From 8af4a53156a751d54e9887fbfa6211195d38c7d5 Mon Sep 17 00:00:00 2001
From: Bill Bartlett
Date: Wed, 14 Aug 2019 15:37:40 -0700
Subject: [PATCH 01/47] add templates for smartstore
---
.../splunk-enterprise-master-ss.template | 577 ++++
templates/splunk-enterprise-ss.template | 2704 +++++++++++++++++
2 files changed, 3281 insertions(+)
create mode 100644 templates/splunk-enterprise-master-ss.template
create mode 100644 templates/splunk-enterprise-ss.template
diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template
new file mode 100644
index 0000000..0ed0c23
--- /dev/null
+++ b/templates/splunk-enterprise-master-ss.template
@@ -0,0 +1,577 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Splunk deployment with indexer, search head clustering and cluster master.",
+ "Parameters": {
+ "AvailabilityZones": {
+ "Description": "List of Availability Zones to use for the subnets in the VPC (logical order preserved). This must match the Number of Availability Zones parameter value.",
+ "Type": "List"
+ },
+ "NumberOfAZs": {
+ "AllowedValues": [
+ "2",
+ "3"
+ ],
+ "Default": "2",
+ "Description": "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.",
+ "Type": "String"
+ },
+ "WebClientLocation": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
+ "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
+ "MaxLength": "19",
+ "MinLength": "9",
+ "Type": "String"
+ },
+ "HECClientLocation": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
+ "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
+ "MaxLength": "19",
+ "MinLength": "9",
+ "Type": "String"
+ },
+ "IndexerInstanceType": {
+ "AllowedValues": [
+ "c4.2xlarge",
+ "c4.4xlarge",
+ "c4.8xlarge",
+ "m4.2xlarge",
+ "m4.4xlarge",
+ "m4.10xlarge",
+ "c5.2xlarge",
+ "c5.4xlarge",
+ "c5.9xlarge",
+ "c5.18xlarge",
+ "i3.2xlarge",
+ "i3.4xlarge",
+ "i3.8xlarge"
+ ],
+ "Description": "EC2 instance type for Splunk Indexers",
+ "ConstraintDescription": "must be a valid EC2 instance type.",
+ "Default": "c5.4xlarge",
+ "Type": "String"
+ },
+ "SearchHeadInstanceType": {
+ "AllowedValues": [
+ "c4.2xlarge",
+ "c4.4xlarge",
+ "c4.8xlarge",
+ "r4.4xlarge",
+ "r4.8xlarge",
+ "r4.16xlarge",
+ "c5.2xlarge",
+ "c5.4xlarge",
+ "c5.9xlarge",
+ "m5.2xlarge",
+ "m5.4xlarge",
+ "m5.12xlarge"
+ ],
+ "Description": "EC2 instance type for Splunk Search Heads",
+ "ConstraintDescription": "must be a valid EC2 instance type.",
+ "Default": "c5.4xlarge",
+ "Type": "String"
+ },
+ "IndexerApps": {
+ "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)",
+ "Default": "",
+ "Type": "CommaDelimitedList"
+ },
+ "SearchHeadApps": {
+ "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)",
+ "Default": "",
+ "Type": "CommaDelimitedList"
+ },
+ "KeyName": {
+ "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.",
+ "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
+ "Type": "AWS::EC2::KeyPair::KeyName"
+ },
+ "PublicSubnet1CIDR": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.",
+ "Default": "10.0.1.0/24",
+ "Description": "The address space that will be assigned to the first Splunk server subnet. (x.x.x.x/x notation)",
+ "Type": "String"
+ },
+ "PublicSubnet2CIDR": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.",
+ "Default": "10.0.2.0/24",
+ "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)",
+ "Type": "String"
+ },
+ "PublicSubnet3CIDR": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.",
+ "Default": "10.0.3.0/24",
+ "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)",
+ "Type": "String"
+ },
+ "QSS3BucketName": {
+ "Default": "splk-quickstart-testing",
+ "Description": "S3 bucket name for the Quick Start assets.",
+ "Type": "String"
+ },
+ "QSS3KeyPrefix": {
+ "Default": "quickstart-splunk-enterprise/",
+ "Description": "S3 key prefix for the Quick Start assets.",
+ "Type": "String"
+ },
+ "SHCEnabled": {
+ "AllowedValues": [
+ "yes",
+ "no"
+ ],
+ "Default": "no",
+ "Description": "Do you want to build a Splunk search head cluster?",
+ "Type": "String"
+ },
+ "SSHClientLocation": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
+ "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
+ "MaxLength": "19",
+ "MinLength": "9",
+ "Type": "String"
+ },
+ "SplunkAdminPassword": {
+ "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
+ "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.",
+ "Description": "Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols",
+ "MaxLength": "32",
+ "MinLength": "6",
+ "NoEcho": "true",
+ "Type": "String"
+ },
+ "SplunkIndexerCount": {
+ "ConstraintDescription": "must be a valid number, 3-10",
+ "Default": "3",
+ "Description": "How many Splunk indexers to launch. [3-10]",
+ "MaxValue": "10",
+ "MinValue": "3",
+ "Type": "Number"
+ },
+ "SplunkIndexerDiskSize": {
+ "ConstraintDescription": "must be a valid number, 320-16000",
+ "Default": "320",
+ "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)",
+ "MaxValue": "16000",
+ "MinValue": "320",
+ "Type": "Number"
+ },
+ "SplunkSearchHeadDiskSize": {
+ "ConstraintDescription": "must be a valid number, 320-16000",
+ "Default": "320",
+ "Description": "The size of the attached EBS volume to the Splunk search head(s). (in GB)",
+ "MaxValue": "16000",
+ "MinValue": "320",
+ "Type": "Number"
+ },
+ "SplunkLicenseBucket": {
+ "Default": "",
+ "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests",
+ "Type": "String"
+ },
+ "SplunkLicensePath": {
+ "Default": "",
+ "Description": "Path to license file in S3 Bucket (without leading '/')",
+ "Type": "String"
+ },
+ "SplunkReplicationFactor": {
+ "ConstraintDescription": "must be a valid number, 2-4",
+ "Default": "2",
+ "Description": "How many copies of data should be stored in the Splunk Indexer Cluster",
+ "MaxValue": "4",
+ "MinValue": "2",
+ "Type": "Number"
+ },
+ "SplunkSearchFactor": {
+ "ConstraintDescription": "must be a valid number, 2-4",
+ "Default": "2",
+ "Description": "How many copies of data should be searchable in the Splunk indexer clusters",
+ "MaxValue": "4",
+ "MinValue": "2",
+ "Type": "Number"
+ },
+ "SplunkClusterSecret": {
+ "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
+ "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.",
+ "Description": "Shared cluster secret for Search Head and Indexer clusters. Must be at least 8 characters containing letters, numbers and symbols.",
+ "MaxLength": "32",
+ "MinLength": "6",
+ "NoEcho": "true",
+ "Type": "String"
+ },
+ "SplunkIndexerDiscoverySecret": {
+ "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
+ "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.",
+ "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.",
+ "MaxLength": "32",
+ "MinLength": "8",
+ "NoEcho": "true",
+ "Type": "String"
+ },
+ "VPCCIDR": {
+ "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
+ "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.",
+ "Default": "10.0.0.0/16",
+ "Description": "The address space that will be assigned to the entire VPC where Splunk will reside. (Recommend at least a /16)",
+ "MaxLength": "19",
+ "MinLength": "9",
+ "Type": "String"
+ }
+ },
+ "Metadata": {
+ "AWS::CloudFormation::Interface": {
+ "ParameterGroups": [
+ {
+ "Label": {
+ "default": "AWS Instance and Network Settings"
+ },
+ "Parameters": [
+ "IndexerInstanceType",
+ "SearchHeadInstanceType",
+ "KeyName",
+ "WebClientLocation",
+ "HECClientLocation",
+ "SSHClientLocation",
+ "AvailabilityZones",
+ "NumberOfAZs",
+ "VPCCIDR",
+ "PublicSubnet1CIDR",
+ "PublicSubnet2CIDR",
+ "PublicSubnet3CIDR"
+ ]
+ },
+ {
+ "Label": {
+ "default": "Splunk Settings"
+ },
+ "Parameters": [
+ "SplunkAdminPassword",
+ "SplunkClusterSecret",
+ "SplunkIndexerDiscoverySecret",
+ "SplunkLicenseBucket",
+ "SplunkLicensePath",
+ "SplunkIndexerCount",
+ "SplunkIndexerDiskSize",
+ "SplunkSearchHeadDiskSize",
+ "SplunkReplicationFactor",
+ "SplunkSearchFactor",
+ "SHCEnabled",
+ "IndexerApps",
+ "SearchHeadApps"
+ ]
+ },
+ {
+ "Label": {
+ "default": "AWS Quick Start Configuration"
+ },
+ "Parameters": [
+ "QSS3BucketName",
+ "QSS3KeyPrefix"
+ ]
+ }
+ ],
+ "ParameterLabels": {
+ "AvailabilityZones": {
+ "default": "Availability Zones"
+ },
+ "NumberOfAZs": {
+ "default": "Number of Availability Zones"
+ },
+ "WebClientLocation": {
+ "default": "Permitted CIDR for Splunk web interface"
+ },
+ "HECClientLocation": {
+ "default": "Permitted CIDR for Splunk HTTP event collector input"
+ },
+ "IndexerInstanceType": {
+ "default": "EC2 instance type for Splunk indexer"
+ },
+ "SearchHeadInstanceType": {
+ "default": "EC2 instance type for Splunk search head"
+ },
+ "KeyName": {
+ "default": "Key Name"
+ },
+ "PublicSubnet1CIDR": {
+ "default": "Public Subnet 1 CIDR"
+ },
+ "PublicSubnet2CIDR": {
+ "default": "Public Subnet 2 CIDR"
+ },
+ "PublicSubnet3CIDR": {
+ "default": "Public Subnet 3 CIDR"
+ },
+ "QSS3BucketName": {
+ "default": "QuickStart S3 Bucket Name"
+ },
+ "QSS3KeyPrefix": {
+ "default": "QuickStart S3 Key Prefix"
+ },
+ "SHCEnabled": {
+ "default": "Enable Search Head Cluster?"
+ },
+ "SSHClientLocation": {
+ "default": "Permitted CIDR for ssh"
+ },
+ "SplunkAdminPassword": {
+ "default": "Splunk Admin Password"
+ },
+ "SplunkIndexerCount": {
+ "default": "No. of Splunk Indexers"
+ },
+ "SplunkIndexerDiskSize": {
+ "default": "Indexer Disk Size"
+ },
+ "SplunkLicenseBucket": {
+ "default": "Splunk License Bucket"
+ },
+ "SplunkLicensePath": {
+ "default": "Splunk License S3 Bucket Path"
+ },
+ "SplunkReplicationFactor": {
+ "default": "Index Cluster Replication Factor"
+ },
+ "SplunkSearchFactor": {
+ "default": "Index Cluster Search Factor"
+ },
+ "SplunkClusterSecret": {
+ "default": "Shared Security Key for Cluster Nodes"
+ },
+ "SplunkIndexerDiscoverySecret": {
+ "default": "Shared Security Key for Forwarders using Indexer Discovery"
+ },
+ "IndexerApps": {
+ "default": "Apps/Add-ons to pre-Install on Splunk Indexers"
+ },
+ "SearchHeadApps": {
+ "default": "Apps/Add-ons to pre-Install on Splunk Search Heads"
+ },
+ "VPCCIDR": {
+ "default": "VPC CIDR"
+ }
+ }
+ }
+ },
+ "Conditions": {
+ "Create3AZ": {
+ "Fn::Equals": [
+ {
+ "Ref": "NumberOfAZs"
+ },
+ "3"
+ ]
+ }
+ },
+ "Resources": {
+ "VPCStack": {
+ "Type": "AWS::CloudFormation::Stack",
+ "Properties": {
+ "TemplateURL": {
+ "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template"
+ },
+ "Parameters": {
+ "AvailabilityZones": {
+ "Fn::Join": [
+ ",",
+ {
+ "Ref": "AvailabilityZones"
+ }
+ ]
+ },
+ "CreatePrivateSubnets": "false",
+ "KeyPairName": {
+ "Ref": "KeyName"
+ },
+ "NumberOfAZs": {
+ "Ref": "NumberOfAZs"
+ },
+ "PublicSubnet1CIDR": {
+ "Ref": "PublicSubnet1CIDR"
+ },
+ "PublicSubnet2CIDR": {
+ "Ref": "PublicSubnet2CIDR"
+ },
+ "PublicSubnet3CIDR": {
+ "Ref": "PublicSubnet3CIDR"
+ },
+ "VPCCIDR": {
+ "Ref": "VPCCIDR"
+ }
+ },
+ "TimeoutInMinutes": 15
+ }
+ },
+ "SplunkStack": {
+ "Type": "AWS::CloudFormation::Stack",
+ "Properties": {
+ "TemplateURL": {
+ "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise.template"
+ },
+ "Parameters": {
+ "VPCID": {
+ "Fn::GetAtt": [
+ "VPCStack",
+ "Outputs.VPCID"
+ ]
+ },
+ "VPCCIDR": {
+ "Fn::GetAtt": [
+ "VPCStack",
+ "Outputs.VPCCIDR"
+ ]
+ },
+ "PublicSubnet1ID": {
+ "Fn::GetAtt": [
+ "VPCStack",
+ "Outputs.PublicSubnet1ID"
+ ]
+ },
+ "PublicSubnet2ID": {
+ "Fn::GetAtt": [
+ "VPCStack",
+ "Outputs.PublicSubnet2ID"
+ ]
+ },
+ "PublicSubnet3ID": {
+ "Fn::If": [
+ "Create3AZ",
+ {
+ "Fn::GetAtt": [
+ "VPCStack",
+ "Outputs.PublicSubnet3ID"
+ ]
+ },
+ {
+ "Fn::GetAtt": [
+ "VPCStack",
+ "Outputs.PublicSubnet2ID"
+ ]
+ }
+ ]
+ },
+ "NumberOfAZs": {
+ "Ref": "NumberOfAZs"
+ },
+ "IndexerInstanceType": {
+ "Ref": "IndexerInstanceType"
+ },
+ "SearchHeadInstanceType": {
+ "Ref": "SearchHeadInstanceType"
+ },
+ "SplunkAdminPassword": {
+ "Ref": "SplunkAdminPassword"
+ },
+ "SplunkClusterSecret": {
+ "Ref": "SplunkClusterSecret"
+ },
+ "SplunkIndexerDiscoverySecret": {
+ "Ref": "SplunkIndexerDiscoverySecret"
+ },
+ "SplunkLicenseBucket": {
+ "Ref": "SplunkLicenseBucket"
+ },
+ "SplunkLicensePath": {
+ "Ref": "SplunkLicensePath"
+ },
+ "KeyName": {
+ "Ref": "KeyName"
+ },
+ "SSHClientLocation": {
+ "Ref": "SSHClientLocation"
+ },
+ "HECClientLocation": {
+ "Ref": "HECClientLocation"
+ },
+ "WebClientLocation": {
+ "Ref": "WebClientLocation"
+ },
+ "SplunkIndexerCount": {
+ "Ref": "SplunkIndexerCount"
+ },
+ "SHCEnabled": {
+ "Ref": "SHCEnabled"
+ },
+ "SplunkIndexerDiskSize": {
+ "Ref": "SplunkIndexerDiskSize"
+ },
+ "SplunkReplicationFactor": {
+ "Ref": "SplunkReplicationFactor"
+ },
+ "IndexerApps": {
+ "Fn::Join": [
+ ",",
+ { "Ref": "IndexerApps" }
+ ]
+ },
+ "SearchHeadApps": {
+ "Fn::Join": [
+ ",",
+ { "Ref": "SearchHeadApps" }
+ ]
+ }
+ },
+ "TimeoutInMinutes": 60
+ }
+ }
+ },
+ "Outputs": {
+ "SearchHeadURL": {
+ "Description": "Splunk Enterprise - Search Head URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.SearchHeadURL"
+ ]
+ }
+ },
+ "ClusterMasterURL": {
+ "Description": "Splunk Enterprise - Cluster Master URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.ClusterMasterURL"
+ ]
+ }
+ },
+ "ClusterMasterManagementURL": {
+ "Description": "Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.ClusterMasterManagementURL"
+ ]
+ }
+ },
+ "DeployerURL": {
+ "Description": "Splunk Enterprise - Search Head Cluster Deployer URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.DeployerURL"
+ ]
+ }
+ },
+ "HttpEventCollectorURL": {
+ "Description": "HTTP Event Collector URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.HttpEventCollectorURL"
+ ]
+ }
+ },
+ "HttpEventCollectorToken": {
+ "Description": "HTTP Event Collector Token",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.HttpEventCollectorToken"
+ ]
+ }
+ }
+ }
+}
diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template
new file mode 100644
index 0000000..980ae27
--- /dev/null
+++ b/templates/splunk-enterprise-ss.template
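Review bot: In splunk-enterprise-master-ss.template, `SplunkAdminPassword` and `SplunkClusterSecret` accept shorter secrets than their descriptions promise: both say "at least 8 characters", yet they declare `"MinLength": "6"`, and the `(?=^.{6,255}$)` lookahead in `AllowedPattern` also disagrees with `"MaxLength": "32"`. splunk-enterprise-ss.template in the same patch declares `SplunkClusterSecret` with `"MinLength": "8"`; if the template nested by `SplunkStack` does likewise, a 6- or 7-character secret passes validation here and fails only when the nested stack is created. I would set `"MinLength": "8"` on both parameters and change the lookahead to `(?=^.{8,32}$)` in all three secret patterns (`SplunkIndexerDiscoverySecret` already has the right `MinLength` but the same `{6,255}` pattern). Separately, the `HttpEventCollectorToken` output republishes a credential through stack outputs, which `NoEcho` on parameters does not mask, so it is worth dropping the output or stating in its `Description` that anyone able to describe the stack can read the token.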
@@ -0,0 +1,2704 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Splunk deployment with indexer, search head clustering and cluster master. QS(5030)", + "Parameters": { + "WebClientLocation": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", + "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", + "MaxLength": "19", + "MinLength": "9", + "Type": "String" + }, + "HECClientLocation": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", + "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", + "MaxLength": "19", + "MinLength": "9", + "Type": "String" + }, + "IndexerInstanceType": { + "AllowedValues": [ + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "m4.2xlarge", + "m4.4xlarge", + "m4.10xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.18xlarge", + "i3.2xlarge", + "i3.4xlarge", + "i3.8xlarge" + ], + "Description": "EC2 instance type for Splunk Indexers", + "ConstraintDescription": "must be a valid EC2 instance type.", + "Default": "c5.4xlarge", + "Type": "String" + }, + "SearchHeadInstanceType": { + "AllowedValues": [ + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "r4.4xlarge", + "r4.8xlarge", + "r4.16xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.12xlarge" + ], + "Description": "EC2 instance type for Splunk Search Heads", + "ConstraintDescription": "must be a valid EC2 instance type.", + "Default": "c5.4xlarge", + "Type": "String" + }, + "IndexerApps": { + "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", + "Default": "", + "Type": "CommaDelimitedList" + }, + "SearchHeadApps": { + "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", + "Default": "", + "Type": "CommaDelimitedList" + }, + "KeyName": { + "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", + "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + }, + "NumberOfAZs": { + "AllowedValues": [ + "2", + "3" + ], + "Default": "2", + "Description": "Number of Availability Zones to use in the VPC. 
This must match the number public subnet IDs entered as parameters", + "Type": "String" + }, + "PublicSubnet1ID": { + "Description": "ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)", + "Type": "AWS::EC2::Subnet::Id" + }, + "PublicSubnet2ID": { + "Description": "ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)", + "Type": "AWS::EC2::Subnet::Id" + }, + "PublicSubnet3ID": { + "Description": "ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)", + "Type": "AWS::EC2::Subnet::Id", + "Default": "" + }, + "QSS3BucketName": { + "Default": "splk-quickstart-testing", + "Description": "S3 bucket name for the Quick Start assets.", + "Type": "String" + }, + "QSS3KeyPrefix": { + "Default": "quickstart-splunk-enterprise/", + "Description": "S3 key prefix for the Quick Start assets.", + "Type": "String" + }, + "SHCEnabled": { + "AllowedValues": [ + "yes", + "no" + ], + "Default": "no", + "Description": "Do you want to build a Splunk search head cluster?", + "Type": "String" + }, + "SSHClientLocation": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", + "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", + "MaxLength": "19", + "MinLength": "9", + "Type": "String" + }, + "SplunkAdminPassword": { + "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", + "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", + "Description": "Admin password for Splunk. 
Must be at least 8 characters containing letters, numbers and symbols.", + "MaxLength": "32", + "MinLength": "6", + "NoEcho": "true", + "Type": "String" + }, + "SplunkIndexerCount": { + "ConstraintDescription": "must be a valid number, 3-10", + "Default": "3", + "Description": "How many Splunk indexers to launch. [3-10]", + "MaxValue": "10", + "MinValue": "3", + "Type": "Number" + }, + "SplunkIndexerDiskSize": { + "ConstraintDescription": "must be a valid number, 320-16000", + "Default": "320", + "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", + "MaxValue": "16000", + "MinValue": "320", + "Type": "Number" + }, + + "SplunkSearchHeadDiskSize": { + "ConstraintDescription": "must be a valid number, 320-16000", + "Default": "320", + "Description": "The size of the attached EBS volume to the Splunk search head(s). (in GB)", + "MaxValue": "16000", + "MinValue": "320", + "Type": "Number" + }, + "SplunkLicenseBucket": { + "Default": "", + "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", + "Type": "String" + }, + "SplunkLicensePath": { + "Default": "", + "Description": "Path to license file in S3 Bucket (without leading '/')", + "Type": "String" + }, + "SplunkReplicationFactor": { + "ConstraintDescription": "must be a valid number, 2-4", + "Default": "2", + "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", + "MaxValue": "4", + "MinValue": "2", + "Type": "Number" + }, + "SplunkSearchFactor": { + "ConstraintDescription": "must be a valid number, 2-4", + "Default": "2", + "Description": "How many copies of data should be searchable in the Splunk indexer clusters", + "MaxValue": "4", + "MinValue": "2", + "Type": "Number" + }, + "SplunkClusterSecret": { + "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", + 
"ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", + "Description": "Shared cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.", + "MaxLength": "32", + "MinLength": "8", + "NoEcho": "true", + "Type": "String" + }, + "SplunkIndexerDiscoverySecret": { + "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", + "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", + "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", + "MaxLength": "32", + "MinLength": "8", + "NoEcho": "true", + "Type": "String" + }, + "VPCCIDR": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", + "Description": "VPC CIDR Block (x.x.x.x/x notation)", + "Type": "String" + }, + "VPCID": { + "Description": "VPC ID", + "Type": "AWS::EC2::VPC::Id" + } + }, + "Metadata": { + "AWSAMIRegionMap":{ + "Filters":{ + "SPLUNKENTHVM":{ + "name":"splunk_marketplace_AMI_*", + "owner-alias":"aws-marketplace", + "product-code.type":"marketplace" + } + } + }, + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "AWS Instance and Network Settings" + }, + "Parameters": [ + "IndexerInstanceType", + "SearchHeadInstanceType", + "KeyName", + "WebClientLocation", + "HECClientLocation", + "SSHClientLocation", + "VPCID", + "VPCCIDR", + "PublicSubnet1ID", + 
"PublicSubnet2ID", + "PublicSubnet3ID", + "NumberOfAZs" + ] + }, + { + "Label": { + "default": "Splunk Settings" + }, + "Parameters": [ + "SplunkAdminPassword", + "SplunkClusterSecret", + "SplunkIndexerDiscoverySecret", + "SplunkLicenseBucket", + "SplunkLicensePath", + "SplunkIndexerCount", + "SplunkIndexerDiskSize", + "SplunkSearchHeadDiskSize", + "SplunkReplicationFactor", + "SplunkSearchFactor", + "SHCEnabled", + "IndexerApps", + "SearchHeadApps" + ] + } + ], + "ParameterLabels": { + "WebClientLocation": { + "default": "Permitted CIDR for Splunk web interface" + }, + "HECClientLocation": { + "default": "Permitted CIDR for Splunk HTTP event collector input" + }, + "IndexerInstanceType": { + "default": "EC2 instance type for Splunk indexer" + }, + "SearchHeadInstanceType": { + "default": "EC2 instance type for Splunk search head" + }, + "KeyName": { + "default": "Key Name" + }, + "PublicSubnet1ID": { + "default": "Public Subnet 1 ID" + }, + "PublicSubnet2ID": { + "default": "Public Subnet 2 ID" + }, + "PublicSubnet3ID": { + "default": "Public Subnet 3 ID" + }, + "NumberOfAZs": { + "default": "Number of Availability Zones" + }, + "SHCEnabled": { + "default": "Enable Search Head Cluster?" + }, + "SSHClientLocation": { + "default": "Permitted CIDR for ssh" + }, + "SplunkAdminPassword": { + "default": "Splunk Admin Password" + }, + "SplunkIndexerCount": { + "default": "No. 
of Splunk Indexers" + }, + "SplunkIndexerDiskSize": { + "default": "Indexer Disk Size" + }, + "SplunkSearchHeadDiskSize": { + "default": "Search Head(s) Disk Size" + }, + "SplunkLicenseBucket": { + "default": "Splunk License Bucket" + }, + "SplunkLicensePath": { + "default": "Splunk License S3 Bucket Path" + }, + "SplunkReplicationFactor": { + "default": "Index Cluster Replication Factor" + }, + "SplunkSearchFactor": { + "default": "Index Cluster Search Factor" + }, + "SplunkClusterSecret": { + "default": "Shared Security Key for Cluster Nodes" + }, + "SplunkIndexerDiscoverySecret": { + "default": "Shared Security Key for Forwarders using Indexer Discovery" + }, + "IndexerApps": { + "default": "Apps/Add-ons to pre-Install on Splunk Indexers" + }, + "SearchHeadApps": { + "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" + }, + "VPCCIDR": { + "default": "VPC CIDR" + }, + "VPCID": { + "default": "VPC ID" + } + } + } + }, + "Conditions": { + "Create3AZ": { + "Fn::Equals": [ + { + "Ref": "NumberOfAZs" + }, + "3" + ] + }, + "CreateSingleSearchHead": { + "Fn::Equals": [ + { + "Ref": "SHCEnabled" + }, + "no" + ] + }, + "CreateSHC": { + "Fn::Equals": [ + { + "Ref": "SHCEnabled" + }, + "yes" + ] + }, + "InstallIndexerApps": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Fn::Join": [ + "", + { + "Ref": "IndexerApps" + } + ] + }, + "" + ] + } + ] + }, + "InstallSearchHeadApps": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Fn::Join": [ + "", + { + "Ref": "SearchHeadApps" + } + ] + }, + "" + ] + } + ] + }, + "ConfigureLicense": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Fn::Equals": [ + "", + { + "Ref": "SplunkLicenseBucket" + } + ] + } + ] + }, + { + "Fn::Not": [ + { + "Fn::Equals": [ + "", + { + "Ref": "SplunkLicensePath" + } + ] + } + ] + } + ] + } + }, + "Mappings": { + "AWSAMIRegionMap": { + "AMI": { + "SPLUNKENTHVM": "splunk_marketplace_AMI_2018-10-16_22_07_36-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d-ami-0d494b5a999e1c49f.4" + }, + "ap-northeast-1": { + 
"SPLUNKENTHVM": "ami-0db36f11d65f551fb" + }, + "ap-northeast-2": { + "SPLUNKENTHVM": "ami-09c7965888207979b" + }, + "ap-south-1": { + "SPLUNKENTHVM": "ami-07c20db6edfd45f98" + }, + "ap-southeast-1": { + "SPLUNKENTHVM": "ami-0e7b7ca1bdcdd93a6" + }, + "ap-southeast-2": { + "SPLUNKENTHVM": "ami-0c8a4d5bdf83f0df8" + }, + "ca-central-1": { + "SPLUNKENTHVM": "ami-02f085f4514fa7145" + }, + "eu-central-1": { + "SPLUNKENTHVM": "ami-09ce965c3b1a9a1cb" + }, + "eu-west-1": { + "SPLUNKENTHVM": "ami-0fafe9e81915f154e" + }, + "eu-west-2": { + "SPLUNKENTHVM": "ami-060d9e50d310e0ebb" + }, + "sa-east-1": { + "SPLUNKENTHVM": "ami-0dacd4005280936e5" + }, + "us-east-1": { + "SPLUNKENTHVM": "ami-0484972f36720ea7f" + }, + "us-east-2": { + "SPLUNKENTHVM": "ami-04b6874c649721f0a" + }, + "us-west-1": { + "SPLUNKENTHVM": "ami-0377011a3f771e353" + }, + "us-west-2": { + "SPLUNKENTHVM": "ami-0c3e33232b6c07537" + } + }, + "SplunkConfig": { + "dedicated-instance-type": { + "clusterMaster": "c5.xlarge", + "shclusterDeployer": "c5.xlarge" + }, + "shcluster-replication-factor": { + "num": "3" + }, + "labels": { + "cluster": "IndexerCluster", + "shcluster": "SearchHeadCluster" + } + } + }, + "Resources": { + "SplunkSearchHeadSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 8000, + "ToPort": 8000, + "CidrIp": { + "Ref": "WebClientLocation" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8090, + "ToPort": 8090, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8191, + "ToPort": 8191, + "CidrIp": { + "Ref": "VPCCIDR" + } + } + ], + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkSearchHeadSecurityGroup" + } + ] + } + }, + 
"SplunkIndexerSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 9997, + "ToPort": 9997, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8088, + "ToPort": 8088, + "SourceSecurityGroupId": { + "Ref": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 514, + "ToPort": 514, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "udp", + "FromPort": 514, + "ToPort": 514, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 9887, + "ToPort": 9887, + "CidrIp": { + "Ref": "VPCCIDR" + } + } + ], + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkIndexerSecurityGroup" + } + ] + } + }, + "SplunkSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable administrative ports like restricted SSH and management port", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": { + "Ref": "SSHClientLocation" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8089, + "ToPort": 8089, + "CidrIp": { + "Ref": "VPCCIDR" + } + } + ], + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkSecurityGroup" + } + ] + } + }, + "SplunkHttpEventCollectorLoadBalancerSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable port 8088 on ELB for HEC input", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 8088, + "ToPort": 8088, + "CidrIp": { + 
"Ref": "HECClientLocation" + } + } + ], + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" + } + ] + } + }, + "SplunkSearchHeadInstance": { + "Type": "AWS::EC2::Instance", + "Condition": "CreateSingleSearchHead", + "CreationPolicy": { + "ResourceSignal": { + "Timeout": "PT60M" + } + }, + "Properties": { + "ImageId": { + "Fn::FindInMap": [ + "AWSAMIRegionMap", + { + "Ref": "AWS::Region" + }, + "SPLUNKENTHVM" + ] + }, + "InstanceType": { + "Ref": "SearchHeadInstanceType" + }, + "KeyName": { + "Ref": "KeyName" + }, + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Role", + "Value": "splunk-search-head" + }, + { + "Key": "Name", + "Value": "search-head" + } + ], + "NetworkInterfaces": [ + { + "GroupSet": [ + { + "Ref": "SplunkSecurityGroup" + }, + { + "Ref": "SplunkSearchHeadSecurityGroup" + } + ], + "AssociatePublicIpAddress": true, + "DeviceIndex": "0", + "DeleteOnTermination": true, + "SubnetId": { + "Ref": "PublicSubnet1ID" + } + } + ], + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "SplunkSearchHeadDiskSize" + } + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "", + [ + "#!/bin/bash -v\n", + "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", + "chmod 600 /var/log/cloud-init-output.log\n", + "yum update -y aws-cfn-bootstrap\n", + "export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)\n", + "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n", + "export SPLUNK_USER=splunk\n", + "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", + "export SPLUNK_HOME=/opt/splunk\n", + "printf '%s\t%s\n' \"$LOCALIP\" 'splunksearch' >> /etc/hosts\n", + "hostname splunksearch\n", + "mv $SPLUNK_HOME/etc/passwd 
$SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf </dev/null)\n", + "export SPLUNK_USER=splunk\n", + "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", + "export SPLUNK_HOME=/opt/splunk\n", + "# remove stale splunkd.log that ships with AMI.\n", + "rm -f $SPLUNK_HOME/var/log/splunk/splunkd.log\n", + "printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts\n", + "hostname splunklicense\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token\n", + "TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token\n", + "echo $TOKEN\n", + "mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", + "mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", + "# Peer config 2: Enable splunktcp input\n", + "cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <> /etc/hosts\n", + "hostname splunk-shc-deployer\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts\n", + "hostname splunksearch\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", + "hostname splunksearch\n", + "mv 
$SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", + "hostname splunksearch\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf < Date: Wed, 6 May 2020 13:18:22 -0700 Subject: [PATCH 02/47] added smartstore support --- .../splunk-enterprise-master-ss.template | 1056 ++-- templates/splunk-enterprise-ss.template | 5310 +++++++++-------- 2 files changed, 3295 insertions(+), 3071 deletions(-) diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index 0ed0c23..406fe15 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template 
@@ -1,577 +1,593 @@ { - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Splunk deployment with indexer, search head clustering and cluster master.", - "Parameters": { + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Splunk deployment with indexer, search head clustering and cluster master.", + "Parameters": { + "AvailabilityZones": { + "Description": "List of Availability Zones to use for the subnets in the VPC (logical order preserved). This must match the Number of Availability Zones parameter value.", + "Type": "List" + }, + "NumberOfAZs": { + "AllowedValues": [ + "2", + "3" + ], + "Default": "2", + "Description": "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.", + "Type": "String" + }, + "WebClientLocation": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", + "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", + "MaxLength": "19", + "MinLength": "9", + "Type": "String" + }, + "HECClientLocation": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", + "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", + "MaxLength": "19", + "MinLength": "9", + "Type": "String" + }, + "IndexerInstanceType": { + "AllowedValues": [ + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "m4.2xlarge", + "m4.4xlarge", + "m4.10xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.18xlarge", + "i3.2xlarge", + "i3.4xlarge", + "i3.8xlarge" + ], + "Description": "EC2 instance type for Splunk Indexers", + "ConstraintDescription": "must be a valid EC2 instance type.", + "Default": "c5.4xlarge", + "Type": "String" + }, + "SearchHeadInstanceType": { + "AllowedValues": [ + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "r4.4xlarge", + "r4.8xlarge", + "r4.16xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.12xlarge" + ], + "Description": "EC2 instance type for Splunk Search Heads", + "ConstraintDescription": "must be a valid EC2 instance type.", + "Default": "c5.4xlarge", + "Type": "String" + }, + "IndexerApps": { + "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", + "Default": "", + "Type": "CommaDelimitedList" + }, + "SearchHeadApps": { + "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", + "Default": "", + "Type": "CommaDelimitedList" + }, + "KeyName": { + "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", + "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + }, + "PublicSubnet1CIDR": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", + "Default": "10.0.1.0/24", + "Description": "The address space that will be assigned to the first Splunk server subnet. 
(x.x.x.x/x notation)", + "Type": "String" + }, + "PublicSubnet2CIDR": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", + "Default": "10.0.2.0/24", + "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", + "Type": "String" + }, + "PublicSubnet3CIDR": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", + "Default": "10.0.3.0/24", + "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", + "Type": "String" + }, + "QSS3BucketName": { + "Default": "", + "Description": "S3 bucket name for the Quick Start assets.", + "Type": "String" + }, + "QSS3KeyPrefix": { + "Default": "quickstart-splunk-enterprise/", + "Description": "S3 key prefix for the Quick Start assets.", + "Type": "String" + }, + "SHCEnabled": { + "AllowedValues": [ + "yes", + "no" + ], + "Default": "no", + "Description": "Do you want to build a Splunk search head cluster?", + "Type": "String" + }, + "SSHClientLocation": { + "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", + "Description": "The IP address range that is allowed to SSH to the EC2 instances. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", + "MaxLength": "19", + "MinLength": "9", + "Type": "String" + }, + "SplunkAdminPassword": { + "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", + "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", + "Description": "Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols", + "MaxLength": "32", + "MinLength": "6", + "NoEcho": "true", + "Type": "String" + }, + "SplunkIndexerCount": { + "ConstraintDescription": "must be a valid number, 3-10", + "Default": "3", + "Description": "How many Splunk indexers to launch. [3-10]", + "MaxValue": "10", + "MinValue": "3", + "Type": "Number" + }, + "SplunkIndexerDiskSize": { + "ConstraintDescription": "must be a valid number, 320-16000", + "Default": "320", + "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", + "MaxValue": "16000", + "MinValue": "320", + "Type": "Number" + }, + "SplunkSearchHeadDiskSize": { + "ConstraintDescription": "must be a valid number, 320-16000", + "Default": "320", + "Description": "The size of the attached EBS volume to the Splunk search head(s). 
(in GB)", + "MaxValue": "16000", + "MinValue": "320", + "Type": "Number" + }, + "SplunkLicenseBucket": { + "Default": "", + "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", + "Type": "String" + }, + "SplunkLicensePath": { + "Default": "", + "Description": "Path to license file in S3 Bucket (without leading '/')", + "Type": "String" + }, + "SplunkReplicationFactor": { + "ConstraintDescription": "must be a valid number, 2-4", + "Default": "2", + "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", + "MaxValue": "4", + "MinValue": "2", + "Type": "Number" + }, + "SplunkSearchFactor": { + "ConstraintDescription": "must be a valid number, 2-4", + "Default": "2", + "Description": "How many copies of data should be searchable in the Splunk indexer clusters", + "MaxValue": "4", + "MinValue": "2", + "Type": "Number" + }, + "SplunkClusterSecret": { + "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", + "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", + "Description": "Shared cluster secret for Search Head and Indexer clusters. Must be at least 8 characters containing letters, numbers and symbols.", + "MaxLength": "32", + "MinLength": "6", + "NoEcho": "true", + "Type": "String" + }, + "SplunkIndexerDiscoverySecret": { + "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", + "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", + "Description": "Security key used for communication between your forwarders and the cluster master. 
This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", + "MaxLength": "32", + "MinLength": "8", + "NoEcho": "true", + "Type": "String" + }, + "VPCCIDR": { + "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", + "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", + "Default": "10.0.0.0/16", + "Description": "The address space that will be assigned to the entire VPC where Splunk will reside. (Recommend at least a /16)", + "MaxLength": "19", + "MinLength": "9", + "Type": "String" + }, + "SmartStoreBucketName": { + "Default": "", + "Description": "Name of bucket that will be created for SmartStore storage", + "Type": "String" + } + }, + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "AWS Instance and Network Settings" + }, + "Parameters": [ + "IndexerInstanceType", + "SearchHeadInstanceType", + "KeyName", + "WebClientLocation", + "HECClientLocation", + "SSHClientLocation", + "AvailabilityZones", + "NumberOfAZs", + "VPCCIDR", + "PublicSubnet1CIDR", + "PublicSubnet2CIDR", + "PublicSubnet3CIDR" + ] + }, + { + "Label": { + "default": "Splunk Settings" + }, + "Parameters": [ + "SplunkAdminPassword", + "SplunkClusterSecret", + "SplunkIndexerDiscoverySecret", + "SplunkLicenseBucket", + "SplunkLicensePath", + "SplunkIndexerCount", + "SplunkIndexerDiskSize", + "SplunkSearchHeadDiskSize", + "SplunkReplicationFactor", + "SplunkSearchFactor", + "SmartStoreBucketName", + "SHCEnabled", + "IndexerApps", + "SearchHeadApps" + ] + }, + { + "Label": { + "default": "AWS Quick Start Configuration" + }, + "Parameters": [ + "QSS3BucketName", + "QSS3KeyPrefix" + ] + } + ], + "ParameterLabels": { "AvailabilityZones": { - "Description": "List of Availability Zones to use for the subnets in the VPC (logical order preserved). 
This must match the Number of Availability Zones parameter value.", - "Type": "List" + "default": "Availability Zones" }, "NumberOfAZs": { - "AllowedValues": [ - "2", - "3" - ], - "Default": "2", - "Description": "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.", - "Type": "String" + "default": "Number of Availability Zones" }, "WebClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" + "default": "Permitted CIDR for Splunk web interface" }, "HECClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" + "default": "Permitted CIDR for Splunk HTTP event collector input" }, "IndexerInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "m4.2xlarge", - "m4.4xlarge", - "m4.10xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "c5.18xlarge", - "i3.2xlarge", - "i3.4xlarge", - "i3.8xlarge" - ], - "Description": "EC2 instance type for Splunk Indexers", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" + "default": "EC2 instance type for Splunk indexer" }, "SearchHeadInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "r4.4xlarge", - "r4.8xlarge", - "r4.16xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "m5.2xlarge", - "m5.4xlarge", - "m5.12xlarge" - ], - "Description": "EC2 instance type for Splunk Search Heads", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "IndexerApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "SearchHeadApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", - "Default": "", - "Type": "CommaDelimitedList" + "default": "EC2 instance type for Splunk search head" }, "KeyName": { - "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", - "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" + "default": "Key Name" }, "PublicSubnet1CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - 
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.1.0/24", - "Description": "The address space that will be assigned to the first Splunk server subnet. (x.x.x.x/x notation)", - "Type": "String" + "default": "Public Subnet 1 CIDR" }, "PublicSubnet2CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.2.0/24", - "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", - "Type": "String" + "default": "Public Subnet 2 CIDR" }, "PublicSubnet3CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.3.0/24", - "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", - "Type": "String" + "default": "Public Subnet 3 CIDR" }, "QSS3BucketName": { - "Default": "splk-quickstart-testing", - "Description": "S3 bucket name for the Quick Start assets.", - "Type": "String" + "default": "QuickStart S3 Bucket Name" }, "QSS3KeyPrefix": { - "Default": "quickstart-splunk-enterprise/", - "Description": "S3 key prefix for the Quick Start assets.", - "Type": "String" + "default": "QuickStart S3 Key Prefix" }, "SHCEnabled": { - "AllowedValues": [ - "yes", - "no" - ], - "Default": "no", - "Description": "Do you want to build a Splunk search head cluster?", - "Type": "String" + "default": "Enable Search Head Cluster?" 
}, "SSHClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" + "default": "Permitted CIDR for ssh" }, "SplunkAdminPassword": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" + "default": "Splunk Admin Password" }, "SplunkIndexerCount": { - "ConstraintDescription": "must be a valid number, 3-10", - "Default": "3", - "Description": "How many Splunk indexers to launch. [3-10]", - "MaxValue": "10", - "MinValue": "3", - "Type": "Number" + "default": "No. of Splunk Indexers" }, "SplunkIndexerDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SplunkSearchHeadDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk search head(s). 
(in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" + "default": "Indexer Disk Size" }, "SplunkLicenseBucket": { - "Default": "", - "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", - "Type": "String" + "default": "Splunk License Bucket" }, "SplunkLicensePath": { - "Default": "", - "Description": "Path to license file in S3 Bucket (without leading '/')", - "Type": "String" + "default": "Splunk License S3 Bucket Path" }, "SplunkReplicationFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" + "default": "Index Cluster Replication Factor" }, "SplunkSearchFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be searchable in the Splunk indexer clusters", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" + "default": "Index Cluster Search Factor" + }, + "SmartStoreBucketName": { + "default": "Name of bucket that will be created for SmartStore storage" }, "SplunkClusterSecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Shared cluster secret for Search Head and Indexer clusters. 
Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" + "default": "Shared Security Key for Cluster Nodes" }, "SplunkIndexerDiscoverySecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" + "default": "Shared Security Key for Forwarders using Indexer Discovery" + }, + "IndexerApps": { + "default": "Apps/Add-ons to pre-Install on Splunk Indexers" + }, + "SearchHeadApps": { + "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" }, "VPCCIDR": { - "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.0.0/16", - "Description": "The address space that will be assigned to the entire VPC where Splunk will reside. 
(Recommend at least a /16)", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" + "default": "VPC CIDR" } - }, - "Metadata": { - "AWS::CloudFormation::Interface": { - "ParameterGroups": [ - { - "Label": { - "default": "AWS Instance and Network Settings" - }, - "Parameters": [ - "IndexerInstanceType", - "SearchHeadInstanceType", - "KeyName", - "WebClientLocation", - "HECClientLocation", - "SSHClientLocation", - "AvailabilityZones", - "NumberOfAZs", - "VPCCIDR", - "PublicSubnet1CIDR", - "PublicSubnet2CIDR", - "PublicSubnet3CIDR" - ] - }, - { - "Label": { - "default": "Splunk Settings" - }, - "Parameters": [ - "SplunkAdminPassword", - "SplunkClusterSecret", - "SplunkIndexerDiscoverySecret", - "SplunkLicenseBucket", - "SplunkLicensePath", - "SplunkIndexerCount", - "SplunkIndexerDiskSize", - "SplunkSearchHeadDiskSize", - "SplunkReplicationFactor", - "SplunkSearchFactor", - "SHCEnabled", - "IndexerApps", - "SearchHeadApps" - ] - }, - { - "Label": { - "default": "AWS Quick Start Configuration" - }, - "Parameters": [ - "QSS3BucketName", - "QSS3KeyPrefix" - ] - } - ], - "ParameterLabels": { - "AvailabilityZones": { - "default": "Availability Zones" - }, - "NumberOfAZs": { - "default": "Number of Availability Zones" - }, - "WebClientLocation": { - "default": "Permitted CIDR for Splunk web interface" - }, - "HECClientLocation": { - "default": "Permitted CIDR for Splunk HTTP event collector input" - }, - "IndexerInstanceType": { - "default": "EC2 instance type for Splunk indexer" - }, - "SearchHeadInstanceType": { - "default": "EC2 instance type for Splunk search head" - }, - "KeyName": { - "default": "Key Name" - }, - "PublicSubnet1CIDR": { - "default": "Public Subnet 1 CIDR" - }, - "PublicSubnet2CIDR": { - "default": "Public Subnet 2 CIDR" - }, - "PublicSubnet3CIDR": { - "default": "Public Subnet 3 CIDR" - }, - "QSS3BucketName": { - "default": "QuickStart S3 Bucket Name" - }, - "QSS3KeyPrefix": { - "default": "QuickStart S3 Key Prefix" - }, - "SHCEnabled": { - 
"default": "Enable Search Head Cluster?" - }, - "SSHClientLocation": { - "default": "Permitted CIDR for ssh" - }, - "SplunkAdminPassword": { - "default": "Splunk Admin Password" - }, - "SplunkIndexerCount": { - "default": "No. of Splunk Indexers" - }, - "SplunkIndexerDiskSize": { - "default": "Indexer Disk Size" - }, - "SplunkLicenseBucket": { - "default": "Splunk License Bucket" - }, - "SplunkLicensePath": { - "default": "Splunk License S3 Bucket Path" - }, - "SplunkReplicationFactor": { - "default": "Index Cluster Replication Factor" - }, - "SplunkSearchFactor": { - "default": "Index Cluster Search Factor" - }, - "SplunkClusterSecret": { - "default": "Shared Security Key for Cluster Nodes" - }, - "SplunkIndexerDiscoverySecret": { - "default": "Shared Security Key for Forwarders using Indexer Discovery" - }, - "IndexerApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Indexers" - }, - "SearchHeadApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" - }, - "VPCCIDR": { - "default": "VPC CIDR" - } - } - } - }, - "Conditions": { - "Create3AZ": { - "Fn::Equals": [ - { - "Ref": "NumberOfAZs" - }, - "3" + } + } + }, + "Conditions": { + "Create3AZ": { + "Fn::Equals": [ + { + "Ref": "NumberOfAZs" + }, + "3" + ] + } + }, + "Resources": { + "VPCStack": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": { + "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template" + }, + "Parameters": { + "AvailabilityZones": { + "Fn::Join": [ + ",", + { + "Ref": "AvailabilityZones" + } ] - } - }, - "Resources": { - "VPCStack": { - "Type": "AWS::CloudFormation::Stack", - "Properties": { - "TemplateURL": { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template" - }, - "Parameters": { - "AvailabilityZones": { - "Fn::Join": [ - ",", - { - "Ref": "AvailabilityZones" - } - ] - }, - 
"CreatePrivateSubnets": "false", - "KeyPairName": { - "Ref": "KeyName" - }, - "NumberOfAZs": { - "Ref": "NumberOfAZs" - }, - "PublicSubnet1CIDR": { - "Ref": "PublicSubnet1CIDR" - }, - "PublicSubnet2CIDR": { - "Ref": "PublicSubnet2CIDR" - }, - "PublicSubnet3CIDR": { - "Ref": "PublicSubnet3CIDR" - }, - "VPCCIDR": { - "Ref": "VPCCIDR" - } - }, - "TimeoutInMinutes": 15 - } - }, - "SplunkStack": { - "Type": "AWS::CloudFormation::Stack", - "Properties": { - "TemplateURL": { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise.template" - }, - "Parameters": { - "VPCID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.VPCID" - ] - }, - "VPCCIDR": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.VPCCIDR" - ] - }, - "PublicSubnet1ID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet1ID" - ] - }, - "PublicSubnet2ID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet2ID" - ] - }, - "PublicSubnet3ID": { - "Fn::If": [ - "Create3AZ", - { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet3ID" - ] - }, - { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet2ID" - ] - } - ] - }, - "NumberOfAZs": { - "Ref": "NumberOfAZs" - }, - "IndexerInstanceType": { - "Ref": "IndexerInstanceType" - }, - "SearchHeadInstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "SplunkAdminPassword": { - "Ref": "SplunkAdminPassword" - }, - "SplunkClusterSecret": { - "Ref": "SplunkClusterSecret" - }, - "SplunkIndexerDiscoverySecret": { - "Ref": "SplunkIndexerDiscoverySecret" - }, - "SplunkLicenseBucket": { - "Ref": "SplunkLicenseBucket" - }, - "SplunkLicensePath": { - "Ref": "SplunkLicensePath" - }, - "KeyName": { - "Ref": "KeyName" - }, - "SSHClientLocation": { - "Ref": "SSHClientLocation" - }, - "HECClientLocation": { - "Ref": "HECClientLocation" - }, - "WebClientLocation": { - "Ref": "WebClientLocation" - }, - "SplunkIndexerCount": { - "Ref": "SplunkIndexerCount" - }, - "SHCEnabled": { - "Ref": "SHCEnabled" - }, - 
"SplunkIndexerDiskSize": { - "Ref": "SplunkIndexerDiskSize" - }, - "SplunkReplicationFactor": { - "Ref": "SplunkReplicationFactor" - }, - "IndexerApps": { - "Fn::Join": [ - ",", - { "Ref": "IndexerApps" } - ] - }, - "SearchHeadApps": { - "Fn::Join": [ - ",", - { "Ref": "SearchHeadApps" } - ] - } - }, - "TimeoutInMinutes": 60 - } - } + }, + "CreatePrivateSubnets": "false", + "KeyPairName": { + "Ref": "KeyName" + }, + "NumberOfAZs": { + "Ref": "NumberOfAZs" + }, + "PublicSubnet1CIDR": { + "Ref": "PublicSubnet1CIDR" + }, + "PublicSubnet2CIDR": { + "Ref": "PublicSubnet2CIDR" + }, + "PublicSubnet3CIDR": { + "Ref": "PublicSubnet3CIDR" + }, + "VPCCIDR": { + "Ref": "VPCCIDR" + } + }, + "TimeoutInMinutes": 15 + } }, - "Outputs": { - "SearchHeadURL": { - "Description": "Splunk Enterprise - Search Head URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.SearchHeadURL" - ] - } - }, - "ClusterMasterURL": { - "Description": "Splunk Enterprise - Cluster Master URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.ClusterMasterURL" - ] - } - }, - "ClusterMasterManagementURL": { - "Description": "Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.ClusterMasterManagementURL" - ] - } - }, - "DeployerURL": { - "Description": "Splunk Enterprise - Search Head Cluster Deployer URL", - "Value": { + "SplunkStack": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": { + "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise-ss.template" + }, + "Parameters": { + "VPCID": { + "Fn::GetAtt": [ + "VPCStack", + "Outputs.VPCID" + ] + }, + "VPCCIDR": { + "Fn::GetAtt": [ + "VPCStack", + "Outputs.VPCCIDR" + ] + }, + "PublicSubnet1ID": { + "Fn::GetAtt": [ + "VPCStack", + "Outputs.PublicSubnet1ID" + ] + }, + "PublicSubnet2ID": { + "Fn::GetAtt": [ + "VPCStack", + "Outputs.PublicSubnet2ID" + ] + }, + "PublicSubnet3ID": { 
+ "Fn::If": [
+ "Create3AZ",
+ {
 "Fn::GetAtt": [
- "SplunkStack",
- "Outputs.DeployerURL"
+ "VPCStack",
+ "Outputs.PublicSubnet3ID"
 ]
- }
- },
- "HttpEventCollectorURL": {
- "Description": "HTTP Event Collector URL",
- "Value": {
+ },
+ {
 "Fn::GetAtt": [
- "SplunkStack",
- "Outputs.HttpEventCollectorURL"
+ "VPCStack",
+ "Outputs.PublicSubnet2ID"
 ]
- }
+ }
+ ]
+ },
+ "NumberOfAZs": {
+ "Ref": "NumberOfAZs"
+ },
+ "IndexerInstanceType": {
+ "Ref": "IndexerInstanceType"
+ },
+ "SearchHeadInstanceType": {
+ "Ref": "SearchHeadInstanceType"
+ },
+ "SplunkAdminPassword": {
+ "Ref": "SplunkAdminPassword"
+ },
+ "SplunkClusterSecret": {
+ "Ref": "SplunkClusterSecret"
+ },
+ "SplunkIndexerDiscoverySecret": {
+ "Ref": "SplunkIndexerDiscoverySecret"
+ },
+ "SplunkLicenseBucket": {
+ "Ref": "SplunkLicenseBucket"
+ },
+ "SplunkLicensePath": {
+ "Ref": "SplunkLicensePath"
+ },
+ "KeyName": {
+ "Ref": "KeyName"
+ },
+ "SSHClientLocation": {
+ "Ref": "SSHClientLocation"
+ },
+ "HECClientLocation": {
+ "Ref": "HECClientLocation"
+ },
+ "WebClientLocation": {
+ "Ref": "WebClientLocation"
+ },
+ "SplunkIndexerCount": {
+ "Ref": "SplunkIndexerCount"
+ },
+ "SHCEnabled": {
+ "Ref": "SHCEnabled"
+ },
+ "SplunkIndexerDiskSize": {
+ "Ref": "SplunkIndexerDiskSize"
+ },
+ "SmartStoreBucketName": {
+ "Ref": "SmartStoreBucketName"
+ },
+ "SplunkReplicationFactor": {
+ "Ref": "SplunkReplicationFactor"
+ },
+ "IndexerApps": {
+ "Fn::Join": [
+ ",",
+ {
+ "Ref": "IndexerApps"
+ }
+ ]
+ },
+ "SearchHeadApps": {
+ "Fn::Join": [
+ ",",
+ {
+ "Ref": "SearchHeadApps"
+ }
+ ]
+ }
 },
- "HttpEventCollectorToken": {
- "Description": "HTTP Event Collector Token",
- "Value": {
- "Fn::GetAtt": [
- "SplunkStack",
- "Outputs.HttpEventCollectorToken"
- ]
- }
- }
+ "TimeoutInMinutes": 60
+ }
+ }
+ },
+ "Outputs": {
+ "SearchHeadURL": {
+ "Description": "Splunk Enterprise - Search Head URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.SearchHeadURL"
+ ]
+ }
+ },
+ "ClusterMasterURL": {
+
"Description": "Splunk Enterprise - Cluster Master URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.ClusterMasterURL"
+ ]
+ }
+ },
+ "ClusterMasterManagementURL": {
+ "Description": "Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.ClusterMasterManagementURL"
+ ]
+ }
+ },
+ "DeployerURL": {
+ "Description": "Splunk Enterprise - Search Head Cluster Deployer URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.DeployerURL"
+ ]
+ }
+ },
+ "HttpEventCollectorURL": {
+ "Description": "HTTP Event Collector URL",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.HttpEventCollectorURL"
+ ]
+ }
+ },
+ "HttpEventCollectorToken": {
+ "Description": "HTTP Event Collector Token",
+ "Value": {
+ "Fn::GetAtt": [
+ "SplunkStack",
+ "Outputs.HttpEventCollectorToken"
+ ]
+ }
 }
-}
+ }
+}
\ No newline at end of file
diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template
index 980ae27..501c435 100644
--- a/templates/splunk-enterprise-ss.template
+++ b/templates/splunk-enterprise-ss.template
@@ -1,2704 +1,2912 @@
 {
- "AWSTemplateFormatVersion": "2010-09-09",
- "Description": "Splunk deployment with indexer, search head clustering and cluster master. QS(5030)",
- "Parameters": {
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Splunk deployment with indexer, search head clustering and cluster master. QS(5030)",
+ "Parameters": {
+ "WebClientLocation": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
+ "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
+ "MaxLength": "19",
+ "MinLength": "9",
+ "Type": "String"
+ },
+ "HECClientLocation": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
+ "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
+ "MaxLength": "19",
+ "MinLength": "9",
+ "Type": "String"
+ },
+ "IndexerInstanceType": {
+ "AllowedValues": [
+ "c4.2xlarge",
+ "c4.4xlarge",
+ "c4.8xlarge",
+ "m4.2xlarge",
+ "m4.4xlarge",
+ "m4.10xlarge",
+ "c5.2xlarge",
+ "c5.4xlarge",
+ "c5.9xlarge",
+ "c5.18xlarge",
+ "i3.2xlarge",
+ "i3.4xlarge",
+ "i3.8xlarge"
+ ],
+ "Description": "EC2 instance type for Splunk Indexers",
+ "ConstraintDescription": "must be a valid EC2 instance type.",
+ "Default": "c5.4xlarge",
+ "Type": "String"
+ },
+ "SearchHeadInstanceType": {
+ "AllowedValues": [
+ "c4.2xlarge",
+ "c4.4xlarge",
+ "c4.8xlarge",
+ "r4.4xlarge",
+ "r4.8xlarge",
+ "r4.16xlarge",
+ "c5.2xlarge",
+ "c5.4xlarge",
+ "c5.9xlarge",
+ "m5.2xlarge",
+ "m5.4xlarge",
+ "m5.12xlarge"
+ ],
+ "Description": "EC2 instance type for Splunk Search Heads",
+ "ConstraintDescription": "must be a valid EC2 instance type.",
+ "Default": "c5.4xlarge",
+ "Type": "String"
+ },
+ "IndexerApps": {
+ "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)",
+ "Default": "",
+ "Type": "CommaDelimitedList"
+ },
+ "SearchHeadApps": {
+ "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)",
+ "Default": "",
+ "Type": "CommaDelimitedList"
+ },
+ "KeyName": {
+ "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.",
+ "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
+ "Type": "AWS::EC2::KeyPair::KeyName"
+ },
+ "NumberOfAZs": {
+ "AllowedValues": [
+ "2",
+ "3"
+ ],
+ "Default": "2",
+ "Description": "Number of Availability Zones to use in the VPC. 
This must match the number public subnet IDs entered as parameters",
+ "Type": "String"
+ },
+ "PublicSubnet1ID": {
+ "Description": "ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)",
+ "Type": "AWS::EC2::Subnet::Id"
+ },
+ "PublicSubnet2ID": {
+ "Description": "ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)",
+ "Type": "AWS::EC2::Subnet::Id"
+ },
+ "PublicSubnet3ID": {
+ "Description": "ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)",
+ "Type": "AWS::EC2::Subnet::Id",
+ "Default": ""
+ },
+ "QSS3BucketName": {
+ "Default": "splk-quickstart-testing",
+ "Description": "S3 bucket name for the Quick Start assets.",
+ "Type": "String"
+ },
+ "QSS3KeyPrefix": {
+ "Default": "quickstart-splunk-enterprise/",
+ "Description": "S3 key prefix for the Quick Start assets.",
+ "Type": "String"
+ },
+ "SHCEnabled": {
+ "AllowedValues": [
+ "yes",
+ "no"
+ ],
+ "Default": "no",
+ "Description": "Do you want to build a Splunk search head cluster?",
+ "Type": "String"
+ },
+ "SSHClientLocation": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
+ "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
+ "MaxLength": "19",
+ "MinLength": "9",
+ "Type": "String"
+ },
+ "SplunkAdminPassword": {
+ "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
+ "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.",
+ "Description": "Admin password for Splunk. 
Must be at least 8 characters containing letters, numbers and symbols.",
+ "MaxLength": "32",
+ "MinLength": "6",
+ "NoEcho": "true",
+ "Type": "String"
+ },
+ "SplunkIndexerCount": {
+ "ConstraintDescription": "must be a valid number, 3-10",
+ "Default": "3",
+ "Description": "How many Splunk indexers to launch. [3-10]",
+ "MaxValue": "10",
+ "MinValue": "3",
+ "Type": "Number"
+ },
+ "SplunkIndexerDiskSize": {
+ "ConstraintDescription": "must be a valid number, 320-16000",
+ "Default": "320",
+ "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)",
+ "MaxValue": "16000",
+ "MinValue": "320",
+ "Type": "Number"
+ },
+ "SplunkSearchHeadDiskSize": {
+ "ConstraintDescription": "must be a valid number, 320-16000",
+ "Default": "320",
+ "Description": "The size of the attached EBS volume to the Splunk search head(s). (in GB)",
+ "MaxValue": "16000",
+ "MinValue": "320",
+ "Type": "Number"
+ },
+ "SmartStoreBucketName": {
+ "Default": "",
+ "Description": "Name of S3 bucket to be created for SmartStore storage",
+ "Type": "String"
+ },
+ "SplunkLicenseBucket": {
+ "Default": "",
+ "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests",
+ "Type": "String"
+ },
+ "SplunkLicensePath": {
+ "Default": "",
+ "Description": "Path to license file in S3 Bucket (without leading '/')",
+ "Type": "String"
+ },
+ "SplunkReplicationFactor": {
+ "ConstraintDescription": "must be a valid number, 2-4",
+ "Default": "2",
+ "Description": "How many copies of data should be stored in the Splunk Indexer Cluster",
+ "MaxValue": "4",
+ "MinValue": "2",
+ "Type": "Number"
+ },
+ "SplunkSearchFactor": {
+ "ConstraintDescription": "must be a valid number, 2-4",
+ "Default": "2",
+ "Description": "How many copies of data should be searchable in the Splunk indexer clusters",
+ "MaxValue": "4",
+ "MinValue": "2",
+ "Type": "Number"
+ },
+ "SplunkClusterSecret": {
+ "AllowedPattern": 
"(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
+ "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.",
+ "Description": "Shared cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.",
+ "MaxLength": "32",
+ "MinLength": "8",
+ "NoEcho": "true",
+ "Type": "String"
+ },
+ "SplunkIndexerDiscoverySecret": {
+ "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*",
+ "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.",
+ "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. 
Must be at least 8 characters containing letters, numbers and symbols.",
+ "MaxLength": "32",
+ "MinLength": "8",
+ "NoEcho": "true",
+ "Type": "String"
+ },
+ "VPCCIDR": {
+ "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.",
+ "Description": "VPC CIDR Block (x.x.x.x/x notation)",
+ "Type": "String"
+ },
+ "VPCID": {
+ "Description": "VPC ID",
+ "Type": "AWS::EC2::VPC::Id"
+ }
+ },
+ "Metadata": {
+ "AWSAMIRegionMap": {
+ "Filters": {
+ "SPLUNKENTHVM": {
+ "name": "splunk_marketplace_AMI_*",
+ "owner-alias": "aws-marketplace",
+ "product-code.type": "marketplace"
+ }
+ }
+ },
+ "AWS::CloudFormation::Interface": {
+ "ParameterGroups": [
+ {
+ "Label": {
+ "default": "AWS Instance and Network Settings"
+ },
+ "Parameters": [
+ "IndexerInstanceType",
+ "SearchHeadInstanceType",
+ "KeyName",
+ "WebClientLocation",
+ "HECClientLocation",
+ "SSHClientLocation",
+ "VPCID",
+ "VPCCIDR",
+ "PublicSubnet1ID",
+ "PublicSubnet2ID",
+ "PublicSubnet3ID",
+ "NumberOfAZs",
+ "SmartStoreBucketName"
+ ]
+ },
+ {
+ "Label": {
+ "default": "Splunk Settings"
+ },
+ "Parameters": [
+ "SplunkAdminPassword",
+ "SplunkClusterSecret",
+ "SplunkIndexerDiscoverySecret",
+ "SplunkLicenseBucket",
+ "SplunkLicensePath",
+ "SplunkIndexerCount",
+ "SplunkIndexerDiskSize",
+ "SplunkSearchHeadDiskSize",
+ "SplunkReplicationFactor",
+ "SplunkSearchFactor",
+ "SmartStoreBucketName",
+ "SHCEnabled",
+ "IndexerApps",
+ "SearchHeadApps"
+ ]
+ }
+ ],
+ "ParameterLabels": {
 "WebClientLocation": {
- "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
- "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. 
Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" + "default": "Permitted CIDR for Splunk web interface" }, "HECClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" + "default": "Permitted CIDR for Splunk HTTP event collector input" }, "IndexerInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "m4.2xlarge", - "m4.4xlarge", - "m4.10xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "c5.18xlarge", - "i3.2xlarge", - "i3.4xlarge", - "i3.8xlarge" - ], - "Description": "EC2 instance type for Splunk Indexers", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" + "default": "EC2 instance type for Splunk indexer" }, "SearchHeadInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "r4.4xlarge", - "r4.8xlarge", - "r4.16xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "m5.2xlarge", - "m5.4xlarge", - "m5.12xlarge" - ], - "Description": "EC2 instance type for Splunk Search Heads", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "IndexerApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", - "Default": "", - "Type": 
"CommaDelimitedList" - }, - "SearchHeadApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", - "Default": "", - "Type": "CommaDelimitedList" + "default": "EC2 instance type for Splunk search head" }, "KeyName": { - "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", - "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - }, - "NumberOfAZs": { - "AllowedValues": [ - "2", - "3" - ], - "Default": "2", - "Description": "Number of Availability Zones to use in the VPC. This must match the number public subnet IDs entered as parameters", - "Type": "String" + "default": "Key Name" }, "PublicSubnet1ID": { - "Description": "ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id" + "default": "Public Subnet 1 ID" }, "PublicSubnet2ID": { - "Description": "ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id" + "default": "Public Subnet 2 ID" }, "PublicSubnet3ID": { - "Description": "ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id", - "Default": "" - }, - "QSS3BucketName": { - "Default": "splk-quickstart-testing", - "Description": "S3 bucket name for the Quick Start assets.", - "Type": "String" + "default": "Public Subnet 3 ID" }, - "QSS3KeyPrefix": { - "Default": "quickstart-splunk-enterprise/", - "Description": "S3 key prefix for the Quick Start assets.", - "Type": "String" + "NumberOfAZs": { + "default": "Number of Availability Zones" }, "SHCEnabled": { - "AllowedValues": [ - "yes", - "no" - ], - "Default": "no", - "Description": "Do you want to build a Splunk search head cluster?", - "Type": "String" + "default": "Enable Search Head Cluster?" 
}, "SSHClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" + "default": "Permitted CIDR for ssh" }, "SplunkAdminPassword": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" + "default": "Splunk Admin Password" }, "SplunkIndexerCount": { - "ConstraintDescription": "must be a valid number, 3-10", - "Default": "3", - "Description": "How many Splunk indexers to launch. [3-10]", - "MaxValue": "10", - "MinValue": "3", - "Type": "Number" + "default": "No. of Splunk Indexers" + }, + "SmartStoreBucketName": { + "default": "Name of bucket to be created for Smartstore storage" }, "SplunkIndexerDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" + "default": "Indexer Disk Size" }, - "SplunkSearchHeadDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk search head(s). 
(in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" + "default": "Search Head(s) Disk Size" }, "SplunkLicenseBucket": { - "Default": "", - "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", - "Type": "String" + "default": "Splunk License Bucket" }, "SplunkLicensePath": { - "Default": "", - "Description": "Path to license file in S3 Bucket (without leading '/')", - "Type": "String" + "default": "Splunk License S3 Bucket Path" }, "SplunkReplicationFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" + "default": "Index Cluster Replication Factor" }, "SplunkSearchFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be searchable in the Splunk indexer clusters", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" + "default": "Index Cluster Search Factor" }, "SplunkClusterSecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Shared cluster secret for Search Head and Indexer cluster nodes. 
Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" + "default": "Shared Security Key for Cluster Nodes" }, "SplunkIndexerDiscoverySecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" + "default": "Shared Security Key for Forwarders using Indexer Discovery" + }, + "IndexerApps": { + "default": "Apps/Add-ons to pre-Install on Splunk Indexers" + }, + "SearchHeadApps": { + "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" }, "VPCCIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Description": "VPC CIDR Block (x.x.x.x/x notation)", - "Type": "String" + "default": "VPC CIDR" }, "VPCID": { - "Description": "VPC ID", - "Type": "AWS::EC2::VPC::Id" + "default": "VPC ID" } + } + } + }, + "Conditions": { + "Create3AZ": { + "Fn::Equals": [ + { + "Ref": "NumberOfAZs" + }, + "3" + ] }, - "Metadata": { - "AWSAMIRegionMap":{ - "Filters":{ - "SPLUNKENTHVM":{ - "name":"splunk_marketplace_AMI_*", - "owner-alias":"aws-marketplace", - "product-code.type":"marketplace" - } + "CreateSingleSearchHead": { + "Fn::Equals": [ + { + "Ref": "SHCEnabled" + }, + "no" + ] + 
}, + "CreateSHC": { + "Fn::Equals": [ + { + "Ref": "SHCEnabled" + }, + "yes" + ] + }, + "InstallIndexerApps": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Fn::Join": [ + "", + { + "Ref": "IndexerApps" + } + ] + }, + "" + ] + } + ] + }, + "InstallSearchHeadApps": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Fn::Join": [ + "", + { + "Ref": "SearchHeadApps" + } + ] + }, + "" + ] + } + ] + }, + "ConfigureLicense": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Fn::Equals": [ + "", + { + "Ref": "SplunkLicenseBucket" + } + ] + } + ] + }, + { + "Fn::Not": [ + { + "Fn::Equals": [ + "", + { + "Ref": "SplunkLicensePath" + } + ] + } + ] + } + ] + } + }, + "Mappings": { + "AWSAMIRegionMap": { + "AMI": { + "SPLUNKENTHVM": "splunk_marketplace_AMI_2018-10-16_22_07_36-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d-ami-0d494b5a999e1c49f.4" + }, + "ap-northeast-1": { + "SPLUNKENTHVM": "ami-0db36f11d65f551fb" + }, + "ap-northeast-2": { + "SPLUNKENTHVM": "ami-09c7965888207979b" + }, + "ap-south-1": { + "SPLUNKENTHVM": "ami-07c20db6edfd45f98" + }, + "ap-southeast-1": { + "SPLUNKENTHVM": "ami-0e7b7ca1bdcdd93a6" + }, + "ap-southeast-2": { + "SPLUNKENTHVM": "ami-0c8a4d5bdf83f0df8" + }, + "ca-central-1": { + "SPLUNKENTHVM": "ami-02f085f4514fa7145" + }, + "eu-central-1": { + "SPLUNKENTHVM": "ami-09ce965c3b1a9a1cb" + }, + "eu-west-1": { + "SPLUNKENTHVM": "ami-0fafe9e81915f154e" + }, + "eu-west-2": { + "SPLUNKENTHVM": "ami-060d9e50d310e0ebb" + }, + "sa-east-1": { + "SPLUNKENTHVM": "ami-0dacd4005280936e5" + }, + "us-east-1": { + "SPLUNKENTHVM": "ami-0484972f36720ea7f" + }, + "us-east-2": { + "SPLUNKENTHVM": "ami-04b6874c649721f0a" + }, + "us-west-1": { + "SPLUNKENTHVM": "ami-0377011a3f771e353" + }, + "us-west-2": { + "SPLUNKENTHVM": "ami-098f3b1d228f57491" + } + }, + "SplunkConfig": { + "dedicated-instance-type": { + "clusterMaster": "c5.xlarge", + "shclusterDeployer": "c5.xlarge" + }, + "shcluster-replication-factor": { + "num": "3" + }, + "labels": { + "cluster": "IndexerCluster", + "shcluster": 
"SearchHeadCluster" + } + } + }, + "Resources": { + "SplunkSmartstoreBucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": { + "Ref": "SmartStoreBucketName" + }, + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256" + } + } + ] } }, - "AWS::CloudFormation::Interface": { - "ParameterGroups": [ + "DeletionPolicy": "Delete" + }, + "SmartStoreS3BucketRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/" + } + }, + "SmartStoreS3AccessInstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ + { + "Ref": "SmartStoreS3BucketRole" + } + ] + } + }, + "SmartStoreS3BucketPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "SmartStoreS3BucketPolicy", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:ListBucket" + ], + "Effect": "Allow", + "Resource": [ { - "Label": { - "default": "AWS Instance and Network Settings" - }, - "Parameters": [ - "IndexerInstanceType", - "SearchHeadInstanceType", - "KeyName", - "WebClientLocation", - "HECClientLocation", - "SSHClientLocation", - "VPCID", - "VPCCIDR", - "PublicSubnet1ID", - "PublicSubnet2ID", - "PublicSubnet3ID", - "NumberOfAZs" + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "SmartStoreBucketName" + } ] - }, + ] + } + ] + }, + { + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject", + "s3:PutObjectAcl" + ], + "Effect": "Allow", + "Resource": [ { - "Label": { - "default": "Splunk Settings" - }, - "Parameters": [ - "SplunkAdminPassword", - "SplunkClusterSecret", - "SplunkIndexerDiscoverySecret", - "SplunkLicenseBucket", - "SplunkLicensePath", - "SplunkIndexerCount", - "SplunkIndexerDiskSize", - "SplunkSearchHeadDiskSize", - 
"SplunkReplicationFactor", - "SplunkSearchFactor", - "SHCEnabled", - "IndexerApps", - "SearchHeadApps" + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "SmartStoreBucketName" + }, + "/*" ] + ] } + ] + } + ] + }, + "Roles": [ + { + "Ref": "SmartStoreS3BucketRole" + } + ] + } + }, + "SplunkSearchHeadSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 8000, + "ToPort": 8000, + "CidrIp": { + "Ref": "WebClientLocation" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8090, + "ToPort": 8090, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8191, + "ToPort": 8191, + "CidrIp": { + "Ref": "VPCCIDR" + } + } + ], + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkSearchHeadSecurityGroup" + } + ] + } + }, + "SplunkIndexerSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 9997, + "ToPort": 9997, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8088, + "ToPort": 8088, + "SourceSecurityGroupId": { + "Ref": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 514, + "ToPort": 514, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "udp", + "FromPort": 514, + "ToPort": 514, + "CidrIp": { + "Ref": "VPCCIDR" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 9887, + "ToPort": 9887, + "CidrIp": { + "Ref": "VPCCIDR" + } + } + ], + "Tags": [ + { + 
"Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkIndexerSecurityGroup" + } + ] + } + }, + "SplunkSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable administrative ports like restricted SSH and management port", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": { + "Ref": "SSHClientLocation" + } + }, + { + "IpProtocol": "tcp", + "FromPort": 8089, + "ToPort": 8089, + "CidrIp": { + "Ref": "VPCCIDR" + } + } + ], + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkSecurityGroup" + } + ] + } + }, + "SplunkHttpEventCollectorLoadBalancerSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "VPCID" + }, + "GroupDescription": "Enable port 8088 on ELB for HEC input", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 8088, + "ToPort": 8088, + "CidrIp": { + "Ref": "HECClientLocation" + } + } + ], + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Name", + "Value": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" + } + ] + } + }, + "SplunkSearchHeadInstance": { + "Type": "AWS::EC2::Instance", + "Condition": "CreateSingleSearchHead", + "CreationPolicy": { + "ResourceSignal": { + "Timeout": "PT60M" + } + }, + "Properties": { + "ImageId": { + "Fn::FindInMap": [ + "AWSAMIRegionMap", + { + "Ref": "AWS::Region" + }, + "SPLUNKENTHVM" + ] + }, + "InstanceType": { + "Ref": "SearchHeadInstanceType" + }, + "KeyName": { + "Ref": "KeyName" + }, + "Tags": [ + { + "Key": "Application", + "Value": { + "Ref": "AWS::StackId" + } + }, + { + "Key": "Role", + "Value": "splunk-search-head" + }, + { + "Key": "Name", + "Value": "search-head" + } + ], + "NetworkInterfaces": [ + { + "GroupSet": [ + { + "Ref": "SplunkSecurityGroup" 
+ }, + { + "Ref": "SplunkSearchHeadSecurityGroup" + } ], - "ParameterLabels": { - "WebClientLocation": { - "default": "Permitted CIDR for Splunk web interface" - }, - "HECClientLocation": { - "default": "Permitted CIDR for Splunk HTTP event collector input" - }, - "IndexerInstanceType": { - "default": "EC2 instance type for Splunk indexer" - }, - "SearchHeadInstanceType": { - "default": "EC2 instance type for Splunk search head" - }, - "KeyName": { - "default": "Key Name" - }, - "PublicSubnet1ID": { - "default": "Public Subnet 1 ID" - }, - "PublicSubnet2ID": { - "default": "Public Subnet 2 ID" - }, - "PublicSubnet3ID": { - "default": "Public Subnet 3 ID" - }, - "NumberOfAZs": { - "default": "Number of Availability Zones" - }, - "SHCEnabled": { - "default": "Enable Search Head Cluster?" - }, - "SSHClientLocation": { - "default": "Permitted CIDR for ssh" - }, - "SplunkAdminPassword": { - "default": "Splunk Admin Password" - }, - "SplunkIndexerCount": { - "default": "No. of Splunk Indexers" - }, - "SplunkIndexerDiskSize": { - "default": "Indexer Disk Size" - }, - "SplunkSearchHeadDiskSize": { - "default": "Search Head(s) Disk Size" - }, - "SplunkLicenseBucket": { - "default": "Splunk License Bucket" - }, - "SplunkLicensePath": { - "default": "Splunk License S3 Bucket Path" - }, - "SplunkReplicationFactor": { - "default": "Index Cluster Replication Factor" - }, - "SplunkSearchFactor": { - "default": "Index Cluster Search Factor" - }, - "SplunkClusterSecret": { - "default": "Shared Security Key for Cluster Nodes" - }, - "SplunkIndexerDiscoverySecret": { - "default": "Shared Security Key for Forwarders using Indexer Discovery" - }, - "IndexerApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Indexers" - }, - "SearchHeadApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" + "AssociatePublicIpAddress": true, + "DeviceIndex": "0", + "DeleteOnTermination": true, + "SubnetId": { + "Ref": "PublicSubnet1ID" + } + } + ], + "BlockDeviceMappings": [ 
+ { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "SplunkSearchHeadDiskSize" + } + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "", + [ + "#!/bin/bash -v\n", + "cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", + "rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg\n", + "/bin/systemctl start Splunkd\n", + "/bin/systemctl stop Splunkd\n", + "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", + "chmod 600 /var/log/cloud-init-output.log\n", + "yum update -y aws-cfn-bootstrap\n", + "export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)\n", + "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n", + "export SPLUNK_USER=splunk\n", + "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", + "export SPLUNK_HOME=/opt/splunk\n", + "printf '%s\t%s\n' \"$LOCALIP\" 'splunksearch' >> /etc/hosts\n", + "hostname splunksearch\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf </dev/null)\n", + "export SPLUNK_USER=splunk\n", + "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", + "export SPLUNK_HOME=/opt/splunk\n", + "# remove stale splunkd.log that ships with AMI.\n", + "rm -f $SPLUNK_HOME/var/log/splunk/splunkd.log\n", + "printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts\n", + "hostname splunklicense\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf 
<>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token\n", + "TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token\n", + "echo $TOKEN\n", + "mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", + "mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", + "# Peer config 2: Enable splunktcp input\n", + "cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <> $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf\n", + "cat >>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf </dev/null)\n", - "export SPLUNK_USER=splunk\n", - "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", - "export SPLUNK_HOME=/opt/splunk\n", - "# remove stale splunkd.log that ships with AMI.\n", - "rm -f $SPLUNK_HOME/var/log/splunk/splunkd.log\n", - "printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts\n", - "hostname splunklicense\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token\n", - "TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token\n", - "echo $TOKEN\n", - "mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", - "mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", - "# Peer config 2: Enable splunktcp input\n", - "cat 
>>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <> /etc/hosts\n", - "hostname splunk-shc-deployer\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts\n", + "hostname splunk-shc-deployer\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", + "hostname splunksearch\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", + "hostname splunksearch\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd 
$SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <> /etc/hosts\n", + "hostname splunksearch\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", + "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <>$SPLUNK_HOME/etc/system/local/user-seed.conf <> $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf\n", + "cat >>$SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/system/local/server.conf < Date: Thu, 7 May 2020 10:08:11 -0700 Subject: [PATCH 03/47] Update splunk-enterprise-master-ss.template testing.. --- templates/splunk-enterprise-master-ss.template | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index 406fe15..1013b01 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template @@ -96,7 +96,7 @@ }, "PublicSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", + "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x", "Default": "10.0.2.0/24", "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", "Type": "String" @@ -590,4 +590,4 @@ } } } -} \ No newline at end of file +} 
From 672a2086098324541ce3f4f191a1870cc38dda60 Mon Sep 17 00:00:00 2001 From: Bill Bartlett Date: Wed, 13 May 2020 11:31:19 -0700 Subject: [PATCH 04/47] Create user_data.sh initial commit of user_data.sh -- testing viability of using external shell scripts for user data instead of doing everything in-line with the template. --- scripts/user_data.sh | 153 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 scripts/user_data.sh diff --git a/scripts/user_data.sh b/scripts/user_data.sh new file mode 100644 index 0000000..e131fc5 --- /dev/null +++ b/scripts/user_data.sh 
@@ -0,0 +1,153 @@ +#!/bin/bash -v + +## +#- user script for Splunk search head +## + +#- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead +#- Splunk is installed via ansible as part of cloud-init. The following command +#- is needed to ensure these install scripts are ran prior to the remainder of the user +#- scripts. Without doing this first, the Splunk installer is ran after CloudFormation's +#- cloud-init scripts, leaving no Splunk install for these scripts to configure. + +(cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml) + +#- remove the cloud-init script from running since it's already been ran manually. +rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg +/bin/systemctl start Splunkd +/bin/systemctl stop Splunkd + +# First make cloud-init output log readable by root only to protect sensitive parameter values +chmod 600 /var/log/cloud-init-output.log + +#- update package +yum update -y aws-cfn-bootstrap + +#- variables +export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) +export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) +export SPLUNK_USER=splunk +export SPLUNK_BIN=/opt/splunk/bin/splunk +export SPLUNK_HOME=/opt/splunk + +#- add hostname to /etc/hosts and set hostname +printf '%s\t%s\n' \"$LOCALIP\" 'splunksearch' >> /etc/hosts +hostname splunksearch + +#- setup auth with user-selected admin password +mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak +cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf < Date: Wed, 13 May 2020 11:55:13 -0700 Subject: [PATCH 05/47] Update user_data.sh --- scripts/user_data.sh | 99 
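Review bot: The ansible bootstrap line still carries the JSON escaping from the template: it opens with `bash -c \"SPLUNK_BUILD_URL=…` and never closes the quote, so in a plain shell script the install command does not run as intended. The `printf '%s\t%s\n' \"$LOCALIP\" 'splunksearch'` line has the same leftover and would write literal quote characters into /etc/hosts. Use ordinary quotes, e.g. `bash -c "SPLUNK_BUILD_URL=… site.yml"` and `printf '%s\t%s\n' "$LOCALIP" 'splunksearch' >> /etc/hosts`. The `chmod 600 /var/log/cloud-init-output.log` step also comes after the install command that is given `SPLUNK_PASSWORD`, so install output presumably reaches the log before its permissions are tightened; moving the chmod to the top of the script closes that window. The heredoc bodies of this hunk are not visible in this view and are not covered here.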
+++++++++++++++----------------------------- 1 file changed, 33 insertions(+), 66 deletions(-)
diff --git a/scripts/user_data.sh b/scripts/user_data.sh
index e131fc5..d4125d1 100644
--- a/scripts/user_data.sh
+++ b/scripts/user_data.sh
@@ -80,74 +80,41 @@ chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated #- start splunk /opt/splunk/bin/splunk start -#- setup license server +#- setup license server communication sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave -master_uri https://$CM_PRIVATEIP:8089 \ -auth admin:$ADMIN_PASSWORD -"sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -secret ", -{ -"Ref": "SplunkClusterSecret" -}, -" -mode searchhead -site site1 -master_uri https://", -{ -"Fn::GetAtt": [ -"SplunkCM", -"PrivateIp" -] -}, -":8089 -auth admin:", -{ -"Ref": "SplunkAdminPassword" -}, -"\n", -{ -"Fn::If": [ -"InstallSearchHeadApps", -{ -"Fn::Join": [ -"", -[ -"# Add user-provided apps for cluster members\n", -"user_apps=( ", -{ -"Fn::Join": [ -" ", -{ -"Ref": "SearchHeadApps" -} -] -}, - ), -for i in ${!user_apps[*]} -do - echo \"Downloading app ${user_apps[$i]}\" - if wget --tries=3 ${user_apps[$i]} -O /tmp/app${i}.spl; then - echo \"Installing app...\" - tar -xvzf /tmp/app${i}.spl -C $SPLUNK_HOME/etc/apps/ - if [ $? -ne 0 ]; then - echo \"Extracting tarball failed\" - fi - rm /tmp/app${i}.spl - else - echo \"Downloading tarball failed\" +#- configure communication to the splunk indexer cluster +sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -secret $SPLUNK_CLUSTER_SECRET \ + -mode searchhead -site site1 -master_uri https://$CM_PRIVATEIP:8089 -auth admin:$ADMIN_PASSWORD + +#- install search head apps, if appropriate + +if [ $INSTALL_SH_APPS == 1]; +then + for i in ${!USER_APPS[*]} + do + echo "Downloading app ${user_apps[$i]}" + if wget --tries=3 ${user_apps[$i]} -O /tmp/app${i}.spl + then + echo "Installing app..." + tar -xvzf /tmp/app${i}.spl -C $SPLUNK_HOME/etc/apps/ + if [ $? 
-ne 0 ]; then + echo "Extracting tarball failed" fi + rm /tmp/app${i}.spl + else + echo "Downloading tarball failed" + fi + #- set ownership + chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps done -chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps -] - -}, -"" -] -}, -"/opt/splunk/bin/splunk restart\n", -"/opt/aws/bin/cfn-signal -e $? --stack ", -{ -"Ref": "AWS::StackName" -}, -" --resource SplunkSearchHeadInstance", -" --region ", -{ -"Ref": "AWS::Region" -}, -"\n", -"usermod --expiredate 1 splunk\n" + +#- restart splunk +/opt/splunk/bin/splunk restart + +#- communicate back to CloudFormation the status of the instance creation +/opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource SplunkSearchHeadInstance --region $AWS_REGION + +#- disable splunk login +usermod --expiredate 1 splunk From 3b5875b0d328d968bc8494938b79ca4379c60206 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Wed, 20 May 2020 13:31:44 -0700 Subject: [PATCH 06/47] updated for further testing using user_data.sh --- scripts/user_data.sh | 244 ++++++++++++------ .../splunk-enterprise-master-ss.template | 1 + templates/splunk-enterprise-ss.template | 147 +++-------- 3 files changed, 208 insertions(+), 184 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index d4125d1..c74309e 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh 
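Review bot: The added `edit cluster-config` command expands `$SPLUNK_CLUSTER_SECRET` and `$ADMIN_PASSWORD` unquoted on the command line, so a value containing whitespace or glob characters is split or expanded, and both secrets sit in the process argument list while the command runs. Quote them at minimum, `-secret "$SPLUNK_CLUSTER_SECRET"` and `-auth "admin:$ADMIN_PASSWORD"`; the licenser command just above it uses the same unquoted `-auth` form. Separately, the new app-install block will not parse as written: `[ $INSTALL_SH_APPS == 1];` needs a space before `]`, no `fi` closes that outer `if` anywhere in the hunk, and the loop indexes `USER_APPS` but reads `user_apps`.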
@@ -1,40 +1,54 @@ -#!/bin/bash -v +#!/bin/bash -## -#- user script for Splunk search head -## +##### +#### start universal config +##### + +# universal functions +function restart_signal +{ + + # restart splunk + /bin/systemctl restart Splunkd + + # communicate back to CloudFormation the status of the instance creation + /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource SplunkSearchHeadInstance \ + --region $AWS_REGION + + # disable splunk user login + usermod --expiredate 1 splunk +} #- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead -#- Splunk is installed via ansible as part of cloud-init. The following command -#- is needed to ensure these install scripts are ran prior to the remainder of the user -#- scripts. Without doing this first, the Splunk installer is ran after CloudFormation's -#- cloud-init scripts, leaving no Splunk install for these scripts to configure. +#- Splunk is installed via ansible as part of cloud-init. The following code (line 28) is +#- needed to ensure these install scripts are ran prior to the remainder of the Cloudformation +#- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's +#- cloud-init scripts, leaving no Splunk install to configure. (cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml) -#- remove the cloud-init script from running since it's already been ran manually. +# remove the cloud-init script from running again later rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg + +# start splunk for initialization, and then stop to make edits. 
/bin/systemctl start Splunkd /bin/systemctl stop Splunkd -# First make cloud-init output log readable by root only to protect sensitive parameter values +# make cloud-init output log readable by root only to protect sensitive parameter values chmod 600 /var/log/cloud-init-output.log -#- update package +# update cfn package yum update -y aws-cfn-bootstrap -#- variables +# variables export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) export SPLUNK_USER=splunk export SPLUNK_BIN=/opt/splunk/bin/splunk export SPLUNK_HOME=/opt/splunk -#- add hostname to /etc/hosts and set hostname -printf '%s\t%s\n' \"$LOCALIP\" 'splunksearch' >> /etc/hosts -hostname splunksearch -#- setup auth with user-selected admin password +# setup auth with user-selected admin password mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <> /etc/hosts + hostname splunksearch + + # stop splunk to make changes to search head configs + /bin/systemctl stop Splunkd + + # Increase splunkweb connection timeout with splunkd + mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local + cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <> $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf\n", 
@@ -2424,7 +2351,7 @@ "#Configure smartstore as if it were a bundle already pushed by the CM.\n", "# ...set SmartStore for all indexes except _internal, _introspection, etc.\n", "# ...NOTE the fisrt part of the file is base64 to get around a dollar sign in the text.\n", - + "mkdir -p $SPLUNK_HOME/etc/slave-apps/_cluster/local\n", "touch $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf\n", @@ -2909,4 +2836,4 @@ } } } -} \ No newline at end of file +} From a3858847088815db8d40314e8874447b40d6b1c2 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Wed, 20 May 2020 15:58:23 -0700 Subject: [PATCH 07/47] changed timeout for CM wait condition --- templates/splunk-enterprise.template | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/splunk-enterprise.template b/templates/splunk-enterprise.template index 756fbe4..8ca052b 100644 --- a/templates/splunk-enterprise.template +++ b/templates/splunk-enterprise.template @@ -899,7 +899,7 @@ "Type": "AWS::EC2::Instance", "CreationPolicy": { "ResourceSignal": { - "Timeout": "PT60M" + "Timeout": "PT15M" } }, "Metadata": { @@ -1126,8 +1126,8 @@ }, "\n", "sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode master -multisite true -replication_factor ", - { - "Ref": "SplunkReplicationFactor" + { + "Ref": "SplunkReplicationFactor" }, " -available_sites ", { @@ -1143,8 +1143,8 @@ "Ref": "SplunkReplicationFactor" }, " -site_search_factor origin:1,total:", - { - "Ref": "SplunkSearchFactor" + { + "Ref": "SplunkSearchFactor" }, " -secret ", { From 3dc459f3fed16afbb267c43e07c35982235c8fd9 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Wed, 20 May 2020 15:59:38 -0700 Subject: [PATCH 08/47] decrease cm timeout condition to 15 minutes --- templates/splunk-enterprise-ss.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 6c7168c..e07bc0d 100644 --- a/templates/splunk-enterprise-ss.template 
+++ b/templates/splunk-enterprise-ss.template @@ -1334,7 +1334,7 @@ "Handle": { "Ref": "SplunkCMWaitHandle" }, - "Timeout": "3600" + "Timeout": "900" } }, "SplunkSHCDeployer": { From f00266d914ae783c2a7d48571c012cca7dc86df2 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Thu, 21 May 2020 00:57:08 -0700 Subject: [PATCH 09/47] changed timeout for CM to 10 minutes. missed updating the creationpolicy timeout on the previous commit. fixing that, and lowering the timeout to 10 minutes instead of 15. --- templates/splunk-enterprise-ss.template | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index e07bc0d..0665876 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template @@ -946,7 +946,7 @@ "Type": "AWS::EC2::Instance", "CreationPolicy": { "ResourceSignal": { - "Timeout": "PT60M" + "Timeout": "PT10M" } }, "Metadata": { @@ -1092,8 +1092,10 @@ "#!/bin/bash -v\n", "cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", "rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg\n", - "/bin/systemctl start Splunkd\n", - "/bin/systemctl stop Splunkd\n", + "#/bin/systemctl start Splunkd\n", + "#/bin/systemctl stop Splunkd\n", + "/opt/splunk/bin/splunk start\n", + "/opt/splunk/bin/splunk stop\n", "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", "chmod 600 /var/log/cloud-init-output.log\n", "yum update -y aws-cfn-bootstrap\n", @@ -1334,7 +1336,7 @@ "Handle": { "Ref": "SplunkCMWaitHandle" }, - "Timeout": "900" + "Timeout": "600" } }, "SplunkSHCDeployer": { From efac84ee8f0db12fca7080ad777a0d4d76a9cb60 Mon Sep 17 00:00:00 2001 
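Review bot: In the `@@ -1092,8 +1092,10 @@` hunk the new `/opt/splunk/bin/splunk start` and `/opt/splunk/bin/splunk stop` lines run as whatever user executes the user data (root under cloud-init), while the rest of this script drives the CLI through `sudo -u $SPLUNK_USER $SPLUNK_BIN`. Depending on how the install configures the service user, this can start splunkd as root and leave root-owned files under `/opt/splunk` that the later `chown` calls only partly cover. Running them as the service account, `sudo -u splunk /opt/splunk/bin/splunk start` and likewise for `stop`, keeps the first start consistent with the rest of the script. The two commented-out `systemctl` lines can be dropped rather than kept as dead strings in the template; the UserData array continues outside this hunk.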
From: billbartlett Date: Thu, 21 May 2020 12:32:51 -0700 Subject: [PATCH 10/47] housekeeping 10 minutes was not enough for the CM to boot before timeout. changed back to 15. changed systemctl commands to use splunk binary moved variables up in user data removed the cloud init files for splunk ansible before ansible is ran --- scripts/user_data.sh | 85 ++++++++----------- .../splunk-enterprise-master-ss.template | 2 +- templates/splunk-enterprise-ss.template | 51 ++++++----- 3 files changed, 62 insertions(+), 76 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index c74309e..89e35a6 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -1,23 +1,21 @@ #!/bin/bash -##### -#### start universal config -##### -# universal functions -function restart_signal -{ +# variables +export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) +export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) +export SPLUNK_USER=splunk +export SPLUNK_BIN=/opt/splunk/bin/splunk +export SPLUNK_HOME=/opt/splunk - # restart splunk - /bin/systemctl restart Splunkd - # communicate back to CloudFormation the status of the instance creation - /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource SplunkSearchHeadInstance \ - --region $AWS_REGION +# make cloud-init output log readable by root only to protect sensitive parameter values +chmod 600 /var/log/cloud-init-output.log - # disable splunk user login - usermod --expiredate 1 splunk -} +# remove the cloud-init script from running again + +rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg +rm -f /var/lib/cloud/instance/scripts/runcmd #- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead #- Splunk is installed via ansible as part of cloud-init. The following code (line 28) is 
@@ -27,26 +25,14 @@ function restart_signal (cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml) -# remove the cloud-init script from running again later -rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg - # start splunk for initialization, and then stop to make edits. -/bin/systemctl start Splunkd -/bin/systemctl stop Splunkd - -# make cloud-init output log readable by root only to protect sensitive parameter values -chmod 600 /var/log/cloud-init-output.log +#/bin/systemctl start Splunkd +#/bin/systemctl stop Splunkd +$SPLUNK_BIN stop # update cfn package yum update -y aws-cfn-bootstrap -# variables -export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) -export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) -export SPLUNK_USER=splunk -export SPLUNK_BIN=/opt/splunk/bin/splunk -export SPLUNK_HOME=/opt/splunk - # setup auth with user-selected admin password mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak 
@@ -56,17 +42,31 @@ USERNAME = admin PASSWORD = $ADMIN_PASSWORD end -# disable password reset on login sed -i '/guid/d' $SPLUNK_HOME/etc/instance.cfg -sed -i 's/ENFORCE_PWD_CHANGE=1/ENFORCE_PWD_CHANGE=0/' /etc/init.d/splunk touch $SPLUNK_HOME/etc/.ui_login # restart Splunk for changes to take effect -/bin/systemctl restart Splunkd +#/bin/systemctl restart Splunkd +$SPLUNK_BIN start + +#### start universal functions + +function restart_signal +{ + + # restart splunk + #/bin/systemctl restart Splunkd + $SPLUNK_BIN restart + + # communicate back to CloudFormation the status of the instance creation + /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource SplunkSearchHeadInstance \ + --region $AWS_REGION + + # disable splunk user login + usermod --expiredate 1 splunk +} -##### #### end universal config -##### ##### #### start user data functions @@ -80,7 +80,7 @@ function splunk_single_sh hostname splunksearch # stop splunk to make changes to search head configs - /bin/systemctl stop Splunkd + #/bin/systemctl stop Splunkd # Increase splunkweb connection timeout with splunkd mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local @@ -120,7 +120,7 @@ end # install search head apps, if appropriate - if [ $INSTALL_SH_APPS == 1]; + if [ $INSTALL_SH_APPS = 1 ]; then for i in ${!USER_APPS[*]} do @@ -196,19 +196,6 @@ esac - - - - - - - - - - - - - diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index d94c6fc..7bf6188 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template @@ -223,7 +223,7 @@ "Type": "String" }, "SmartStoreBucketName": { - "Default": "", + "Default": "bbartlett-smartstore-testing", "Description": "Name of bucket that will be created for SmartStore storage", "Type": "String" } diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 0665876..3bdd8b7 100644 
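Review bot: In the `@@ -223,7 +223,7 @@` hunk of splunk-enterprise-master-ss.template the `SmartStoreBucketName` default changes from empty to `bbartlett-smartstore-testing`, which looks like a personal test value committed into the shared template. S3 bucket names are global and the parameter is described as the bucket "that will be created", so anyone launching with the default would presumably hit a name collision, or end up referencing a bucket they do not control if the template ever falls back to an existing one. Restore `"Default": ""` (or remove the default so the parameter must be supplied) before this leaves the test branch.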
--- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template @@ -905,12 +905,6 @@ "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" }, "\"\n", - - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh single_sh\n", - - { "Fn::If": [ "InstallSearchHeadApps", @@ -929,7 +923,10 @@ } ] }, - " )\n" + " )\n", + "# download user_data script\n", + "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", + "/tmp/user_data.sh single_sh\n" ] ] }, @@ -946,7 +943,7 @@ "Type": "AWS::EC2::Instance", "CreationPolicy": { "ResourceSignal": { - "Timeout": "PT10M" + "Timeout": "PT15M" } }, "Metadata": { 
@@ -1090,24 +1087,27 @@ "", [ "#!/bin/bash -v\n", - "cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", + "export SPLUNK_USER=splunk\n", + "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", + "export SPLUNK_HOME=/opt/splunk\n", + "printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts\n", + "hostname splunklicense\n", + "rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg\n", + "rm -f /var/lib/cloud/instance/scripts/runcmd\n", + + "cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", + "#/bin/systemctl start Splunkd\n", "#/bin/systemctl stop Splunkd\n", - "/opt/splunk/bin/splunk start\n", - "/opt/splunk/bin/splunk stop\n", + "# $SPLUNK_BIN start\n", + "$SPLUNK_BIN stop\n", "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", "chmod 600 /var/log/cloud-init-output.log\n", "yum update -y aws-cfn-bootstrap\n", "export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)\n", "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null)\n", - "export SPLUNK_USER=splunk\n", - "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", - "export SPLUNK_HOME=/opt/splunk\n", - "# remove stale splunkd.log that ships with AMI.\n", - "rm -f $SPLUNK_HOME/var/log/splunk/splunkd.log\n", - "printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts\n", - "hostname splunklicense\n", + "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf < /tmp/token\n", "TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token\n", - 
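Review bot: In the `@@ -1090,24 +1087,27 @@` hunk the `printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts` line now sits above `export LOCALIP=$(curl …)`, so `$LOCALIP` is empty when it runs and /etc/hosts receives a `splunklicense` entry with no address. Move the `export LOCALIP=…` and `export INSTANCEID=…` lines up next to the other three exports, ahead of the `printf`, so the reordering is complete. The UserData array continues beyond this hunk, and the rest of it is not visible here.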
"echo $TOKEN\n", + "#echo $TOKEN\n", "mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", "mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", "# Peer config 2: Enable splunktcp input\n", @@ -1236,7 +1235,7 @@ "# ... is also added to each indexer as if the bundle was already pushed.\n", "# ... this should allow easy recovery for maintenance and future bundle pushes.\n", "# ... note, SmartStore set for all indexes.\n", - "# ... also note the fisrt part of the file is base64 to get around a dollar sign in the text.\n", + "# ... also note the first part of the file is base64 to get around a dollar sign in the text.\n", "mkdir -p $SPLUNK_HOME/etc/master-apps/_cluster/local/\n", @@ -1303,7 +1302,7 @@ ] }, "chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/master-apps\n", - "/opt/splunk/bin/splunk restart\n", + "$SPLUNK_BIN restart\n", "/opt/aws/bin/cfn-signal -e $? --stack ", { "Ref": "AWS::StackName" @@ -1336,7 +1335,7 @@ "Handle": { "Ref": "SplunkCMWaitHandle" }, - "Timeout": "600" + "Timeout": "900" } }, "SplunkSHCDeployer": { From 1ee5b78f40d4b35ea721b2b3aaf70ec70999a40e Mon Sep 17 00:00:00 2001 From: billbartlett Date: Thu, 21 May 2020 14:24:32 -0700 Subject: [PATCH 11/47] fixed location of the user_data.sh download. it was inadvertently locked inside the if statement --- templates/splunk-enterprise-ss.template | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 3bdd8b7..d019256 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template 
@@ -923,16 +923,16 @@ } ] }, - " )\n", - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh single_sh\n" + " )\n" ] ] }, "" ] - } + }, + "# download user_data script\n", + "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", + "/tmp/user_data.sh single_sh\n" ] ] } From 884087a4a229a45d72c414b64e8e2df209fcefa3 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Fri, 22 May 2020 10:12:55 -0700 Subject: [PATCH 12/47] added time to ansible start script to see how long the installation takes --- templates/splunk-enterprise-ss.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index d019256..6cbffcb 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template @@ -1096,7 +1096,7 @@ "rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg\n", "rm -f /var/lib/cloud/instance/scripts/runcmd\n", - "cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", + "cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", "#/bin/systemctl start Splunkd\n", "#/bin/systemctl stop Splunkd\n", From 92cb5310d1f60e7f168c58814ba952412ed4293c Mon Sep 17 00:00:00 2001 
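Review bot: The relocated `wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh` step in the @@ -923 hunk fetches a script that the next element runs from instance UserData, with nothing pinning its content, so whoever can write that object in the bucket controls every instance the stack launches. Consider publishing a digest with the template and checking it before execution, for example `echo "$S3_USERDATA_SHA256  /tmp/user_data.sh" | sha256sum -c - || exit 1`, where S3_USERDATA_SHA256 is a placeholder the template would have to supply. `/tmp/user_data.sh single_sh` is a separate array element, so it is still attempted when the download fails; chaining it with `&&`, or sending a failing `cfn-signal`, would surface a bad fetch instead of running whatever is at that path. The enclosing UserData `Fn::Join` starts and ends outside the hunk.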
From: billbartlett Date: Fri, 22 May 2020 10:13:49 -0700 Subject: [PATCH 13/47] fixed some syntax issues and added echo statements to the functions. without something in the functions, bash will error out on a syntax error. added echo statements as placeholders. --- scripts/user_data.sh | 67 ++++++++++++++++++++++---------------------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 89e35a6..5a23d0a 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -23,7 +23,7 @@ rm -f /var/lib/cloud/instance/scripts/runcmd #- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's #- cloud-init scripts, leaving no Splunk install to configure. -(cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml) +(cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml") # start splunk for initialization, and then stop to make edits. #/bin/systemctl start Splunkd @@ -72,6 +72,26 @@ function restart_signal #### start user data functions ##### +function splunk_cm +{ + echo; +} + +function indexer +{ + echo; +} + +function splunk_cluster_sh +{ + echo; +} + +function splunk_deployer +{ + echo; +} + ## splunk single search head function splunk_single_sh { 
@@ -124,18 +144,19 @@ end then for i in ${!USER_APPS[*]} do - echo "Downloading app ${user_apps[$i]}" - if wget --tries=3 ${user_apps[$i]} -O /tmp/app${i}.spl - then - echo "Installing app..." - tar -xvzf /tmp/app${i}.spl -C $SPLUNK_HOME/etc/apps/ - if [ $? -ne 0 ]; then - echo "Extracting tarball failed" + echo "Downloading app ${user_apps[$i]}" + if wget --tries=3 ${user_apps[$i]} -O /tmp/app${i}.spl + then + echo "Installing app..." + tar -xvzf /tmp/app${i}.spl -C $SPLUNK_HOME/etc/apps/ + if [ $? -ne 0 ]; then + echo "Extracting tarball failed" + fi + rm /tmp/app${i}.spl + else + echo "Downloading tarball failed" fi - rm /tmp/app${i}.spl - else - echo "Downloading tarball failed" - fi + done #- set ownership chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps fi @@ -144,29 +165,7 @@ end restart_signal } -function splunk_cm -{ - - -} - -function indexer -{ - - -} -function splunk_cluster_sh -{ - - -} - -function splunk_deployer -{ - - -} case "$1" in From 3b3dc28a6ec08ee3a6ba1629d1bd927029eed5f4 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Wed, 27 May 2020 15:55:50 -0700 Subject: [PATCH 14/47] add splunk cluster master to user_data.sh process --- scripts/user_data.sh | 195 ++++++++++++++++---- templates/splunk-enterprise-ss.template | 235 ++++++------------------ 2 files changed, 218 insertions(+), 212 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 5a23d0a..774ae30 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -12,10 +12,7 @@ export SPLUNK_HOME=/opt/splunk # make cloud-init output log readable by root only to protect sensitive parameter values chmod 600 /var/log/cloud-init-output.log -# remove the cloud-init script from running again -rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg -rm -f /var/lib/cloud/instance/scripts/runcmd #- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead #- Splunk is installed via ansible as part of cloud-init. The following code (line 28) is 
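Review bot: In the re-indented loop of the @@ -124 hunk the indices come from `${!USER_APPS[*]}` while the elements are read from `${user_apps[$i]}`; bash names are case-sensitive, so unless both arrays are defined elsewhere the URL expands to nothing. Use one name and quote the expansions, e.g. `for i in "${!USER_APPS[@]}"` and `wget --tries=3 "${USER_APPS[$i]}" -O "/tmp/app${i}.spl"`. The archives come from caller-supplied URLs and are unpacked straight into `$SPLUNK_HOME/etc/apps/`, so it is worth listing each one with `tar -tzf` and rejecting absolute or `..` member paths before extracting. The loop sits in a function whose start is outside the hunk.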
@@ -23,12 +20,17 @@ rm -f /var/lib/cloud/instance/scripts/runcmd #- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's #- cloud-init scripts, leaving no Splunk install to configure. +# remove the cloud-init scripts from running +rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg +rm -f /var/lib/cloud/instance/scripts/runcmd + +# run the ansible manually (cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml") # start splunk for initialization, and then stop to make edits. #/bin/systemctl start Splunkd #/bin/systemctl stop Splunkd -$SPLUNK_BIN stop +# $SPLUNK_BIN stop # update cfn package yum update -y aws-cfn-bootstrap @@ -45,9 +47,8 @@ end sed -i '/guid/d' $SPLUNK_HOME/etc/instance.cfg touch $SPLUNK_HOME/etc/.ui_login -# restart Splunk for changes to take effect -#/bin/systemctl restart Splunkd -$SPLUNK_BIN start +# restart Splunk for admin password update +$SPLUNK_BIN restart #### start universal functions @@ -59,7 +60,7 @@ function restart_signal $SPLUNK_BIN restart # communicate back to CloudFormation the status of the instance creation - /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource SplunkSearchHeadInstance \ + /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource $RESOURCE \ --region $AWS_REGION # disable splunk user login 
@@ -74,7 +75,136 @@ function restart_signal function splunk_cm { - echo; + export RESOURCE="SplunkCM" + printf '%s\t%s\n' "$LOCALIP" 'splunklicense' >> /etc/hosts + hostname splunklicense + + # Install files from the metadata + /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource SplunkCM --region $AWS_REGION + + mkdir -p $SPLUNK_HOME/etc/licenses/enterprise + chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise + mv /etc/splunk/splunk.license $SPLUNK_HOME/etc/licenses/enterprise/ + + # Increase splunkweb connection timeout with splunkd + mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local + cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token + TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token + #echo $TOKEN + + # place generated config into master-apps + mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local + mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local + + # peer config 2: enable splunk tcp input + cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf <> /etc/hosts + printf "$LOCALIP \t splunksearch\n" >> /etc/hosts hostname splunksearch # stop splunk to make changes to search head configs 
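Review bot: The new `splunk_cm` body stages the HTTP Event Collector token in a fixed file, redirecting to `/tmp/token` and then reading it back with `sed` before `rm /tmp/token`. That file is created with the default umask in a shared directory, and because the `rm` is chained with `&&` it is skipped if the `sed` step fails, leaving the token on disk. Piping the command's output directly into the `sed -n 's/\ttoken=//p'` filter inside a `$( … )` assignment avoids the file altogether; if a file is needed, create it with `umask 077` and `mktemp`. The command that writes the file is cut off in this rendering, so the exact pipeline should be confirmed against the script.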
@@ -107,7 +238,7 @@ function splunk_single_sh cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <> /etc/hosts\n", - "hostname splunklicense\n", - - "rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg\n", - "rm -f /var/lib/cloud/instance/scripts/runcmd\n", - - "cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", - - "#/bin/systemctl start Splunkd\n", - "#/bin/systemctl stop Splunkd\n", - "# $SPLUNK_BIN start\n", - "$SPLUNK_BIN stop\n", - "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", - "chmod 600 /var/log/cloud-init-output.log\n", - "yum update -y aws-cfn-bootstrap\n", - "export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)\n", - "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null)\n", + "export SYMMKEY=\"", + { + "Ref": "SplunkIndexerDiscoverySecret" + }, + "\" \n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token\n", - "TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token\n", - "#echo $TOKEN\n", - "mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", - "mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", - "# Peer config 2: Enable splunktcp input\n", - "cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <> $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf\n", - "cat >>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf < Date: Mon, 8 Jun 2020 
08:52:59 -0700 Subject: [PATCH 15/47] updated to add splunk cluster manager to user_data script --- scripts/user_data.sh | 21 +++++++++++++------- templates/splunk-enterprise-ss.template | 26 +++++++++++++++---------- 2 files changed, 30 insertions(+), 17 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 774ae30..f467212 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -1,5 +1,6 @@ #!/bin/bash +# https://splk-quickstart-testing.s3.us-west-2.amazonaws.com/quickstart-splunk-enterprise/templates/splunk-enterprise-master-ss.template # variables export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) @@ -79,8 +80,16 @@ function splunk_cm printf '%s\t%s\n' "$LOCALIP" 'splunklicense' >> /etc/hosts hostname splunklicense - # Install files from the metadata - /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource SplunkCM --region $AWS_REGION + #- for the CM, we can't reference CM_PRIVATE_IP in the CloudFormation UserData like + #- we do in the other resources because the CM hasn't been created yet. To keep the + #- syntax consistent across each resource in user_data.sh, export $CM_PRIVATEIP to + #- the CM's local ip address + export CM_PRIVATEIP=$LOCALIP + + # Install license from metadata. This is only relevant if the user uploads a license file. + if [ $INSTALL_LICENSE = 1 ]; then + /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION + fi mkdir -p $SPLUNK_HOME/etc/licenses/enterprise chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise @@ -138,6 +147,7 @@ end # add base config for peer nodes (indexers) as an app under master-apps # peer config 1: ENABLE HEC input on indexers + printf "** create HEC token\t" && date # generate the config file and HEC token sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector enable -uri https://localhost:8089 sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector create default-token \ 
@@ -238,7 +248,7 @@ function splunk_single_sh cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf < Date: Wed, 8 Jul 2020 21:04:34 -0700 Subject: [PATCH 16/47] adding license by default for testing --- scripts/user_data.sh | 116 ++++++- .../splunk-enterprise-master-ss.template | 4 +- templates/splunk-enterprise-ss.template | 288 +++--------------- 3 files changed, 159 insertions(+), 249 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index f467212..7cad486 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -61,8 +61,7 @@ function restart_signal $SPLUNK_BIN restart # communicate back to CloudFormation the status of the instance creation - /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource $RESOURCE \ - --region $AWS_REGION + /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION # disable splunk user login usermod --expiredate 1 splunk @@ -74,6 +73,9 @@ function restart_signal #### start user data functions ##### +### +# Splunk Cluster Master / License Master +### function splunk_cm { export RESOURCE="SplunkCM" @@ -89,6 +91,8 @@ function splunk_cm # Install license from metadata. This is only relevant if the user uploads a license file. if [ $INSTALL_LICENSE = 1 ]; then /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION + mkdir -p /opt/splunk/etc/licenses/enterprise/ + mv /etc/splunk/splunk.license /opt/splunk/etc/licenses/enterprise/splunk.license fi mkdir -p $SPLUNK_HOME/etc/licenses/enterprise 
@@ -227,14 +231,116 @@ function splunk_cluster_sh echo; } +### +# Splunk Deployer +### function splunk_deployer { - echo; + export RESOURCE="SplunkSHCDeployer" + printf "$LOCALIP \t splunk-shc-deployer\n" >> /etc/hosts + hostname splunk-shc-deployer + + # Increase splunkweb connection timeout with splunkd + mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local + cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts @@ -271,12 +377,12 @@ end # update permissions chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated - printf "** license setup\t " && date + printf "#### license setup\t " && date # setup license server communication sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave -master_uri https://$CM_PRIVATEIP:8089 -auth admin:$ADMIN_PASSWORD - printf "** clustering setup\t " && date + printf "#### clustering setup\t " && date # configure communication to the splunk indexer cluster sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -secret $SPLUNK_CLUSTER_SECRET \ diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index 7bf6188..2aca80b 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template @@ -170,12 +170,12 @@ "Type": "Number" }, "SplunkLicenseBucket": { - "Default": "", + "Default": "splk-quickstart-testing", "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", "Type": "String" }, "SplunkLicensePath": { - "Default": "", + "Default": "license/splunk.license", "Description": "Path to license file in S3 Bucket (without leading '/')", "Type": "String" }, 
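Review bot: The new defaults `"Default": "splk-quickstart-testing"` for SplunkLicenseBucket and `"Default": "license/splunk.license"` for SplunkLicensePath in the master template bake a test fixture into what users deploy. A stack launched with defaults would try to fetch a license from a bucket the deployer does not own, and if the ConfigureLicense condition is keyed on these values being non-empty (not visible here) the license path is switched on for everyone. Keeping `"Default": ""` in the template and supplying the test values from a parameter override file used only by the test pipeline avoids shipping this by accident. The Parameters object starts and ends outside the hunk.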
diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 7b9c741..8181f41 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template @@ -867,40 +867,18 @@ "#!/bin/bash \n", "# setup variables\n", "export INSTALL_SH_APPS=0\n", - "export SYMMKEY=\"", - { - "Ref": "SplunkIndexerDiscoverySecret" - }, - "\" \n", + "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", + "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", + "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", + "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", + "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", - { - "Ref": "SplunkAdminPassword" - }, - "\" \n", "export CM_PRIVATEIP=\"", { - "Fn::GetAtt": [ - "SplunkCM", - "PrivateIp" - ] - }, - "\" \n", - "export STACK_NAME=\"", - { - "Ref": "AWS::StackName" - }, - "\" \n", - "export AWS_REGION=\"", - { - "Ref": "AWS::Region" - }, - "\" \n", - "export SPLUNK_CLUSTER_SECRET=\"", - { - "Ref": "SplunkClusterSecret" + "Fn::GetAtt": ["SplunkCM", "PrivateIp"] }, "\" \n", + "export S3_USERDATA=\"", { "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" @@ -919,9 +897,7 @@ { "Fn::Join": [ " ", - { - "Ref": "SearchHeadApps" - } + {"Ref": "SearchHeadApps"} ] }, " )\n" 
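Review bot: The compacted UserData lines in the @@ -867 hunk, such as `"export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n"`, still place the admin password, the cluster secret and the indexer-discovery key in instance user data, which any process on the instance can read from the metadata service and which anyone holding ec2:DescribeInstanceAttribute can read from the API. The values are also pasted between double quotes, so a password containing `"`, `$` or a backtick is reinterpreted by the shell. Consider keeping them in Secrets Manager or SSM Parameter Store and having user_data.sh fetch them with the instance role, or at least constraining the parameters with an AllowedPattern and single-quoting the values. The same lines appear in the @@ -1071 hunk for the cluster master, and the enclosing Fn::Join extends beyond both hunks.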
@@ -1095,41 +1071,16 @@ "export SPLUNK_HOME=/opt/splunk\n", "export INSTALL_INDEXER_APPS=0\n", "export INSTALL_LICENSE=0\n", - "export SYMMKEY=\"", - { - "Ref": "SplunkIndexerDiscoverySecret" - }, - "\" \n", - - "export ADMIN_PASSWORD=\"", - { - "Ref": "SplunkAdminPassword" - }, - "\" \n", - - "export STACK_NAME=\"", - { - "Ref": "AWS::StackName" - }, - "\" \n", - - "export AWS_REGION=\"", - { - "Ref": "AWS::Region" - }, - "\" \n", - - "export SPLUNK_CLUSTER_SECRET=\"", - { - "Ref": "SplunkClusterSecret" - }, - "\" \n", - "export SMARTSTORE_BUCKET=\"", - { - "Ref": "SmartStoreBucketName" - }, - "\"\n", + "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", + "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", + "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", + "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", + "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", + "export SMARTSTORE_BUCKET=\"", {"Ref": "SmartStoreBucketName"}, "\"\n", + "export SplunkCMWaitHandle=\"", {"Ref": "SplunkCMWaitHandle"}, "\"\n", + "export REPFACTOR=\"", {"Ref": "SplunkReplicationFactor"}, "\"\n", + "export SEARCHFACTOR=\"", {"Ref": "SplunkSearchFactor"}, "\"\n", "export S3_USERDATA=\"", { @@ -1147,32 +1098,13 @@ }, "\"\n", - "export SplunkCMWaitHandle=\"", - { - "Ref": "SplunkCMWaitHandle" - }, - "\"\n", - - "export REPFACTOR=\"", - { - "Ref": "SplunkReplicationFactor" - }, - "\"\n", - - "export SEARCHFACTOR=\"", - { - "Ref": "SplunkSearchFactor" - }, - "\"\n", { "Fn::If": [ "ConfigureLicense", { "Fn::Join": [ "", - [ - "export INSTALL_LICENSE=1\n" - ] + ["export INSTALL_LICENSE=1\n"] ] }, "" @@ -1230,7 +1162,7 @@ "Condition": "CreateSHC", "CreationPolicy": { "ResourceSignal": { - "Timeout": "PT60M" + "Timeout": "PT20M" } }, "Properties": { @@ -1262,7 +1194,7 @@ }, { "Key": "Role", - "Value": "splunk-search-head" + "Value": "splunk-deployer" }, { "Key": "Name", 
@@ -1304,111 +1236,31 @@ "", [ "#!/bin/bash -v\n", - "cd /opt/splunk-ansible && sudo -u ec2-user -E -S bash -c \"SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml\"\n", - "rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg\n", - "/bin/systemctl start Splunkd\n", - "/bin/systemctl stop Splunkd\n", - "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", - "chmod 600 /var/log/cloud-init-output.log\n", - "yum update -y aws-cfn-bootstrap\n", "export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)\n", "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n", "export SPLUNK_USER=splunk\n", "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", "export SPLUNK_HOME=/opt/splunk\n", - "printf '%s\t%s\n' \"$LOCALIP\" 'splunk-shc-deployer' >> /etc/hosts\n", - "hostname splunk-shc-deployer\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf < Date: Wed, 8 Jul 2020 21:12:42 -0700 Subject: [PATCH 17/47] add 0.0.0.0/0 as access CIDR by default for easier testing --- templates/splunk-enterprise-master-ss.template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index 2aca80b..d6289d7 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template 
@@ -16,6 +16,7 @@
 "Type": "String"
 },
 "WebClientLocation": {
+ "Default": "0.0.0.0/0",
 "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
 "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
 "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
@@ -24,6 +25,7 @@
 "Type": "String"
 },
 "HECClientLocation": {
+ "Default": "0.0.0.0/0",
 "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
 "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
 "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
@@ -129,6 +131,7 @@
 "Type": "String"
 },
 "SSHClientLocation": {
+ "Default": "0.0.0.0/0",
 "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
 "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.",
 "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address",
From c92fe8795e37e51309859e00773a264ccb45cf28 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Wed, 8 Jul 2020 21:14:56 -0700 Subject: [PATCH 18/47] .
---
 templates/splunk-enterprise-master-ss.template | 1 - 1 file changed, 1 deletion(-)
diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template
index d6289d7..63dd887 100644
--- a/templates/splunk-enterprise-master-ss.template
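Review bot: Adding `"Default": "0.0.0.0/0",` to WebClientLocation, HECClientLocation and SSHClientLocation means a stack launched without touching these parameters opens Splunk Web, the HTTP Event Collector and SSH to every address. Before this change the missing default forced the deployer to choose a range. Since the commit message says the values are for easier testing, keep the template without these defaults and pass `0.0.0.0/0` from a test-only parameter file; SSHClientLocation in particular should have no open default. The Parameters object starts and ends outside the three hunks.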
+++ b/templates/splunk-enterprise-master-ss.template
@@ -111,7 +111,6 @@
 "Type": "String"
 },
 "QSS3BucketName": {
- "Default": "",
 "Description": "S3 bucket name for the Quick Start assets.",
 "Default": "splk-quickstart-testing",
 "Type": "String"
From 9641ec49df3f9862021f514a98964da563fca731 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Mon, 13 Jul 2020 09:27:48 -0700 Subject: [PATCH 19/47] moved all of the code that runs on every machine to a 'base' function. Prior to this change, when the script was ran without any arguments, it would still try to execute the base install of Splunk. This change was made so that if someone executes the script to see usage, it won't try to execute the install before showing the usage.
---
 scripts/user_data.sh | 101 ++++++++++++++++++++++++------------------- 1 file changed, 57 insertions(+), 44 deletions(-)
diff --git a/scripts/user_data.sh b/scripts/user_data.sh
index 7cad486..f98c120 100644
--- a/scripts/user_data.sh
+++ b/scripts/user_data.sh
@@ -1,63 +1,65 @@ #!/bin/bash -# https://splk-quickstart-testing.s3.us-west-2.amazonaws.com/quickstart-splunk-enterprise/templates/splunk-enterprise-master-ss.template +#### start universal functions +function base +{ -# variables -export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) -export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) -export SPLUNK_USER=splunk -export SPLUNK_BIN=/opt/splunk/bin/splunk -export SPLUNK_HOME=/opt/splunk + # https://splk-quickstart-testing.s3.us-west-2.amazonaws.com/quickstart-splunk-enterprise/templates/splunk-enterprise-master-ss.template + # variables + export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) + export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) + export SPLUNK_USER=splunk + export SPLUNK_BIN=/opt/splunk/bin/splunk + export SPLUNK_HOME=/opt/splunk -# make cloud-init output log readable by root only to protect sensitive parameter values -chmod 600 /var/log/cloud-init-output.log + # make cloud-init output log readable by root only to protect sensitive parameter values + chmod 600 /var/log/cloud-init-output.log -#- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead -#- Splunk is installed via ansible as part of cloud-init. The following code (line 28) is -#- needed to ensure these install scripts are ran prior to the remainder of the Cloudformation -#- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's -#- cloud-init scripts, leaving no Splunk install to configure. -# remove the cloud-init scripts from running -rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg -rm -f /var/lib/cloud/instance/scripts/runcmd + #- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead + #- Splunk is installed via ansible as part of cloud-init. 
The following code (line 28) is + #- needed to ensure these install scripts are ran prior to the remainder of the Cloudformation + #- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's + #- cloud-init scripts, leaving no Splunk install to configure. -# run the ansible manually -(cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml") + # remove the cloud-init scripts from running + rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg + rm -f /var/lib/cloud/instance/scripts/runcmd -# start splunk for initialization, and then stop to make edits. -#/bin/systemctl start Splunkd -#/bin/systemctl stop Splunkd -# $SPLUNK_BIN stop + # run the ansible manually + (cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml") -# update cfn package -yum update -y aws-cfn-bootstrap + # start splunk for initialization, and then stop to make edits. 
+ #/bin/systemctl start Splunkd + #/bin/systemctl stop Splunkd + # $SPLUNK_BIN stop + # update cfn package + yum update -y aws-cfn-bootstrap -# setup auth with user-selected admin password -mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak -cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <> $SPLUNK_HOME/etc/system/local/user-seed.conf << end + [user_info] + USERNAME = admin + PASSWORD = $ADMIN_PASSWORD +end -# restart Splunk for admin password update -$SPLUNK_BIN restart + sed -i '/guid/d' $SPLUNK_HOME/etc/instance.cfg + touch $SPLUNK_HOME/etc/.ui_login -#### start universal functions + # restart Splunk for admin password update + $SPLUNK_BIN restart +} function restart_signal { # restart splunk - #/bin/systemctl restart Splunkd $SPLUNK_BIN restart # communicate back to CloudFormation the status of the instance creation @@ -78,6 +80,9 @@ function restart_signal ### function splunk_cm { + # execute base install and configuration + base + export RESOURCE="SplunkCM" printf '%s\t%s\n' "$LOCALIP" 'splunklicense' >> /etc/hosts hostname splunklicense @@ -90,15 +95,11 @@ function splunk_cm # Install license from metadata. This is only relevant if the user uploads a license file. if [ $INSTALL_LICENSE = 1 ]; then + mkdir -p $SPLUNK_HOME/etc/licenses/enterprise/ + chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION - mkdir -p /opt/splunk/etc/licenses/enterprise/ - mv /etc/splunk/splunk.license /opt/splunk/etc/licenses/enterprise/splunk.license fi - mkdir -p $SPLUNK_HOME/etc/licenses/enterprise - chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise - mv /etc/splunk/splunk.license $SPLUNK_HOME/etc/licenses/enterprise/ - # Increase splunkweb connection timeout with splunkd mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <> /etc/hosts hostname splunk-shc-deployer 
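Review bot: The new `base` function still bootstraps Splunk with `SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)` and `SPLUNK_ENABLE_SERVICE=true`, so until the restart at the end of `base` applies user-seed.conf the admin credential can be derived from the instance ID, which is not a secret. A throwaway random value, e.g. `SPLUNK_PASSWORD=$(openssl rand -hex 16)`, closes that window without changing the later seed step. If the `mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak` step from the removed top-level code is kept inside `base` (that part of the hunk is cut off in this rendering), the backup retains the hash of the predictable password and should be deleted once the seeded password is active.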
@@ -337,6 +347,9 @@ end ## splunk single search head function splunk_single_sh { + # execute base install and configuration + base + # sleep 20 seconds to make sure Splunk has restarted before applying the configuration echo "#### sleeping" sleep 20 From b91040e78e5c182f3b0c14b3e1704b0fc4b671e8 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Mon, 13 Jul 2020 09:28:56 -0700 Subject: [PATCH 20/47] changed location that splunk license installs to previously, it wrote to /etc/splunk/splunk.license and then the user_data script moved it. that seems unnecessary, so I'm having cloudformation write directly to the appropriate directory. --- templates/splunk-enterprise-ss.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 8181f41..e6de01b 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template @@ -930,7 +930,7 @@ { "config": { "files": { - "/etc/splunk/splunk.license": { + "/opt/splunk/etc/licenses/enterprise/splunk.license": { "source": { "Fn::If": [ "ConfigureLicense", From 555c1ac57d2961cc9296166a65f6af05de9d8b6b Mon Sep 17 00:00:00 2001 From: billbartlett Date: Thu, 16 Jul 2020 10:17:01 -0700 Subject: [PATCH 21/47] changed minimum indexer count to 4 instead of 3 the minimum number of indexers in an AZ must be at least as large as the replication factor. since we're using RF = 2, and a default minimum of 2 AZ, there must be at least 4 indexers in total - 2 in each AZ. --- templates/splunk-enterprise-master-ss.template | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index 63dd887..ac25288 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template 
@@ -148,11 +148,11 @@ "Type": "String" }, "SplunkIndexerCount": { - "ConstraintDescription": "must be a valid number, 3-10", - "Default": "3", - "Description": "How many Splunk indexers to launch. [3-10]", + "ConstraintDescription": "must be a valid number, 4-10", + "Default": "4", + "Description": "How many Splunk indexers to launch. [4-10]", "MaxValue": "10", - "MinValue": "3", + "MinValue": "4", "Type": "Number" }, "SplunkIndexerDiskSize": { From 56cdbf7cd6806277ef8354f45db42f75d1ad48ec Mon Sep 17 00:00:00 2001 From: billbartlett Date: Thu, 16 Jul 2020 10:18:23 -0700 Subject: [PATCH 22/47] migrated search head cluster logic to user_data.sh --- scripts/user_data.sh | 130 +++++-- templates/splunk-enterprise-ss.template | 447 ++++++------------------ 2 files changed, 208 insertions(+), 369 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index f98c120..1ef60f9 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -32,11 +32,6 @@ function base # run the ansible manually (cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml") - # start splunk for initialization, and then stop to make edits. - #/bin/systemctl start Splunkd - #/bin/systemctl stop Splunkd - # $SPLUNK_BIN stop - # update cfn package yum update -y aws-cfn-bootstrap @@ -87,7 +82,7 @@ function splunk_cm printf '%s\t%s\n' "$LOCALIP" 'splunklicense' >> /etc/hosts hostname splunklicense - #- for the CM, we can't reference CM_PRIVATE_IP in the CloudFormation UserData like + #- for the CM, we can't reference CM_PRIVATEIP in the CloudFormation UserData like #- we do in the other resources because the CM hasn't been created yet. To keep the #- syntax consistent across each resource in user_data.sh, export $CM_PRIVATEIP to #- the CM's local ip address 
@@ -128,7 +123,9 @@ end chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated $SPLUNK_BIN restart - sleep 10 + # sleep 20 seconds to make sure Splunk has restarted before applying the configuration + echo "#### sleeping" + sleep 20 # log in to splunk to execute several commands without requiring -auth sudo -u $SPLUNK_USER $SPLUNK_BIN login -auth admin:$ADMIN_PASSWORD 
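Review bot: The fixed `sleep 20` after `$SPLUNK_BIN restart` is a guess at how long splunkd needs, so the following `login -auth` step can still run before the management port answers, or wait longer than necessary. A bounded wait on port 8089 is more dependable: `for i in $(seq 1 30); do (echo > /dev/tcp/127.0.0.1/8089) 2>/dev/null && break; sleep 2; done`. The same pattern recurs in the later hunks that add `sleep 10` before `edit cluster-config` in `splunk_indexer` and after the deployer restart. The enclosing function starts outside this hunk.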
@@ -234,8 +231,87 @@ function splunk_cluster_sh { # execute base install and configuration - #base - echo; + + # the splunk cluster in quickstart is a pre-defined 3 nodes. + # verify that the argument passed is 1, 2, or 3 + + if [[ "$1" =~ ^[1-3]$ ]] + then + base + num=$1 + + # if this is a 3AZ deployment, place the third search head in site3. + # if not, place the third search head in site1. + # in all cases searchhead1 is site1, and searchhead2 is site2 + + if [ $THREEAZ -eq 0 ] && [ $num -eq 3 ] + then + sitenum="site1" + else + sitenum="site$num" + fi + + export RESOURCE="SplunkSHCMember$num" + + printf '%s\t%s\n' \"$LOCALIP\" \"splunksearch-$num\" >> /etc/hosts + hostname "splunksearch-$num" + + # set splunk servername + sudo -u $SPLUNK_USER $SPLUNK_BIN set servername SHC$num + + # Increase splunkweb connection timeout with splunkd + cat >$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf < Date: Thu, 23 Jul 2020 10:34:12 -0700 Subject: [PATCH 23/47] updated functionality for clustered search heads --- scripts/user_data.sh | 53 ++++++++++++++++--------- templates/splunk-enterprise-ss.template | 36 ++--------------- 2 files changed, 37 insertions(+), 52 deletions(-) 
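Review bot: The added `printf '%s\t%s\n' \"$LOCALIP\" \"splunksearch-$num\" >> /etc/hosts` keeps the backslash-escaped quotes from the JSON template, and in a plain shell script they are written literally, so `/etc/hosts` receives an entry with quote characters around the address and the name. The cluster-master function in this same file writes its entry with ordinary quoting, and this line should match it: `printf '%s\t%s\n' "$LOCALIP" "splunksearch-$num" >> /etc/hosts`. The unquoted test `[ $THREEAZ -eq 0 ]` also fails with a syntax error if `THREEAZ` is unset; `[ "${THREEAZ:-0}" -eq 0 ]` avoids that. The here-document contents of this function are not legible on this page, so the rest of the body was not reviewed.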
diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 1ef60f9..09fb92f 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -67,7 +67,7 @@ function restart_signal #### end universal config ##### -#### start user data functions +#### start role-specific functions ##### ### @@ -151,7 +151,9 @@ end printf "** create HEC token\t" && date # generate the config file and HEC token - sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector enable -uri https://localhost:8089 + sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector enable \ + -uri https://localhost:8089 + sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector create default-token \ -uri https://localhost:8089 > /tmp/token TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token 
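Review bot: In the HEC hunk the new token is still redirected to the fixed path `/tmp/token` and read back with `sed`, so the credential sits in a predictable file in a world-writable directory, and the file is left behind if the `sed` step fails because `rm` is chained with `&&`. Piping the output straight into the variable removes the file altogether: `TOKEN=$(sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector create default-token -uri https://localhost:8089 | sed -n 's/\\ttoken=//p')`. If an intermediate file is really needed, create it with `mktemp` under a restrictive umask. The enclosing function begins and ends outside this hunk.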
@@ -283,14 +285,25 @@ end -master_uri https://$CM_PRIVATEIP:8089 # configure searchhead cluster + echo "### setup splunk search head cluster" + echo "### sudo -u $SPLUNK_USER $SPLUNK_BIN init shcluster-config -mgmt_uri https://$LOCALIP:8089 -replication_port 8090 -replication_factor $SH_REPLICATION_FACTOR -conf_deploy_fetch_url https://$SH_DEPLOYER_IP:8089 \ -shcluster_label SplunkSHC -secret $SPLUNK_CLUSTER_SECRET" + sudo -u $SPLUNK_USER $SPLUNK_BIN init shcluster-config \ - -mgmt_uri https://$LOCALIP:8089 -replication_port 8090 \ + -auth admin:$ADMIN_PASSWORD \ + -mgmt_uri https://$LOCALIP:8089 \ + -replication_port 8090 \ -replication_factor $SH_REPLICATION_FACTOR \ -conf_deploy_fetch_url https://$SH_DEPLOYER_IP:8089 \ - -shcluster_label SplunkSHC \ + -shcluster_label SplunkSHC\ -secret $SPLUNK_CLUSTER_SECRET - sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode searchhead \ + $SPLUNK_BIN restart + sleep 10 + + echo "### sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode searchhead -site $sitenum -master_uri https://$CM_PRIVATEIP:8089 -secret $SPLUNK_CLUSTER_SECRET" + + sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config \ + -mode searchhead \ -site $sitenum \ -master_uri https://$CM_PRIVATEIP:8089 \ -secret $SPLUNK_CLUSTER_SECRET 
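Review bot: The two added `echo "### sudo -u ..."` lines print the fully expanded command, including `-secret $SPLUNK_CLUSTER_SECRET`, so the cluster secret is copied into whatever captures this script's output (for EC2 user data that is normally the cloud-init output log; worth confirming for this image). Log the step without the value, e.g. `echo "### init shcluster-config on $LOCALIP (secret not logged)"`, and do the same for the `edit cluster-config` echo. The added `-auth admin:$ADMIN_PASSWORD` also places the admin password in the process argument list for the duration of the call; the cluster-master function uses a one-time `login -auth` step, which may be reusable here, but whether a session exists at this point is not visible in the hunk.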
@@ -300,12 +313,16 @@ end # searchhead3 will be bootstrapped as the first searchhead cluster captain. if [ $num -eq 3 ] then + echo "### setup splunk search head captain" + export SH3_IP=$LOCALIP + + echo "### sudo -u $SPLUNK_USER $SPLUNK_BIN bootstrap shcluster-captain -servers_list https://$SH1_IP:8089,https://$SH2_IP:8089,https://$SH3_IP:8089" + sudo -u $SPLUNK_USER $SPLUNK_BIN bootstrap shcluster-captain \ - -servers_list https://$SH1_IP:8089,https://$SH2_IP:8089,https://$SH3_IP:8089 + -servers_list https://$SH1_IP:8089,https://$SH2_IP:8089,https://$SH3_IP:8089 \ + -auth admin:$ADMIN_PASSWORD fi - restart_signal - else echo "Incorrect value passed. \"$1\" is not 1, 2, or 3." # communicate back to CloudFormation the status of the instance creation @@ -356,7 +373,6 @@ end [indexer_discovery:cluster_master] pass4SymmKey = $SYMMKEY - master_uri = https://$CM_PRIVATEIP:8089 end @@ -387,16 +403,14 @@ end #- set ownership chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps - $SPLUNK_BIN start + $SPLUNK_BIN restart sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave \ - -master_uri https://$CM_PRIVATEIP:8089 -auth admin:$ADMIN_PASSWORD + -master_uri https://$CM_PRIVATEIP:8089 \ + -auth admin:$ADMIN_PASSWORD sudo -u $SPLUNK_USER $SPLUNK_BIN apply shcluster-bundle -action stage --answer-yes - $SPLUNK_BIN restart - restart_signal - } ## splunk single search head @@ -453,8 +467,12 @@ end printf "#### clustering setup\t " && date # configure communication to the splunk indexer cluster - sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -secret $SPLUNK_CLUSTER_SECRET \ - -mode searchhead -site site1 -master_uri https://$CM_PRIVATEIP:8089 -auth admin:$ADMIN_PASSWORD + sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config \ + -secret $SPLUNK_CLUSTER_SECRET \ + -mode searchhead \ + -site site1 \ + -master_uri https://$CM_PRIVATEIP:8089 \ + -auth admin:$ADMIN_PASSWORD # install search head apps, if appropriate if [ $INSTALL_SH_APPS = 1 ]; 
@@ -482,9 +500,6 @@ end restart_signal } - - - case "$1" in "single_sh") splunk_single_sh diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 0cac566..ad36a50 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template @@ -1278,7 +1278,6 @@ }, "SplunkSHCMember1": { "Type": "AWS::EC2::Instance", - "DependsOn": "SplunkSHCDeployer", "Condition": "CreateSHC", "CreationPolicy": { "ResourceSignal": { @@ -1377,11 +1376,7 @@ "export THREEAZ=\"", { - "Fn::If": [ - "Create3AZ", - "1", - "0" - ] + "Fn::If": ["Create3AZ", "1", "0"] }, "\"\n", @@ -1404,7 +1399,6 @@ }, "SplunkSHCMember2": { "Type": "AWS::EC2::Instance", - "DependsOn": "SplunkSHCMember1", "Condition": "CreateSHC", "CreationPolicy": { "ResourceSignal": { @@ -1503,11 +1497,7 @@ "export THREEAZ=\"", { - "Fn::If": [ - "Create3AZ", - "1", - "0" - ] + "Fn::If": ["Create3AZ", "1", "0"] }, "\"\n", @@ -1530,7 +1520,6 @@ }, "SplunkSHCMember3": { "Type": "AWS::EC2::Instance", - "DependsOn": "SplunkSHCMember2", "Condition": "CreateSHC", "CreationPolicy": { "ResourceSignal": { @@ -1637,11 +1626,7 @@ "export THREEAZ=\"", { - "Fn::If": [ - "Create3AZ", - "1", - "0" - ] + "Fn::If": ["Create3AZ", "1", "0"] }, "\"\n", @@ -1672,21 +1657,6 @@ }, "\" \n", - "export SH3_IP=\"", - { - "Fn::GetAtt": [ - "SplunkSHCMember3", - "PrivateIp" - ] - }, - "\" \n", - - " -auth admin:", - { - "Ref": "SplunkAdminPassword" - }, - "\n", - "# download user_data script\n", "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", "/tmp/user_data.sh cluster_sh 3 && rm -f /tmp/user_data.sh\n" From 0913c16aad234d077423abf89b1d2d7ffdab0c41 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Thu, 23 Jul 2020 13:13:51 -0700 Subject: [PATCH 24/47] migrated indexer cluster to user_data.sh --- scripts/user_data.sh | 86 +++++++++++++- templates/splunk-enterprise-ss.template | 148 +++--------------------- 2 files changed, 97 insertions(+), 137 deletions(-) 
diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 09fb92f..61fdc12 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -221,12 +221,92 @@ end } -function indexer +function splunk_indexer { # execute base install and configuration - #base - echo; + base + + #variables + export INSTANCE_MAC_ADDR=$(curl -s http://169.254.169.254/latest/meta-data/mac) + export INSTANCE_SUBNET_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$INSTANCE_MAC_ADDR/subnet-id) + export RESOURCE="SplunkIndexerNodesASG" + + # Configure smartstore as if it were a bundle already pushed by the CM. + # set SmartStore for all indexes except _internal, _introspection, etc. + + mkdir -p $SPLUNK_HOME/etc/slave-apps/_cluster/local + touch $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf + + cat >> $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf << end + [default] + repFactor = auto + remotePath = volume:remote_store/splunk_db/$_index_name + coldPath=$SPLUNK_DB/$_index_name/colddb + thawedPath=$SPLUNK_DB/$_index_name/thaweddb +end + + cat >>$SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/system/local/server.conf <>$SPLUNK_HOME/etc/system/local/user-seed.conf <> $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf\n", - "cat >>$SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/system/local/server.conf < Date: Thu, 23 Jul 2020 15:25:27 -0700 Subject: [PATCH 25/47] added sleep to ensure splunkd is fully up before editing cluster config --- scripts/user_data.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 61fdc12..2c9c913 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh 
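Review bot: The first added here-document uses an unquoted delimiter (`<< end`), so the shell expands `$_index_name` and `$SPLUNK_DB` before the text reaches `indexes.conf`. `$_index_name` is not set anywhere visible, which would leave `remotePath = volume:remote_store/splunk_db/` and cold/thawed paths without the per-index component that Splunk is meant to substitute itself. Quote the delimiter for this block, `cat >> $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf << 'end'`, and keep unquoted delimiters only for blocks that need shell values. The remaining here-documents in `splunk_indexer` are not legible on this page, so they were not checked.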
@@ -223,7 +223,6 @@ end function splunk_indexer { - # execute base install and configuration base @@ -257,6 +256,7 @@ end chown -R splunk:splunk $SPLUNK_HOME/etc/slave-apps/_cluster/ $SPLUNK_BIN restart + # set splunk server name to local hostname. sudo -u $SPLUNK_USER $SPLUNK_BIN set servername $HOSTNAME -auth admin:$ADMIN_PASSWORD @@ -298,6 +298,9 @@ end esac + # sleep to ensure splunkd is up before modifying cluster config + sleep 10 + sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode slave \ -site $site \ -master_uri https://$CM_PRIVATEIP:8089 \ From e441d9af81f9569089d00fc247fdc5c49e70792c Mon Sep 17 00:00:00 2001 From: billbartlett Date: Thu, 23 Jul 2020 15:49:40 -0700 Subject: [PATCH 26/47] updated instance types --- templates/splunk-enterprise-master-ss.template | 18 ++++++------------ templates/splunk-enterprise-ss.template | 18 ++++++------------ 2 files changed, 12 insertions(+), 24 deletions(-) diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index ac25288..6cdb30b 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template @@ -35,12 +35,9 @@ }, "IndexerInstanceType": { "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "m4.2xlarge", - "m4.4xlarge", - "m4.10xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.10xlarge", "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", @@ -56,12 +53,9 @@ }, "SearchHeadInstanceType": { "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "r4.4xlarge", - "r4.8xlarge", - "r4.16xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.16xlarge", "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 6c385a3..71f3506 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template 
@@ -20,12 +20,9 @@ }, "IndexerInstanceType": { "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "m4.2xlarge", - "m4.4xlarge", - "m4.10xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.10xlarge", "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", @@ -41,12 +38,9 @@ }, "SearchHeadInstanceType": { "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "r4.4xlarge", - "r4.8xlarge", - "r4.16xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.16xlarge", "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", From 201f4a46a0c96a1001f0e35f247924ed2a72af26 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Mon, 14 Sep 2020 12:27:14 -0700 Subject: [PATCH 27/47] clean up instance type selection, and add nvme drive setup code for i3 indexers --- scripts/user_data.sh | 83 +++++++++++++++++++ .../splunk-enterprise-master-ss.template | 12 +-- templates/splunk-enterprise-ss.template | 12 +-- 3 files changed, 95 insertions(+), 12 deletions(-) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 2c9c913..abb51d5 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh 
@@ -70,6 +70,85 @@ function restart_signal #### start role-specific functions ##### +### +# setup nvme drives for i3 indexers +function nvme_setup +{ + # first, determine the instance type. + ec2_type=$(curl -s http://169.254.169.254/latest/meta-data/instance-type) + + # this script is intended to run on i3* instance types. + if [[ "$ec2_type" != *"i3"* ]] + then + return 0 + fi + + # find the attached nvme drives. lsblk could work here, but utilizing the nvme-list utility due to + # json formatting and simpler parsing. install the nvme-cli and jq packages to accomplish this. + yum -y install nvme-cli jq >/dev/null + + # save the nvme drive information to a temp file for parsing + nvme list --output-format=json > /tmp/nvme_drive.json + + # declare the nvme device array + declare -a nvme_devices + unset nvme_devices + + for nvme_device in $(jq '.Devices[] | .DevicePath' /tmp/nvme_drive.json) + do + # test to ensure that the storage device is instance storage. in testing, I have + # seen EBS volues show as NVME. this logic will ensure attached EBS devices are not + # added to the nvme raid0 + nvme_model_type=$(jq -r '.Devices[] | select(.DevicePath=='$nvme_device') | .ModelNumber' /tmp/nvme_drive.json) + if [[ $nvme_model_type = *"NVMe Instance Storage"* ]] + then + # unfortunate 'hack' here to remove the quotes from the device name. without them, the jq lookup + # will fail in the previous step. however, they need to be removed for the md raid creation later. + # additionally, since there needs to be a space between device names for the md create, convert + # quotes to spaces, and remove leading space. this leaves "$nvme_device " (note trailing space) + # stored in the array. 
this will allow for simply using the contents of the array as an argument for + # building the raid0 device + nvme_device=$(echo $nvme_device|sed 's/"/ /g'| sed 's/^ //g') + + # save device list in nvme_devices array + nvme_devices+=("$nvme_device") + else + # if the nvme model type is not instance storage, continue to the next iteration of the loop + continue + fi + done + + + # name of the raid device to create + raid_device="/dev/md0" + + # mount point of the raid device + raid_mount="/opt/splunk" + + # make directory for mount point + mkdir -p $raid_mount + + # create the raid device + mdadm --create $raid_device --level=raid0 --raid-devices=${#nvme_devices[@]} ${nvme_devices[@]} + + # create filesystem on raid device + if [ ${#nvme_devices[@]} -eq 1 ] + then + discardOption="" + else + discardOption="-E nodiscard" + fi + + mkfs.ext4 -m 2 -F -F ${discardOption} $raid_device + + # add entry to fstab for mounting on reboot + echo "$raid_device $raid_mount auto defaults,nofail,noatime 0 2" >>/etc/fstab + + # mount device + mount $raid_device + +} + ### # Splunk Cluster Master / License Master ### @@ -223,6 +302,10 @@ end function splunk_indexer { + # run through setting up nvme raid device. + # if the indexer is not an i3, the function immediately exits and continues to base config as normal + nvme_setup + # execute base install and configuration base diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template index 6cdb30b..9e2c4fe 100644 --- a/templates/splunk-enterprise-master-ss.template +++ b/templates/splunk-enterprise-master-ss.template 
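Review bot: `mdadm --create` runs even when the loop found no device whose model matches "NVMe Instance Storage", in which case `${#nvme_devices[@]}` is 0 and the command is called with no member devices before `mkfs.ext4 -F -F` and the fstab append. A guard before the RAID step makes that outcome explicit: `[ ${#nvme_devices[@]} -gt 0 ] || { echo "nvme_setup: no instance-store devices found" >&2; return 1; }`. The instance type also comes from an unchecked `curl -s` against the metadata service, so an empty response silently skips the setup. The device path is spliced into the jq program text; passing it with `--arg` and reading the list with `jq -r` would remove the quote-stripping `sed` step.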
@@ -35,16 +35,16 @@ }, "IndexerInstanceType": { "AllowedValues": [ - "m5.2xlarge", "m5.4xlarge", - "m5.10xlarge", - "c5.2xlarge", + "m5.8xlarge", "c5.4xlarge", "c5.9xlarge", "c5.18xlarge", - "i3.2xlarge", "i3.4xlarge", - "i3.8xlarge" + "i3.8xlarge", + "i3en.3xlarge", + "i3en.6xlarge", + "i3en.12xlarge" ], "Description": "EC2 instance type for Splunk Indexers", "ConstraintDescription": "must be a valid EC2 instance type.", @@ -56,11 +56,11 @@ "r5.4xlarge", "r5.8xlarge", "r5.16xlarge", - "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", "m5.2xlarge", "m5.4xlarge", + "m5.8xlarge", "m5.12xlarge" ], "Description": "EC2 instance type for Splunk Search Heads", diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template index 71f3506..e6a0e67 100644 --- a/templates/splunk-enterprise-ss.template +++ b/templates/splunk-enterprise-ss.template @@ -20,16 +20,16 @@ }, "IndexerInstanceType": { "AllowedValues": [ - "m5.2xlarge", "m5.4xlarge", - "m5.10xlarge", - "c5.2xlarge", + "m5.8xlarge", "c5.4xlarge", "c5.9xlarge", "c5.18xlarge", - "i3.2xlarge", "i3.4xlarge", - "i3.8xlarge" + "i3.8xlarge", + "i3en.3xlarge", + "i3en.6xlarge", + "i3en.12xlarge" ], "Description": "EC2 instance type for Splunk Indexers", "ConstraintDescription": "must be a valid EC2 instance type.", @@ -41,11 +41,11 @@ "r5.4xlarge", "r5.8xlarge", "r5.16xlarge", - "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", "m5.2xlarge", "m5.4xlarge", + "m5.8xlarge", "m5.12xlarge" ], "Description": "EC2 instance type for Splunk Search Heads", From 7ec5120c8133f1d543dba41bf4976b7f8ce41e6d Mon Sep 17 00:00:00 2001 From: billbartlett Date: Tue, 13 Oct 2020 08:44:14 -0700 Subject: [PATCH 28/47] Update user_data.sh added sleep in the deployer after restart. this allows for splunk to be fully restarted before issuing splunk cli commands that would fail because the REST endpoint wasn't yet responding. --- scripts/user_data.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/scripts/user_data.sh b/scripts/user_data.sh index abb51d5..f6c0bc9 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -xe #### start universal functions function base @@ -464,7 +464,7 @@ end -secret $SPLUNK_CLUSTER_SECRET $SPLUNK_BIN restart - sleep 10 + sleep 20 echo "### sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode searchhead -site $sitenum -master_uri https://$CM_PRIVATEIP:8089 -secret $SPLUNK_CLUSTER_SECRET" @@ -570,6 +570,8 @@ end chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps $SPLUNK_BIN restart + sleep 10 + sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave \ -master_uri https://$CM_PRIVATEIP:8089 \ -auth admin:$ADMIN_PASSWORD From 1d06a4129d0fc7bdf3ffb5b9698d8d19704b3086 Mon Sep 17 00:00:00 2001 From: billbartlett Date: Tue, 13 Oct 2020 08:44:48 -0700 Subject: [PATCH 29/47] initial commit of YAML conversion converted the JSON templates to YAML, which is now required for the quickstart repo. --- templates/splunk-enterprise-master-ss.yaml | 364 +++++++ templates/splunk-enterprise-ss.yaml | 1107 ++++++++++++++++++++ 2 files changed, 1471 insertions(+) create mode 100644 templates/splunk-enterprise-master-ss.yaml create mode 100644 templates/splunk-enterprise-ss.yaml diff --git a/templates/splunk-enterprise-master-ss.yaml b/templates/splunk-enterprise-master-ss.yaml new file mode 100644 index 0000000..aa41feb --- /dev/null +++ b/templates/splunk-enterprise-master-ss.yaml 
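Review bot: Adding `-x` to the shebang makes bash trace every command after expansion, so each `-auth admin:$ADMIN_PASSWORD` and `-secret $SPLUNK_CLUSTER_SECRET` call in this script is written in clear text to stderr, which for user data normally ends up in the instance's cloud-init output log (confirm where this image sends it). I would keep `-e` and drop `-x`, i.e. `#!/bin/bash -e`, or enable tracing only around sections that handle no credentials with `set -x` / `set +x`. `-e` changes behaviour too: any CLI call that fails because splunkd is not yet answering now aborts the run, so the fixed `sleep 20` and `sleep 10` adjusted in the other two hunks become load-bearing.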
@@ -0,0 +1,364 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Splunk deployment with indexer, search head clustering and cluster master. +Parameters: + AvailabilityZones: + Description: List of Availability Zones to use for the subnets in the VPC (logical order preserved). This must match the Number of Availability Zones parameter value. + Type: List + NumberOfAZs: + AllowedValues: + - '2' + - '3' + Default: '2' + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: String + WebClientLocation: + Default: '0.0.0.0/0' + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. + Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' + MaxLength: '19' + MinLength: '9' + Type: String + HECClientLocation: + Default: '0.0.0.0/0' + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. + Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' + MaxLength: '19' + MinLength: '9' + Type: String + IndexerInstanceType: + AllowedValues: + - m5.4xlarge + - m5.8xlarge + - c5.4xlarge + - c5.9xlarge + - c5.18xlarge + - i3.4xlarge + - i3.8xlarge + - i3en.3xlarge + - i3en.6xlarge + - i3en.12xlarge + Description: EC2 instance type for Splunk Indexers + ConstraintDescription: must be a valid EC2 instance type. 
+ Default: c5.4xlarge + Type: String + SearchHeadInstanceType: + AllowedValues: + - r5.4xlarge + - r5.8xlarge + - r5.16xlarge + - c5.4xlarge + - c5.9xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + Description: EC2 instance type for Splunk Search Heads + ConstraintDescription: must be a valid EC2 instance type. + Default: c5.4xlarge + Type: String + IndexerApps: + Description: Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s) + Default: '' + Type: CommaDelimitedList + SearchHeadApps: + Description: Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s) + Default: '' + Type: CommaDelimitedList + KeyName: + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + Description: Name of an existing EC2 KeyPair to enable SSH access to the instance + Type: AWS::EC2::KeyPair::KeyName + PublicSubnet1CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. + Default: 10.0.1.0/24 + Description: The address space that will be assigned to the first Splunk server subnet. (x.x.x.x/x notation) + Type: String + PublicSubnet2CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x + Default: 10.0.2.0/24 + Description: The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation) + Type: String + PublicSubnet3CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. 
+ Default: 10.0.3.0/24 + Description: The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation) + Type: String + QSS3BucketName: + Description: S3 bucket name for the Quick Start assets. + Default: splk-quickstart-testing + Type: String + QSS3KeyPrefix: + Default: quickstart-splunk-enterprise/ + Description: S3 key prefix for the Quick Start assets. + Type: String + SHCEnabled: + AllowedValues: + - 'yes' + - 'no' + Default: 'no' + Description: Do you want to build a Splunk search head cluster? + Type: String + SSHClientLocation: + Default: '0.0.0.0/0' + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. + Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' + MaxLength: '19' + MinLength: '9' + Type: String + SplunkAdminPassword: + AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* + ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols. + Description: Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols + MaxLength: '32' + MinLength: '6' + NoEcho: 'true' + Type: String + SplunkIndexerCount: + ConstraintDescription: must be a valid number, 4-10 + Default: '4' + Description: How many Splunk indexers to launch. [4-10] + MaxValue: '10' + MinValue: '4' + Type: Number + SplunkIndexerDiskSize: + ConstraintDescription: must be a valid number, 320-16000 + Default: '320' + Description: The size of the attached EBS volume to the Splunk indexers. 
(in GB) + MaxValue: '16000' + MinValue: '320' + Type: Number + SplunkSearchHeadDiskSize: + ConstraintDescription: must be a valid number, 320-16000 + Default: '320' + Description: The size of the attached EBS volume to the Splunk search head(s). (in GB) + MaxValue: '16000' + MinValue: '320' + Type: Number + SplunkLicenseBucket: + Default: splk-quickstart-testing + Description: Name of private S3 bucket with licenses to be accessed via authenticated requests + Type: String + SplunkLicensePath: + Default: license/splunk.license + Description: Path to license file in S3 Bucket (without leading '/') + Type: String + SplunkReplicationFactor: + ConstraintDescription: must be a valid number, 2-4 + Default: '2' + Description: How many copies of data should be stored in the Splunk Indexer Cluster + MaxValue: '4' + MinValue: '2' + Type: Number + SplunkSearchFactor: + ConstraintDescription: must be a valid number, 2-4 + Default: '2' + Description: How many copies of data should be searchable in the Splunk indexer clusters + MaxValue: '4' + MinValue: '2' + Type: Number + SplunkClusterSecret: + AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* + ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols. + Description: Shared cluster secret for Search Head and Indexer clusters. Must be at least 8 characters containing letters, numbers and symbols. + MaxLength: '32' + MinLength: '6' + NoEcho: 'true' + Type: String + SplunkIndexerDiscoverySecret: + AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* + ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols. 
+ Description: Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols. + MaxLength: '32' + MinLength: '8' + NoEcho: 'true' + Type: String + VPCCIDR: + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. + Default: 10.0.0.0/16 + Description: The address space that will be assigned to the entire VPC where Splunk will reside. (Recommend at least a /16) + MaxLength: '19' + MinLength: '9' + Type: String + SmartStoreBucketName: + Default: bbartlett-smartstore-testing + Description: Name of bucket that will be created for SmartStore storage + Type: String +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: AWS Instance and Network Settings + Parameters: + - IndexerInstanceType + - SearchHeadInstanceType + - KeyName + - WebClientLocation + - HECClientLocation + - SSHClientLocation + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - Label: + default: Splunk Settings + Parameters: + - SplunkAdminPassword + - SplunkClusterSecret + - SplunkIndexerDiscoverySecret + - SplunkLicenseBucket + - SplunkLicensePath + - SplunkIndexerCount + - SplunkIndexerDiskSize + - SplunkSearchHeadDiskSize + - SplunkReplicationFactor + - SplunkSearchFactor + - SmartStoreBucketName + - SHCEnabled + - IndexerApps + - SearchHeadApps + - Label: + default: AWS Quick Start Configuration + Parameters: + - QSS3BucketName + - QSS3KeyPrefix + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of Availability Zones + WebClientLocation: + default: Permitted CIDR for Splunk web interface + HECClientLocation: + default: Permitted CIDR for Splunk HTTP event 
collector input + IndexerInstanceType: + default: EC2 instance type for Splunk indexer + SearchHeadInstanceType: + default: EC2 instance type for Splunk search head + KeyName: + default: Key Name + PublicSubnet1CIDR: + default: Public Subnet 1 CIDR + PublicSubnet2CIDR: + default: Public Subnet 2 CIDR + PublicSubnet3CIDR: + default: Public Subnet 3 CIDR + QSS3BucketName: + default: QuickStart S3 Bucket Name + QSS3KeyPrefix: + default: QuickStart S3 Key Prefix + SHCEnabled: + default: Enable Search Head Cluster? + SSHClientLocation: + default: Permitted CIDR for ssh + SplunkAdminPassword: + default: Splunk Admin Password + SplunkIndexerCount: + default: No. of Splunk Indexers + SplunkIndexerDiskSize: + default: Indexer Disk Size + SplunkLicenseBucket: + default: Splunk License Bucket + SplunkLicensePath: + default: Splunk License S3 Bucket Path + SplunkReplicationFactor: + default: Index Cluster Replication Factor + SplunkSearchFactor: + default: Index Cluster Search Factor + SmartStoreBucketName: + default: Name of bucket that will be created for SmartStore storage + SplunkClusterSecret: + default: Shared Security Key for Cluster Nodes + SplunkIndexerDiscoverySecret: + default: Shared Security Key for Forwarders using Indexer Discovery + IndexerApps: + default: Apps/Add-ons to pre-Install on Splunk Indexers + SearchHeadApps: + default: Apps/Add-ons to pre-Install on Splunk Search Heads + VPCCIDR: + default: VPC CIDR +Conditions: + Create3AZ: !Equals + - !Ref 'NumberOfAZs' + - '3' +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template' + Parameters: + AvailabilityZones: !Join + - ',' + - !Ref 'AvailabilityZones' + CreatePrivateSubnets: 'false' + KeyPairName: !Ref 'KeyName' + NumberOfAZs: !Ref 'NumberOfAZs' + PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR' + PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR' + 
PublicSubnet3CIDR: !Ref 'PublicSubnet3CIDR' + VPCCIDR: !Ref 'VPCCIDR' + TimeoutInMinutes: 15 + SplunkStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise-ss.yaml' + Parameters: + VPCID: !GetAtt 'VPCStack.Outputs.VPCID' + VPCCIDR: !GetAtt 'VPCStack.Outputs.VPCCIDR' + PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID' + PublicSubnet2ID: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID' + PublicSubnet3ID: !If + - Create3AZ + - !GetAtt 'VPCStack.Outputs.PublicSubnet3ID' + - !GetAtt 'VPCStack.Outputs.PublicSubnet2ID' + NumberOfAZs: !Ref 'NumberOfAZs' + IndexerInstanceType: !Ref 'IndexerInstanceType' + SearchHeadInstanceType: !Ref 'SearchHeadInstanceType' + SplunkAdminPassword: !Ref 'SplunkAdminPassword' + SplunkClusterSecret: !Ref 'SplunkClusterSecret' + SplunkIndexerDiscoverySecret: !Ref 'SplunkIndexerDiscoverySecret' + SplunkLicenseBucket: !Ref 'SplunkLicenseBucket' + SplunkLicensePath: !Ref 'SplunkLicensePath' + KeyName: !Ref 'KeyName' + SSHClientLocation: !Ref 'SSHClientLocation' + HECClientLocation: !Ref 'HECClientLocation' + WebClientLocation: !Ref 'WebClientLocation' + SplunkIndexerCount: !Ref 'SplunkIndexerCount' + SHCEnabled: !Ref 'SHCEnabled' + SplunkIndexerDiskSize: !Ref 'SplunkIndexerDiskSize' + SmartStoreBucketName: !Ref 'SmartStoreBucketName' + SplunkReplicationFactor: !Ref 'SplunkReplicationFactor' + IndexerApps: !Join + - ',' + - !Ref 'IndexerApps' + SearchHeadApps: !Join + - ',' + - !Ref 'SearchHeadApps' + TimeoutInMinutes: 60 +Outputs: + SearchHeadURL: + Description: Splunk Enterprise - Search Head URL + Value: !GetAtt 'SplunkStack.Outputs.SearchHeadURL' + ClusterMasterURL: + Description: Splunk Enterprise - Cluster Master URL + Value: !GetAtt 'SplunkStack.Outputs.ClusterMasterURL' + ClusterMasterManagementURL: + Description: Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery) + Value: !GetAtt 
'SplunkStack.Outputs.ClusterMasterManagementURL' + DeployerURL: + Description: Splunk Enterprise - Search Head Cluster Deployer URL + Value: !GetAtt 'SplunkStack.Outputs.DeployerURL' + HttpEventCollectorURL: + Description: HTTP Event Collector URL + Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorURL' + HttpEventCollectorToken: + Description: HTTP Event Collector Token + Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorToken' diff --git a/templates/splunk-enterprise-ss.yaml b/templates/splunk-enterprise-ss.yaml new file mode 100644 index 0000000..e879e1c --- /dev/null +++ b/templates/splunk-enterprise-ss.yaml 
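Review bot: `WebClientLocation`, `HECClientLocation` and `SSHClientLocation` now carry `Default: '0.0.0.0/0'`, whereas the JSON master template at the start of this patch series declares the web and HEC parameters without a default. With these defaults a stack launched without edits allows Splunk Web, HEC and SSH from any source address; I would drop the three `Default` lines so the operator has to enter a range. Separately, `SplunkAdminPassword` and `SplunkClusterSecret` describe "at least 8 characters" but enforce `MinLength: '6'` and `{6,255}` in the pattern; `MinLength: '8'` and `{8,255}` would match the description.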
@@ -0,0 +1,1107 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: 'Splunk deployment with indexer, search head clustering and cluster master. QS(5030)' +Parameters: + WebClientLocation: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.' + Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' + MaxLength: '19' + MinLength: '9' + Type: String + HECClientLocation: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.' + Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' + MaxLength: '19' + MinLength: '9' + Type: String + IndexerInstanceType: + AllowedValues: + - m5.4xlarge + - m5.8xlarge + - c5.4xlarge + - c5.9xlarge + - c5.18xlarge + - i3.4xlarge + - i3.8xlarge + - i3en.3xlarge + - i3en.6xlarge + - i3en.12xlarge + Description: 'EC2 instance type for Splunk Indexers' + ConstraintDescription: 'Must be a valid EC2 instance type.' + Default: c5.4xlarge + Type: String + SearchHeadInstanceType: + AllowedValues: + - r5.4xlarge + - r5.8xlarge + - r5.16xlarge + - c5.4xlarge + - c5.9xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + Description: 'EC2 instance type for Splunk Search Heads' + ConstraintDescription: 'Must be a valid EC2 instance type.' 
+ Default: c5.4xlarge + Type: String + IndexerApps: + Description: 'Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)' + Default: '' + Type: CommaDelimitedList + SearchHeadApps: + Description: 'Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)' + Default: '' + Type: CommaDelimitedList + KeyName: + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Description: 'Name of an existing EC2 KeyPair to enable SSH access to the instance.' + Type: AWS::EC2::KeyPair::KeyName + NumberOfAZs: + AllowedValues: + - '2' + - '3' + Default: '2' + Description: 'Number of Availability Zones to use in the VPC. This must match the number public subnet IDs entered as parameters.' + Type: String + PublicSubnet1ID: + Description: 'ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)' + Type: AWS::EC2::Subnet::Id + PublicSubnet2ID: + Description: 'ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)' + Type: AWS::EC2::Subnet::Id + PublicSubnet3ID: + Description: 'ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)' + Type: AWS::EC2::Subnet::Id + Default: '' + QSS3BucketName: + Default: splk-quickstart-testing + Description: 'S3 bucket name for the Quick Start assets.' + Type: String + QSS3KeyPrefix: + Default: quickstart-splunk-enterprise/ + Description: 'S3 key prefix for the Quick Start assets.' + Type: String + SHCEnabled: + AllowedValues: + - 'yes' + - 'no' + Default: 'no' + Description: 'Do you want to build a Splunk search head cluster?' + Type: String + SSHClientLocation: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.' 
+ Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' + MaxLength: '19' + MinLength: '9' + Type: String + SplunkAdminPassword: + AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* + ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.' + Description: 'Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols.' + MaxLength: '32' + MinLength: '6' + NoEcho: 'true' + Type: String + SplunkIndexerCount: + ConstraintDescription: 'Must be a valid number, 3-10' + Default: '3' + Description: 'How many Splunk indexers to launch. [3-10]' + MaxValue: '10' + MinValue: '3' + Type: Number + SplunkIndexerDiskSize: + ConstraintDescription: 'Must be a valid number, 320-16000' + Default: '320' + Description: 'The size of the attached EBS volume to the Splunk indexers. (in GB)' + MaxValue: '16000' + MinValue: '320' + Type: Number + SplunkSearchHeadDiskSize: + ConstraintDescription: 'Must be a valid number, 320-16000' + Default: '320' + Description: 'The size of the attached EBS volume to the Splunk search head(s). 
(in GB)' + MaxValue: '16000' + MinValue: '320' + Type: Number + SmartStoreBucketName: + Default: '' + Description: 'Name of S3 bucket to be created for SmartStore storage' + Type: String + SplunkLicenseBucket: + Default: '' + Description: 'Name of private S3 bucket with licenses to be accessed via authenticated requests' + Type: String + SplunkLicensePath: + Default: '' + Description: 'Path to license file in S3 Bucket (without leading /)' + Type: String + SplunkReplicationFactor: + ConstraintDescription: 'must be a valid number, 2-4' + Default: '3' + Description: 'How many copies of data should be stored in the Splunk Indexer Cluster' + MaxValue: '4' + MinValue: '2' + Type: Number + SplunkSearchFactor: + ConstraintDescription: 'Must be a valid number, 2-4' + Default: '2' + Description: 'How many copies of data should be searchable in the Splunk indexer clusters' + MaxValue: '4' + MinValue: '2' + Type: Number + SplunkClusterSecret: + AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* + ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.' + Description: 'Shared cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.' + MaxLength: '32' + MinLength: '8' + NoEcho: 'true' + Type: String + SplunkIndexerDiscoverySecret: + AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* + ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.' + Description: 'Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. 
Must be at least 8 characters containing letters, numbers and symbols.' + MaxLength: '32' + MinLength: '8' + NoEcho: 'true' + Type: String + VPCCIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: 'Must be a valid IP CIDR range of the form x.x.x.x/x.' + Description: VPC CIDR Block (x.x.x.x/x notation) + Type: String + VPCID: + Description: VPC ID + Type: AWS::EC2::VPC::Id +Metadata: + AWSAMIRegionMap: + Filters: + SPLUNKENTHVM: + name: splunk_marketplace_AMI_* + owner-alias: aws-marketplace + product-code.type: marketplace + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: AWS Instance and Network Settings + Parameters: + - IndexerInstanceType + - SearchHeadInstanceType + - KeyName + - WebClientLocation + - HECClientLocation + - SSHClientLocation + - VPCID + - VPCCIDR + - PublicSubnet1ID + - PublicSubnet2ID + - PublicSubnet3ID + - NumberOfAZs + - SmartStoreBucketName + - Label: + default: Splunk Settings + Parameters: + - SplunkAdminPassword + - SplunkClusterSecret + - SplunkIndexerDiscoverySecret + - SplunkLicenseBucket + - SplunkLicensePath + - SplunkIndexerCount + - SplunkIndexerDiskSize + - SplunkSearchHeadDiskSize + - SplunkReplicationFactor + - SplunkSearchFactor + - SmartStoreBucketName + - SHCEnabled + - IndexerApps + - SearchHeadApps + ParameterLabels: + WebClientLocation: + default: Permitted CIDR for Splunk web interface + HECClientLocation: + default: Permitted CIDR for Splunk HTTP event collector input + IndexerInstanceType: + default: EC2 instance type for Splunk indexer + SearchHeadInstanceType: + default: EC2 instance type for Splunk search head + KeyName: + default: Key Name + PublicSubnet1ID: + default: Public Subnet 1 ID + PublicSubnet2ID: + default: Public Subnet 2 ID + PublicSubnet3ID: + default: Public Subnet 3 ID + NumberOfAZs: + default: Number of Availability Zones + SHCEnabled: + 
default: Enable Search Head Cluster? + SSHClientLocation: + default: Permitted CIDR for ssh + SplunkAdminPassword: + default: Splunk Admin Password + SplunkIndexerCount: + default: No. of Splunk Indexers + SmartStoreBucketName: + default: Name of bucket to be created for Smartstore storage + SplunkIndexerDiskSize: + default: Indexer Disk Size + SplunkSearchHeadDiskSize: + default: Search Head(s) Disk Size + SplunkLicenseBucket: + default: Splunk License Bucket + SplunkLicensePath: + default: Splunk License S3 Bucket Path + SplunkReplicationFactor: + default: Index Cluster Replication Factor + SplunkSearchFactor: + default: Index Cluster Search Factor + SplunkClusterSecret: + default: Shared Security Key for Cluster Nodes + SplunkIndexerDiscoverySecret: + default: Shared Security Key for Forwarders using Indexer Discovery + IndexerApps: + default: Apps/Add-ons to pre-Install on Splunk Indexers + SearchHeadApps: + default: Apps/Add-ons to pre-Install on Splunk Search Heads + VPCCIDR: + default: VPC CIDR + VPCID: + default: VPC ID +Conditions: + Create3AZ: !Equals + - !Ref 'NumberOfAZs' + - '3' + CreateSingleSearchHead: !Equals + - !Ref 'SHCEnabled' + - 'no' + CreateSHC: !Equals + - !Ref 'SHCEnabled' + - 'yes' + InstallIndexerApps: !Not + - !Equals + - !Join + - '' + - !Ref 'IndexerApps' + - '' + InstallSearchHeadApps: !Not + - !Equals + - !Join + - '' + - !Ref 'SearchHeadApps' + - '' + ConfigureLicense: !And + - !Not + - !Equals + - '' + - !Ref 'SplunkLicenseBucket' + - !Not + - !Equals + - '' + - !Ref 'SplunkLicensePath' +Mappings: + AWSAMIRegionMap: + AMI: + SPLUNKENTHVM: splunk_marketplace_AMI_2018-10-16_22_07_36-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d-ami-0d494b5a999e1c49f.4 + ap-northeast-1: + SPLUNKENTHVM: ami-0db36f11d65f551fb + ap-northeast-2: + SPLUNKENTHVM: ami-09c7965888207979b + ap-south-1: + SPLUNKENTHVM: ami-07c20db6edfd45f98 + ap-southeast-1: + SPLUNKENTHVM: ami-0e7b7ca1bdcdd93a6 + ap-southeast-2: + SPLUNKENTHVM: ami-0c8a4d5bdf83f0df8 + ca-central-1: + 
SPLUNKENTHVM: ami-02f085f4514fa7145 + eu-central-1: + SPLUNKENTHVM: ami-09ce965c3b1a9a1cb + eu-west-1: + SPLUNKENTHVM: ami-0fafe9e81915f154e + eu-west-2: + SPLUNKENTHVM: ami-060d9e50d310e0ebb + sa-east-1: + SPLUNKENTHVM: ami-0dacd4005280936e5 + us-east-1: + SPLUNKENTHVM: ami-0db9d414307afccce + us-east-2: + SPLUNKENTHVM: ami-04b6874c649721f0a + us-west-1: + SPLUNKENTHVM: ami-0377011a3f771e353 + us-west-2: + SPLUNKENTHVM: ami-098f3b1d228f57491 + SplunkConfig: + dedicated-instance-type: + clusterMaster: c5.xlarge + shclusterDeployer: c5.xlarge + shcluster-replication-factor: + num: '3' + labels: + cluster: IndexerCluster + shcluster: SearchHeadCluster +Resources: + SplunkSmartstoreBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: !Ref 'SmartStoreBucketName' + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 + DeletionPolicy: Delete + SmartStoreS3BucketRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - sts:AssumeRole + Path: / + SmartStoreS3AccessInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: + - !Ref 'SmartStoreS3BucketRole' + SmartStoreS3BucketPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: SmartStoreS3BucketPolicy + PolicyDocument: + Statement: + - Action: + - s3:ListBucket + Effect: Allow + Resource: + - !Join + - '' + - - 'arn:aws:s3:::' + - !Ref 'SmartStoreBucketName' + - Action: + - s3:PutObject + - s3:GetObject + - s3:DeleteObject + - s3:PutObjectAcl + Effect: Allow + Resource: + - !Join + - '' + - - 'arn:aws:s3:::' + - !Ref 'SmartStoreBucketName' + - /* + Roles: + - !Ref 'SmartStoreS3BucketRole' + SplunkSearchHeadSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref 'VPCID' + GroupDescription: 'Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication' + 
SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 8000 + ToPort: 8000 + CidrIp: !Ref 'WebClientLocation' + - IpProtocol: tcp + FromPort: 8090 + ToPort: 8090 + CidrIp: !Ref 'VPCCIDR' + - IpProtocol: tcp + FromPort: 8191 + ToPort: 8191 + CidrIp: !Ref 'VPCCIDR' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Name + Value: SplunkSearchHeadSecurityGroup + SplunkIndexerSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref 'VPCID' + GroupDescription: 'Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication' + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 9997 + ToPort: 9997 + CidrIp: !Ref 'VPCCIDR' + - IpProtocol: tcp + FromPort: 8088 + ToPort: 8088 + SourceSecurityGroupId: !Ref 'SplunkHttpEventCollectorLoadBalancerSecurityGroup' + - IpProtocol: tcp + FromPort: 514 + ToPort: 514 + CidrIp: !Ref 'VPCCIDR' + - IpProtocol: udp + FromPort: 514 + ToPort: 514 + CidrIp: !Ref 'VPCCIDR' + - IpProtocol: tcp + FromPort: 9887 + ToPort: 9887 + CidrIp: !Ref 'VPCCIDR' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Name + Value: SplunkIndexerSecurityGroup + SplunkSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref 'VPCID' + GroupDescription: 'Enable administrative ports like restricted SSH and management port' + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: !Ref 'SSHClientLocation' + - IpProtocol: tcp + FromPort: 8089 + ToPort: 8089 + CidrIp: !Ref 'VPCCIDR' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Name + Value: SplunkSecurityGroup + SplunkHttpEventCollectorLoadBalancerSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref 'VPCID' + GroupDescription: 'Enable port 8088 on ELB for HEC input' + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 8088 + ToPort: 8088 + CidrIp: !Ref 'HECClientLocation' + Tags: + - Key: Application + Value: !Ref 
'AWS::StackId' + - Key: Name + Value: SplunkHttpEventCollectorLoadBalancerSecurityGroup + SplunkSearchHeadInstance: + Type: AWS::EC2::Instance + Condition: CreateSingleSearchHead + CreationPolicy: + ResourceSignal: + Timeout: PT15M + Properties: + ImageId: !FindInMap + - AWSAMIRegionMap + - !Ref 'AWS::Region' + - SPLUNKENTHVM + InstanceType: !Ref 'SearchHeadInstanceType' + KeyName: !Ref 'KeyName' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Role + Value: splunk-search-head + - Key: Name + Value: search-head + NetworkInterfaces: + - GroupSet: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkSearchHeadSecurityGroup' + AssociatePublicIpAddress: true + DeviceIndex: '0' + DeleteOnTermination: true + SubnetId: !Ref 'PublicSubnet1ID' + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + VolumeSize: !Ref 'SplunkSearchHeadDiskSize' + UserData: + Fn::Base64: + Fn::Sub: + - | + #!/bin/bash -xe + export INSTALL_INDEXER_APPS="0" + export INSTALL_LICENSE="0" + export SYMMKEY="${SplunkIndexerDiscoverySecret}" + export ADMIN_PASSWORD="${SplunkAdminPassword}" + export STACK_NAME="${AWS::StackName}" + export AWS_REGION="${AWS::Region}" + export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" + export SplunkCMWaitHandle="${SplunkCMWaitHandle}" + export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" + wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh + export CM_PRIVATEIP="${SplunkCMIP}" + /tmp/user_data.sh single_sh && rm -f /tmp/user_data.sh + - SplunkCMIP: !GetAtt SplunkCM.PrivateIp + SplunkCM: + Type: AWS::EC2::Instance + CreationPolicy: + ResourceSignal: + Timeout: PT15M + Metadata: + AWS::CloudFormation::Init: !If + - ConfigureLicense + - config: + files: + /opt/splunk/etc/licenses/enterprise/splunk.license: + source: !If + - ConfigureLicense + - !Join + - '' + - - https:// + - !Ref 'SplunkLicenseBucket' + - .s3.amazonaws.com/ + - !Ref 'SplunkLicensePath' + - !Ref 
'AWS::NoValue' + mode: '000600' + owner: splunk + group: splunk + authentication: S3AccessCreds + - !Ref 'AWS::NoValue' + AWS::CloudFormation::Authentication: !If + - ConfigureLicense + - S3AccessCreds: + type: S3 + accessKeyId: !Ref 'CfnKeys' + secretKey: !GetAtt 'CfnKeys.SecretAccessKey' + buckets: + - !Ref 'SplunkLicenseBucket' + - !Ref 'AWS::NoValue' + Properties: + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + VolumeSize: 150 + NetworkInterfaces: + - GroupSet: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkSearchHeadSecurityGroup' + AssociatePublicIpAddress: true + DeviceIndex: '0' + DeleteOnTermination: true + SubnetId: !Ref 'PublicSubnet1ID' + ImageId: !FindInMap + - AWSAMIRegionMap + - !Ref 'AWS::Region' + - SPLUNKENTHVM + InstanceType: !FindInMap + - SplunkConfig + - dedicated-instance-type + - clusterMaster + KeyName: !Ref 'KeyName' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Role + Value: cluster-master + - Key: Name + Value: cluster-master + UserData: + Fn::Base64: + Fn::Sub: + - | + #!/bin/bash -xe + export INSTALL_INDEXER_APPS="0" + export INSTALL_LICENSE="0" + export SYMMKEY="${SplunkIndexerDiscoverySecret}" + export ADMIN_PASSWORD="${SplunkAdminPassword}" + export STACK_NAME="${AWS::StackName}" + export AWS_REGION="${AWS::Region}" + export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" + export SMARTSTORE_BUCKET="${SmartStoreBucketName}" + export SplunkCMWaitHandle="${SplunkCMWaitHandle}" + export REPFACTOR="${SplunkReplicationFactor}" + export SEARCHFACTOR="${SplunkSearchFactor}" + export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" + export SITELIST="${Sitelist}" + export INSTALL_LICENSE="${InstallLicense}" + wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh + /tmp/user_data.sh cm && rm -f /tmp/user_data.sh + - Sitelist: !If [Create3AZ, "site1,site2,site3", "site1,site2" ] + InstallLicense: !If [ConfigureLicense, "1", "0"] + 
SplunkCMWaitHandle: + Type: AWS::CloudFormation::WaitConditionHandle + SplunkCMWaitCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: SplunkCM + Properties: + Handle: !Ref 'SplunkCMWaitHandle' + Timeout: '900' + SplunkSHCDeployer: + Type: AWS::EC2::Instance + Condition: CreateSHC + CreationPolicy: + ResourceSignal: + Timeout: PT20M + Properties: + ImageId: !FindInMap + - AWSAMIRegionMap + - !Ref 'AWS::Region' + - SPLUNKENTHVM + InstanceType: !FindInMap + - SplunkConfig + - dedicated-instance-type + - shclusterDeployer + KeyName: !Ref 'KeyName' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Role + Value: splunk-deployer + - Key: Name + Value: deployer + NetworkInterfaces: + - GroupSet: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkSearchHeadSecurityGroup' + AssociatePublicIpAddress: true + DeviceIndex: '0' + DeleteOnTermination: true + SubnetId: !Ref 'PublicSubnet1ID' + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + VolumeSize: !Ref 'SplunkSearchHeadDiskSize' + UserData: + Fn::Base64: + Fn::Sub: + - | + #!/bin/bash -xe + export INSTALL_INDEXER_APPS="0" + export INSTALL_LICENSE="0" + export SYMMKEY="${SplunkIndexerDiscoverySecret}" + export ADMIN_PASSWORD="${SplunkAdminPassword}" + export STACK_NAME="${AWS::StackName}" + export AWS_REGION="${AWS::Region}" + export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" + export SMARTSTORE_BUCKET="${SmartStoreBucketName}" + export SplunkCMWaitHandle="${SplunkCMWaitHandle}" + export REPFACTOR="${SplunkReplicationFactor}" + export SEARCHFACTOR="${SplunkSearchFactor}" + export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" + export CM_PRIVATEIP="${SplunkCMIP}" + wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh + /tmp/user_data.sh deployer && rm -f /tmp/user_data.sh + - SplunkCMIP: !GetAtt SplunkCM.PrivateIp + SplunkSHCMember1: + Type: AWS::EC2::Instance + Condition: CreateSHC + CreationPolicy: + 
ResourceSignal: + Timeout: PT20M + Properties: + ImageId: !FindInMap + - AWSAMIRegionMap + - !Ref 'AWS::Region' + - SPLUNKENTHVM + InstanceType: !Ref 'SearchHeadInstanceType' + KeyName: !Ref 'KeyName' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Role + Value: splunk-search-head + - Key: Name + Value: search-head-1 + NetworkInterfaces: + - GroupSet: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkSearchHeadSecurityGroup' + AssociatePublicIpAddress: true + DeviceIndex: '0' + DeleteOnTermination: true + SubnetId: !Ref 'PublicSubnet1ID' + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + VolumeSize: !Ref 'SplunkSearchHeadDiskSize' + UserData: + Fn::Base64: + Fn::Sub: + - | + #!/bin/bash -xe + export INSTALL_INDEXER_APPS="0" + export INSTALL_LICENSE="0" + export SYMMKEY="${SplunkIndexerDiscoverySecret}" + export ADMIN_PASSWORD="${SplunkAdminPassword}" + export STACK_NAME="${AWS::StackName}" + export AWS_REGION="${AWS::Region}" + export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" + export SMARTSTORE_BUCKET="${SmartStoreBucketName}" + export SplunkCMWaitHandle="${SplunkCMWaitHandle}" + export REPFACTOR="${SplunkReplicationFactor}" + export SEARCHFACTOR="${SplunkSearchFactor}" + export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" + export CM_PRIVATEIP="${SplunkCMIP}" + export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" + export THREEAZ="${THREEAZ}" + export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}" + wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh + /tmp/user_data.sh cluster_sh 1 && rm -f /tmp/user_data.sh + - SplunkCMIP: !GetAtt SplunkCM.PrivateIp + SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp + THREEAZ: !If [ Create3AZ, "1", "0" ] + SplunkSHCMember2: + Type: AWS::EC2::Instance + Condition: CreateSHC + CreationPolicy: + ResourceSignal: + Timeout: PT20M + Properties: + ImageId: !FindInMap + - AWSAMIRegionMap + - !Ref 'AWS::Region' + - SPLUNKENTHVM + 
InstanceType: !Ref 'SearchHeadInstanceType' + KeyName: !Ref 'KeyName' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - Key: Role + Value: splunk-search-head + - Key: Name + Value: search-head-2 + NetworkInterfaces: + - GroupSet: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkSearchHeadSecurityGroup' + AssociatePublicIpAddress: true + DeviceIndex: '0' + DeleteOnTermination: true + SubnetId: !Ref 'PublicSubnet2ID' + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + VolumeSize: !Ref 'SplunkSearchHeadDiskSize' + UserData: + Fn::Base64: + Fn::Sub: + - | + #!/bin/bash -xe + export INSTALL_INDEXER_APPS="0" + export INSTALL_LICENSE="0" + export SYMMKEY="${SplunkIndexerDiscoverySecret}" + export ADMIN_PASSWORD="${SplunkAdminPassword}" + export STACK_NAME="${AWS::StackName}" + export AWS_REGION="${AWS::Region}" + export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" + export SMARTSTORE_BUCKET="${SmartStoreBucketName}" + export SplunkCMWaitHandle="${SplunkCMWaitHandle}" + export REPFACTOR="${SplunkReplicationFactor}" + export SEARCHFACTOR="${SplunkSearchFactor}" + export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" + export CM_PRIVATEIP="${SplunkCMIP}" + export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" + export THREEAZ="${THREEAZ}" + export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}" + wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh + /tmp/user_data.sh cluster_sh 2 && rm -f /tmp/user_data.sh + - SplunkCMIP: !GetAtt SplunkCM.PrivateIp + SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp + THREEAZ: !If [ Create3AZ, "1", "0" ] + SplunkSHCMember3: + Type: AWS::EC2::Instance + Condition: CreateSHC + CreationPolicy: + ResourceSignal: + Timeout: PT20M + Properties: + ImageId: !FindInMap + - AWSAMIRegionMap + - !Ref 'AWS::Region' + - SPLUNKENTHVM + InstanceType: !Ref 'SearchHeadInstanceType' + KeyName: !Ref 'KeyName' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + - 
Key: Role + Value: splunk-search-head + - Key: Name + Value: search-head-3 + NetworkInterfaces: + - GroupSet: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkSearchHeadSecurityGroup' + AssociatePublicIpAddress: true + DeviceIndex: '0' + DeleteOnTermination: true + SubnetId: !If + - Create3AZ + - !Ref 'PublicSubnet3ID' + - !Ref 'PublicSubnet2ID' + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + VolumeSize: !Ref 'SplunkSearchHeadDiskSize' + UserData: + Fn::Base64: + Fn::Sub: + - | + #!/bin/bash -xe + export INSTALL_INDEXER_APPS="0" + export INSTALL_LICENSE="0" + export SYMMKEY="${SplunkIndexerDiscoverySecret}" + export ADMIN_PASSWORD="${SplunkAdminPassword}" + export STACK_NAME="${AWS::StackName}" + export AWS_REGION="${AWS::Region}" + export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" + export SMARTSTORE_BUCKET="${SmartStoreBucketName}" + export SplunkCMWaitHandle="${SplunkCMWaitHandle}" + export REPFACTOR="${SplunkReplicationFactor}" + export SEARCHFACTOR="${SplunkSearchFactor}" + export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" + export CM_PRIVATEIP="${SplunkCMIP}" + export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" + export THREEAZ="${THREEAZ}" + export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}" + wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh + /tmp/user_data.sh cluster_sh 3 && rm -f /tmp/user_data.sh + - SplunkCMIP: !GetAtt SplunkCM.PrivateIp + SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp + THREEAZ: !If [ Create3AZ, "1", "0" ] + CfnUser: + Type: AWS::IAM::User + Condition: ConfigureLicense + Properties: + Path: / + CfnKeys: + Type: AWS::IAM::AccessKey + Condition: ConfigureLicense + Properties: + UserName: !Ref 'CfnUser' + BucketPolicy: + Type: AWS::S3::BucketPolicy + Condition: ConfigureLicense + Properties: + PolicyDocument: + Version: '2012-10-17' + Id: MyPolicy + Statement: + - Sid: ReadAccess + Action: + - s3:GetObject + Effect: Allow + Resource: 
!Join + - '' + - - 'arn:aws:s3:::' + - !Ref 'SplunkLicenseBucket' + - /* + Principal: + AWS: !GetAtt 'CfnUser.Arn' + Bucket: !Ref 'SplunkLicenseBucket' + SplunkIndexerLaunchConfiguration: + Type: AWS::AutoScaling::LaunchConfiguration + Properties: + AssociatePublicIpAddress: true + IamInstanceProfile: !Ref 'SmartStoreS3AccessInstanceProfile' + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + VolumeSize: !Ref 'SplunkIndexerDiskSize' + SecurityGroups: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkIndexerSecurityGroup' + ImageId: !FindInMap + - AWSAMIRegionMap + - !Ref 'AWS::Region' + - SPLUNKENTHVM + InstanceType: !Ref 'IndexerInstanceType' + KeyName: !Ref 'KeyName' + UserData: + Fn::Base64: + Fn::Sub: + - | + #!/bin/bash -xe + export INSTALL_INDEXER_APPS="0" + export INSTALL_LICENSE="0" + export SYMMKEY="${SplunkIndexerDiscoverySecret}" + export ADMIN_PASSWORD="${SplunkAdminPassword}" + export STACK_NAME="${AWS::StackName}" + export AWS_REGION="${AWS::Region}" + export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" + export SMARTSTORE_BUCKET="${SmartStoreBucketName}" + export SplunkCMWaitHandle="${SplunkCMWaitHandle}" + export REPFACTOR="${SplunkReplicationFactor}" + export SEARCHFACTOR="${SplunkSearchFactor}" + export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" + export CM_PRIVATEIP="${SplunkCMIP}" + export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" + export SMARTSTORE_BUCKET="${SmartStoreBucketName}" + export CM_PRIVATEIP="${SplunkCMIP}" + export SUBNET1_ID="${PublicSubnet1ID}" + export SUBNET2_ID="${PublicSubnet2ID}" + export SUBNET3_ID="${PublicSubnet3ID}" + wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh + /tmp/user_data.sh indexer && rm -f /tmp/user_data.sh + - SplunkCMIP: !GetAtt SplunkCM.PrivateIp + SplunkSHCLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateSHC + Properties: + ConnectionDrainingPolicy: + Enabled: true + 
Timeout: 300 + LBCookieStickinessPolicy: + - CookieExpirationPeriod: '86400' + PolicyName: SplunkWebCookiePolicy + Instances: + - !Ref 'SplunkSHCMember1' + - !Ref 'SplunkSHCMember2' + - !Ref 'SplunkSHCMember3' + Listeners: + - LoadBalancerPort: '8000' + InstancePort: '8000' + Protocol: HTTP + PolicyNames: + - SplunkWebCookiePolicy + Scheme: internet-facing + SecurityGroups: + - !Ref 'SplunkSecurityGroup' + - !Ref 'SplunkSearchHeadSecurityGroup' + CrossZone: true + Subnets: !If + - Create3AZ + - - !Ref 'PublicSubnet1ID' + - !Ref 'PublicSubnet2ID' + - !Ref 'PublicSubnet3ID' + - - !Ref 'PublicSubnet1ID' + - !Ref 'PublicSubnet2ID' + HealthCheck: + Target: TCP:8089 + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '30' + Timeout: '5' + SplunkHttpEventCollectorLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + ConnectionDrainingPolicy: + Enabled: true + Timeout: 300 + Listeners: + - InstancePort: '8088' + InstanceProtocol: HTTPS + LoadBalancerPort: '8088' + Protocol: HTTP + Scheme: internet-facing + SecurityGroups: + - !Ref 'SplunkHttpEventCollectorLoadBalancerSecurityGroup' + CrossZone: true + Subnets: !If + - Create3AZ + - - !Ref 'PublicSubnet1ID' + - !Ref 'PublicSubnet2ID' + - !Ref 'PublicSubnet3ID' + - - !Ref 'PublicSubnet1ID' + - !Ref 'PublicSubnet2ID' + HealthCheck: + Target: HTTPS:8088/services/collector/health + HealthyThreshold: '3' + UnhealthyThreshold: '2' + Interval: '20' + Timeout: '5' + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - '8088' + SplunkIndexerNodesASG: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: SplunkCM + Properties: + VPCZoneIdentifier: !If + - Create3AZ + - - !Ref 'PublicSubnet1ID' + - !Ref 'PublicSubnet2ID' + - !Ref 'PublicSubnet3ID' + - - !Ref 'PublicSubnet1ID' + - !Ref 'PublicSubnet2ID' + LaunchConfigurationName: !Ref 'SplunkIndexerLaunchConfiguration' + MinSize: !Ref 
'SplunkIndexerCount' + MaxSize: !Ref 'SplunkIndexerCount' + DesiredCapacity: !Ref 'SplunkIndexerCount' + LoadBalancerNames: + - !Ref 'SplunkHttpEventCollectorLoadBalancer' + Tags: + - Key: Application + Value: !Ref 'AWS::StackId' + PropagateAtLaunch: true + - Key: Role + Value: splunk-indexer + PropagateAtLaunch: true + - Key: Name + Value: indexer-N + PropagateAtLaunch: true + CreationPolicy: + ResourceSignal: + Count: !Ref 'SplunkIndexerCount' + Timeout: PT30M +Outputs: + SearchHeadURL: + Description: 'Splunk Enterprise - Search Head URL' + Value: !Join + - '' + - - http:// + - !If + - CreateSHC + - !GetAtt 'SplunkSHCLoadBalancer.DNSName' + - !GetAtt 'SplunkSearchHeadInstance.PublicIp' + - :8000 + ClusterMasterURL: + Description: 'Splunk Enterprise - Cluster Master URL' + Value: !Join + - '' + - - http:// + - !GetAtt 'SplunkCM.PublicIp' + - :8000 + ClusterMasterManagementURL: + Description: 'Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)' + Value: !Join + - '' + - - https:// + - !GetAtt SplunkCM.PrivateIp + - :8089 + DeployerURL: + Description: 'Splunk Enterprise - Search Head Cluster Deployer URL' + Value: !If + - CreateSHC + - !Join + - '' + - - http:// + - !GetAtt 'SplunkSHCDeployer.PublicIp' + - :8000 + - Applicable when Search Head Cluster is selected + HttpEventCollectorURL: + Description: 'HTTP Event Collector URL' + Value: !Join + - '' + - - http:// + - !GetAtt 'SplunkHttpEventCollectorLoadBalancer.DNSName' + - :8088 + - /services/collector + HttpEventCollectorToken: + Description: 'HTTP Event Collector Token' + Value: !Select + - '1' + - !Split + - '"' + - !Select + - '1' + - !Split + - ':' + - !GetAtt 'SplunkCMWaitCondition.Data' From ba45368c32f41043c364bd25fb332905c6710d17 Mon Sep 17 00:00:00 2001 
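Review bot: The three `NoEcho` secrets (`SplunkAdminPassword`, `SplunkClusterSecret`, `SplunkIndexerDiscoverySecret`) are substituted in clear text into the `UserData` of `SplunkSearchHeadInstance`, `SplunkCM`, `SplunkSHCDeployer`, `SplunkSHCMember1` to `SplunkSHCMember3` and `SplunkIndexerLaunchConfiguration`, so `NoEcho` no longer protects them. User data is stored unencrypted, can be read back by any principal allowed `ec2:DescribeInstanceAttribute` (or `autoscaling:DescribeLaunchConfigurations` for the indexers), and is served to every local process by the instance metadata service. The `#!/bin/bash -xe` shebang makes this worse, because `-x` traces each `export ADMIN_PASSWORD=...` line into whatever log captures the boot script's output; at minimum change it to `#!/bin/bash -e`. A fuller fix would keep the values in Secrets Manager or an SSM SecureString parameter and have `user_data.sh` fetch them at boot through an instance role; in this template only the indexer launch configuration has an `IamInstanceProfile`, so the other instances would need one as well.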
From: Bill Bartlett Date: Thu, 21 Jan 2021 19:50:45 -0800 Subject: [PATCH 30/47] initial adoc commit unfinished docs, but committing so that they may be shared. --- .../splunk-enterprise-architecture-on-aws.png | Bin 0 -> 58890 bytes docs/partner_editable/_settings.adoc | 14 +++++ docs/partner_editable/architecture.adoc | 28 ++++++++++ docs/partner_editable/deploy_steps.adoc | 51 ++++++++++++++++++ docs/partner_editable/deployment_options.adoc | 0 docs/partner_editable/licenses.adoc | 1 + docs/partner_editable/overview_target_and_usage.adoc | 3 ++ .../partner_editable/product_description.adoc | 5 ++ .../specialized_knowledge.adoc | 0 9 files changed, 102 insertions(+) create mode 100644 docs/images/splunk-enterprise-architecture-on-aws.png create mode 100644 docs/partner_editable/_settings.adoc create mode 100644 docs/partner_editable/architecture.adoc create mode 100644 docs/partner_editable/deploy_steps.adoc create mode 100644 docs/partner_editable/deployment_options.adoc create mode 100644 docs/partner_editable/licenses.adoc create mode 100644 docs/partner_editable/overview_target_and_usage.adoc create mode 100644 docs/partner_editable/product_description.adoc create mode 100644 docs/partner_editable/specialized_knowledge.adoc
diff --git a/docs/images/splunk-enterprise-architecture-on-aws.png b/docs/images/splunk-enterprise-architecture-on-aws.png new file mode 100644 index 0000000000000000000000000000000000000000..6ff34819e5a3f090b6cf56dd24cbe03cb2e2334e GIT binary patch literal 58890 zcmY&;by%BA^ERcpQ@j)?(BjrYvEZ)3rNs&qDDDJ@qQ%__?pmNg@Z#fc2Uo~spJ!)hcXnp(dqR|f(%2ZUF%S?Cuw`W=R1pwfdLbYnCZQq1B@H6KTj3w* zb~2wG5fE^?{{Fp4V8$Vb3sIe96(v#E(8-8+n7*dtrT!z5)OHeecKUAXfKXg9Bm);= zIl)B|CXU7q=5|izwl)X^=+v}uImTbPxUHR=gSpvvCxkNGA%3_N=O3wqiQ(U&Z=KAo zO%Og^VQ!H=XVrbjP_ToW$0jI zZexb6NJlW|AYS5o zK-ip?l@L{TT{vt(byD9+c|I1Lf8g%Vh&UJShnd!x@c^sqs$RV0eoMv!MYow-U42Ea z`)95PWwGkTqLVVR#D|ujIVeT6>LOy;m!bTMh*s|SChn8Z9y_6f9IuDNr8sjLS9Uyc z&75`;lTz-NuQ^B0g+@K3Q6r>s$G>yEj@Wi@@~3+7f8U_8|4OB3K@)#}{X1wA`0poI zs*+=&zM1kMc4%oMr($EG?oy1{gC)eFMEw21SP4Hr)w=SKrViofNBaOj~@jxW)cEvCR zCSK7sj3s`R*)KiEzW-SWI^SYGy`NKFGA8Ym-FZY0RC}QT=s;9I(4VZ+fZRSqmzOir z(wbb378)FPfSE#Gn@2AHnfHr<&eyM5jF}24ACaN2-n_vI;`6vF6Sgk|<}ya81`8M9 zVn+jzz~IQy?oR%Wms1D5dq9n*3*q^h8DcWB5OyqsMcZ&XFCTn-{DyjRpRloi_T<2k znUV3s7Qwgyx8t?~$I!9QvxhIEzCt=L{$g5MnpX(UU#K+J0DgzP`=XyMdDIam@oVNyI&7ut7j6tluY$IMKZRd5H(PaYSsRG z|MPTk?5c={l;ZeixkiOoxv}h5>8{S7ZJ431+W2R`EOtm53m#F*8!h8b%#9jf+7XPQ zUu-V@x4kolSY5^$)HHwka;~D)^D^uU=`2II1@Ho+(?`H~1B3p&YYLy_qov2+TWPUV z6p!dlW~-&))7w!#JIv7i>o;Gt)R+?ba!}Z*-$HlVuPN;cTOY$M7Vl3)8xi@tFI<@4 zr(k8jNd1Ms?}ts%Ba8JGbOH#8`*;3f$~%dPuw?V4;EVZ}uqkfS{v@FYKQP-maIwnu z+Zel>!)&ZAhavH1q*8P}{=f63J_eCxt}-Yf91%qBql309XW8sEqL(UE&%=WEIuI?k z1y{UpX^zSNa}HFju8;uGjZj={tUwZA+B}RuF>052w>ia|ut@vX@5$+kT1+v35+8o20Y1rTbnsN9LCtNu^P|_!-qY4j%Qox%cQv@1laZ16qvG~VDUGfJ z{l8R%K1*jh7Ba~caaPJD7Xv2evSUwOvj4efqz)pe4b3cCPjO<7HZR zl5*)btYJ@I_5ZzHB5a*$jFk}*DO4qW%0fMrsx}$%-w+u_71t^Ju_-A(9`r|)%u;6| zD_%Iozv_BA3l!hPq>43m&N+&kN-nerfE@^+Qw_3y^Iewz(>g)zv?6FytJ zc^3Jfu^i{{ETsQX%)@MUfVH}gUlZ6K@XHhYz?dj6-#G7l!3r%!>Hf47g7NOLj|8jT zrOee_S%1<%C_nU0n|nuyBi~_A;_)_jPI2Wa&S-w}?AHHRn#F8VN7c^_vw(rtd*RIz zOWdOm43(f=F0l*UN@=0ECslHw(T8oe24NKq^{P!-YsHVpr10<{GkosLNGhTTsdE}}XQiPVCtA>cZK{7-ts!k=%9tCcP3wv1 
z*331)hAqt|T2H0ho6Uej=IU{2|8NU@lUk>IwX`In;JokYFGX!NVV)2}P?h$JyTG33 zPZ84-`8@PRY7Q&7u+dXar%mg5BYQ-c9jwgaA@z0vHp~BNjPt=>&k@I#1g@hPCu#K5 zcZh?WPFhYsnhNYj2LH6#VJ|N9B*yd=_j>sem0_Tvo^j&SnXLc5RIuo1RJ2sCTPtbj&VuPAbwH(Dk{D)M*d*4HgoL~6G+{7>J(Pu=#n)v1z8E$<1QZzVax3Bkg}SY8tN?}k41=DwOh zN|T31QgGCu0XFayxF)9G9V{x5+dSzO!o4Z#lfs3>52c-)LSz^h!@>(US6!wutxp~4 zgV7>O#joFF3+v&c%gj57aNGJ?+4yWFf<)sw5<|gfW72pQvorZCd0$$53o%g`6NM`+ zSqVf4UfczWt2edo`*I=#$6Jx47oVdbYEP$R2OaES&yE=56e+?awh1siORk5G@hD0K zKZ50a8YOh_Uzk_Z6|41@=D=5epUcpBNj2=k<26fpiY4IBFnyH`X~H_g%(&0PzZbiF zoz4DDiRexYs^n)X^aSk&&Aq;QrtUFBUufa?_IG|uP`0O?Qas)I)pCC zswC2oY82)|ap-6W;{Aqy&*(MJt>@T)N4 z5t;0%xfIh2UXLwSSHZnL+#BLN!74EOES#&myr5N|;Neur`GrV2Ld9}u7jUf5nhZgqq$~|R0qC3Ai3Jwv%(b*Ym z*dk0McU++*0}av?4sd>Lvd*G$!a;uUi~NA9_9tA6x=2n_+% zYBUA19+}0bt!S`#m2d`mU%cJ+-)Dd0&#nf~t8(wv3i*DiavvxS^r5c{q11}C2#Zx2 z5mHW8H(X;zDp6;873o<*P+tfJ7f%w;rT0Zq&6`4sf!>NbuaNd|dJlAJu*{f;GYSc( zJq*)(mP}et@1npwh7ShL)}L*>3$%AJn=(EfVct!4d*6BK3Flfa7cM-2ytLnbRUsl= zCAD!$7}$N$ZEo+Ni%4>|2phBCxO%>i;GAI36xzc{y#Gn~qVEv{AAxHqJmWNN_z>@K zp7v>*%r$7_t;hu}q}QqNOaMcWmWHN4DHE2;+w>4>v}G{O4F>lxr5Qaz*7iS3_MvTU zgTg0yuv6E|lUG7Eo$@*{pVT5$lR<4y&WEPT{akLACzYbhk^SHjhJlBw;VA) z_iM(lt=`itl(4?!4_=%)CEbCZbB%LLrCcFfAGu!zj<9b{s3=~26!78L>kH{Jm&)u2 zFL+ODPpuo7*}(9y@ZlI|r{tamFJxy@$->1QG{9u zFOIwDtT`);%Z`3`@)jEM9U^dJxCmubfO$&zR4LjSQjU=LZI|kcq`X@jrA4m3#YGSl zjWe>qum1U~4)BT(yU-%$gpCl`QIcjq$#tKI;dQTCs(j76L&bt*~*c)Qub*(u6)A@aVGs;oZCPI$P&}k{%5{`4A02-Qq7V&!8zF?A>lDIMUNcQOz4-kn~@7uZ2BpV0Ljrfv~LB?K*1W3dKQu z-yTwGM7xhk26$WiJOOz2Ei*2QE|<>E>w_KT$y`0w`XLoT-#w1y2hto1>)vZoe(a!x zsaxNRBty+PiYEO{IG+RdGK{|J`M@|zAcLkWVUUJ)nVkJ}A{nAr1wUr!n6+BIe;1A@ zN#8HC8`|Ky`*dK}Jt7$%eM@=wlgS$;Hu^&Qhh8~EwzD>rN*`9?-i!>xBFjFi2p8DK zWn{xND4$P~Q=vQ?YnTaI!)^=H&2Xl^M1EDcx5M66WXq}|t+aLdWQ@)?|c;!<=RI zy!k-DTJ!IIaEGe6I2ST`0AD;xO96`%_<^E8eLr#&lS1=-r)4(ULkY>H^;XC4p!K81 zjr^Wl>{1mYwJ1W@@-I5zJb*q+xL3sI>iKKKC0cb&v3#ZZdY>3CA9jHP_`*~QQOVdc z57Wti5Z+`N)|XeAg8{fZIyc8OasKt}TST2lTb=s>B!SXHJswWdYT)OGuLip#lWtrF 
zwcgEaL$x-*ut+6cb;!lIr#Gfv;g60DhAgv9k)+WZiEnYO=mTmduaQJhGCmNEmeaB2 z&8JCXa>G zj#nv1x7Id`vvLAY34t_e&PfG!xqJN@Y0ELA9EbE;o<_h+eH>dh~!jHg=`n$7EzlGpm(9CXnA{c`4F>jaTV2) zF=jWJ?&%=X?mo+LoWl_Llc7pDDiRsV)29*9V^(*X)e700h2O2OoJ#>;F+!7_*P7oV z1X*J(FErcUoT}=-izmakOhliof@Zj)!jQc9g8_>Nhsi69Ebe@`%-!hijnxd2U5H+X{T3CODZtBOZfk5OXr^(8bY@oZ;KG2K>PpxYE(=GIAzbmDODWm7d$(byCS59t- z6K9}J+AQ9AjB^Zm^|Xvn_a5q}2IS!+eg}l;$5)Q@PqgbVkqtt4$^7aWx5|y-m)?if z<+Q!cL(Dp;x!EVaK|lvp9ff|c+IN`93;ra5eC=DBYU%{bUPDCwjDVgA+n3?YcUMfS zk)~)74fcsE^7U<9V-)EhF3ITe?~#M-P-Yk_9X)fNjCY*M*b>qNTyhHeKp8B<{I`#G zrBFV?Lk4x_k7yx}C6K)ys=E%kJ$Pm{O-5av@?08zr)^t?#qM-WKom-pt0F>a zc!5*f?6@&+`h$){Fd+Do932@On2Xqy-#;a5pzm58oioOHY7a^AVTQM1vSQ-&hJ97o z4-%qnf_=U@B;TbH4~nQouIXB-#R*cMBeC-Ca4x<%waV3>p!slp`eCcFt$4j{T)k^A zGU2Vqgk6;)C`V2wlTCqO;UUtfU+tssUPrLIngM!*XxvSU_ER;E=U)8xrW0cphb-;p zlrdR1XAqtr0*uu~M^*I|Dd{c}Ouz@?@*MoKN?WDgdE=A=+e6()R7RaAYi-tg;dq@8iSni6Hi+5t7fQ*Gd?*@f7;27n_I8IWlONuZQMbT(Y1`R|($? z`CZFdE@>@Er1eN*u&`lNjhe2x`7`Rv6Ds_j9`rV&lnVJ^oL!K+x%8l>h;W zqa@dve&P-xi7&F#Sug3<(r(CJMo$@lhrU56<)g{bLT$?yaO<*E7LJ-&^?Wt#&wMP2{)Cd`IJ+Szsz_!EWS=u~65U&!b`U|)oh!tjeHnXnuj=ETN8%>7;8KZ4u z(CC*Ws7yP7zxU=lF%F5tT#`U>Ki1@@Bc7Qrs-z1(9d}auW$!~1*ylD5CH%*&xV%S6 za<>Wxx(yImeoNgd$Vj>xT2ixx#YkKsTgHNCzp>8-e<@E5plZRSg4cO0@f#c_ByNCM zx>NBlH>|8I>GqEI5n-uA%4?^)4DLA}zQ1}Mw0#QL*AzU)srL>)@=98B9ss=|fUh-s zCYgK?T326xeK31`IA7BOuard%$m*Fc!S`%KUT9cmRX<-5x2TtSOIB@bbXS{&N6Ez9 z$x-9_;}co-VwCk`fv|U|*lu@(1G& z@O(mDB|H6>m(AC<3lU_Q(@^xTyXy{mGG4IJZpNR_e8 zT%_U@4LqbdG?pF)qVvP|?8%{1XhUJKiA*EUQ<+~e3JgBPTyl%4%oJsi`uR)8-etr? 
zgosn4m2kw?}|b*v|(}Dadj@zVX2Mj9RI?v#I_OxsQDJhRW)&5*#NVh zsOhs4`f@(N4z|PuKON@M<_$N;cY2#p;qqaD-1A@C-K2V!pLa;IASH4cxuLfTEj%(U zK4ki6gNW=ncpuk~9Nluyli?!5ma4ftqTgN3_FR$&Eo5}L z9Co&TRXhuW*X|$UROcx`Y_I8bI7pX=(=vCEr$_d{#nChS?l_tiWTnCytQ8Q33Qt2- z$;+Q~9{EPM1`$sxIyC};`HL#_-w4dyT+&p2RLe2YI5I`yBZTfhHkTf!lE8F@p3N3J-7J~S{?^UUt6eU-#qMQ^l?$MOp#1__ zoU3~g@c0dx{M$JSdaD9JYn*VO&C3GfDW_H?UuBAwbKb|M%0iXTx@5zlNypvCR_x;S z{{HH@ER$eZjRj|HyL>O&V71<~0YIvS`I|nXo)a-z=m*v7t--b;rEQCe;pwF&rtrdc1p$36^5`uD4&uq-eOXsWJk zf~9XAtj4w9YwHNCd};2OBMC^Id+1^rjS(zecqBrcUy47%68V5FIY*!!Sj2f3$FFqt z*doXf5MV^HMjQApFYAxarQkM>a)59)!6-UbiDFE!5Y3HpRforQpa8YT;S`Q(tS-C1*8 zyVkf;x4b1Nls}0}^2*j(;>~?nGpXJB6p9#-l7tzACV#1Kb)X=>@>pwi^(e^vj1yJ7 zO4GuMj($=C1p9CvdPr*3lVp3w3nso03{3VAnXL^QliAu&B6|%}1VI|Cmgz1l%u-Y& zZsqY-b!!1HthR?z+S}W`hQPT}5d(dFcAWO0BHNP;__RAL={$#+k@o;4D%AiXKg1N` zEP`L8gjqn`83TUm_g_k0nHe?~cFI?z4Urw81{}qj#s|NW7bBy~7Kn3;3pmTkj>>9( zm~o$`2w$NUW*cDlL+FuQtR=#S1ypWto3a>8B|*_a%;^;rFdo9nb!+KcZce=-f+PuJ z13Rd!W-#e>E^%yVK(ebZzej`U`#4R?iDy@th7H;ju&m@vgX8kc0Y#r#?r*E<1?a~N z(v@;g%e)^hMCFSmqjKQ$mN^GQ3JhUOiwq9Wq&{ zbo>$~p<%u35??u(EDXZE7h|VGwn+>Q=hy+dz9GSud;`roENdwfp3EBgk^{YaL1+1e zd2!x<^`1jl3;#6T;gMV$ipF;wR0`(I!I~Xm+-Swq&8RnfjUItT_5MTBusJ}RcRIWG8;q?(6qWh-Xii=Uh?)$p+1Y2Ru`>z+=2cO zYadBlbAAkw+q!G(Z*7w9ySK-1S{`uewdnK@{3FQZ)uT9@Y1t6c5D{9tF*Fe#AeB>` zLj8}qNnd1bP~Aa+Sib-)zx80n=Wx3Kzlhmq~0!z%mEz zzemy&z-X>dKOH*B1qTg50iwa{uS$xdF17ecvQ&4Rcpdoa> z^+jcwg)zax!^6{g?Q`y*JNwqA>rGFCa(Ty$r1%mY)=*7^K?BOX=11C7t~`jLSZmG= zrP*o@J|k3RBRaF$DzC$aX3>%N6?HQYl70Zk0OJuW5%#_$2N=JcpUJ|4Q8E6h--bhGYgpR9eKHrxKCYvjppuEe>LA@ zKX_ydc!d@U?!bn#Q@R;mf50w@xJND2)P&4_yOAW8mTJ^n10M0E&qff}uD5{E#Yh^^ zng9L^&`7Hi(f#K_+cLgFOYf*Ky$tc+ihSVl)#T!WTCslcCNT7j7}m83#QW;u(WKKr zuqPqI|| zB*Ll;xRh%{Z(P!t$&sV}NZQ^3ggG~W@Nf^`dhotD>Nl_3Opx}cE3|>8Z&DO0h!CQWdh6R$48I$MceMnt%aA~?lLTOzUzHCFKA#oQIdjt- zUwJB}TAGnFoe|{ntOI)Lg)Hy#-ea1*ld2q9u6eYxt}Eu6U6r-YEozPBza?_sx1^vT zX`EC%#t~*7epuj)YLAFD$s7(Xze*$ zjh8RtwQzsGF|oGW$=KrYv#BI+`})ghzGmU>0+_UO`l`DmX>&xId@{&%B^Yzf0ZjdL 
z=fu?sv6?7vJmvWV_DDR}p#`bN7pVn@iR4%&j-)+}ue4|V9LV6;-Jphs^n=@Ohi#z) z;I^A?_A)JO=PoX}>E*1*6NFk;9y6_CzhGw;^sXUR@q23`t`lZzVa^ZVV8W|#CF9Cu zV*ro4#d?s94!^}ma9EHbzP!c*Pagx%(*#k@(EzqBM)B4;3Wm89!xcJgxbncapGmob^ z{E%Y)Sn!rQv*n4ZbL{KCTIJM~n}m#8uFC1)e?;XJ1>B8DMZ8XkiCLqANxULZO-WCe zamrD}f0BsmIM73uF8;{7>NyhhNuFfYOw8+enSYq_f6ig;+#LFwox%2H$$1cpxv4ri+wUVw69B2MM8&NRI(m-e>RxgF>wQ|{?RGJpK&qywg}W=wlZ zh(}XoyYSc-#)UDEVWmDeGXzh0?8ei<0jx-$rcFw?MjGRB*hkpSpBbr0zw-?&Oywu0 zm-UN>;|ADRSkUBtZ^!E%Ab}Hs8UUdVCj~Q$UTI!dAR8V%+qYs(26%~`9g~#mc;giV zU>sOW*8a9R;Qa{OW4k&UQI#9n0hSH!4c#J@kPnm}ABYD7!T{xHY)YGhmJUg0rultf z?^7~;tDzLmt053BqkoyEQ>L&CHwfX?D7doWrJV!w^xpWt<;U&c2}*bzs}>fc;0+z` zIXJS)%ZI0-A@We?Sv~!Ja8Rikyp^TIf2kdeX9No+8YO2_KlO%BA;i8Ev2l4S??{im zJF_)k_zDdEPWd{d;Ow3Tq^f=lkd&3}S#8JF{@gop51DL`+_)5;c|Azi6auK~X!=V( zkoW2&!q1978`a3-C&Rvw&$vv2QGoGxTv+hx@>cQh!asu%BS$|N>n96&rJl=|FRJh_ z-$KzloO3X>X1`dlq#e@1)KM@;-7lBt)3;>Z?nO$=waZvj25|=(xwLdJG!+(~^`FVZ z1O~T4da`7{lcoksou%yyf~uvJ4+#rGe`<3%Y;GV(kYw*rfS_w$(Bd{v3{2zKgR@IG zKa+84cd2jJv-P-fS}rSY3V)9)%o(oXiFUXRnYj%lg{xa<76I?%w8)Ji?ap(IwiMrQ z8Rv5`Bkn=1Jk2f(Z#Ry0l<;5s(`6fer);C$aYFqY>2u_V1Uc*=VFezIQGliG=w7;_G(!*$B{zINZ3-UyYts#o z1T2q%#5r_(J12&g%5nWdrg9VB$?zk8E@s{T<8evW+P3$=nDkUg4V=6mU?o5<=<2!k zj~8w(8$r`7WbN8_EIEohsowz@X}rBQ~p<%{Z3@ zeE|LV+{7zH9e;a>hO5rz@kOn=)xZ0k!J#l}|BH_7ez?|k%k1-AhoKjxwe-s|EG`s9 zvCf;LX!wo?f^#;+baaRY1_2a;Ex~`AGNjPHD^YxeI(T}HD?jd`7*cOEw!k@n_IAd! 
zB_%K!6GG{Jqr)ZhLaKygbb_Ad`ys-&&QD)WrU*MPF{K(4Kt)6yVFx6?R76I*#aRr3zq4J^303T?<(ZU^6;OB0qF z1l3G_nYn#HRWCm0e}q%0iC#WYM)RC^1POknzwHQ`vllGdS3;(DzO5{=rrk=L45|A| z%^QySf5eYG9xDO-X3~Ii&4&vQm@efnw<+)@NKxZ@DE#c!`Ml^Qo8|DR{W!0>JWO~# z@1+`AGmR=ncl5@`_RDk#Ea8h_QPK)IBQ>!gZ; zN&u>FS-K+$b5=#l{8^ft?wJqY>J~iyc33))p^qJIFlaaue{AS%jMET{9QQ-DE;Icd zFzzy7nZa15x$9f;rhn=F2(oK`O{hrrQ#R2?Tq)lkNYD0K5T?(S_1IVL2R4PGpESBu zP$JR!r55X`Kt=Pa*oB|RoKVs6STni?ewgCOn=4ID8f_dupRY&`)w)8u&tEc2q7bco z@`?~-%^(Q=$=-P9`?)PH$9)v6tT_C_RS>K?JBbNVW4F~R^H{=r{WS~_+$SzY%9i=+ zO**P(zv*&*=6;E*K-Rk z6)vHHyoZZmq0>*KtiNu@1`1_vP)g@*7lxcW`SZUMA^R5gED|c(S?lb91Swm=1QpPk z1)emP>ry@;HD}X+FwOxnYZ)Q8;E46iv-e8yG!Ly(Nt3aIvW-lGB+N_b+YTa3n@@Hn zb(lOA9*#<|&St`}??0NhRT&=&%GzE7&Mv?5(h{*HpB8hN;;(H&kk|qS*K#1g*RCeW z1lLCZHaz_w%;NyolyeDy_csKijIBL5P}tWS$g3Go0=)a9L!zZ9?ABVcfK<+wiu`GE+KKg-19rGaV^Eukd9P| zxGl*|MlS*0;YT9z)M@#a~Gg5N?6sq$G;)t zrk!12MM3cTK}B#fzh?JQ@)ryK1_D+3wj7{W1XNZ9xCYEW>uvW(<>ukJ=LgLcWa$@J z!veOiq{kJ9j=B0O80uT2&{I1uhBuGDtvn%*I*qTGLp;Ue+Vtbm8kK(znMvnj!6?TKVeY2*j7cxl7Vsp7tV&8vx|k2hT(af)$wFFQ~gMUr}5Z~ z*0HR2(@M6vKOF5nxbWgf$_h>ELf8Aufkof-Z<|HztB^O_z)6aCHZ{S3BfhbL2jDoE zF>t$y(&qGG!e^K(h;4Y`w=1wld`Or%O`H*)bi#h?6wyb$$z4{sxIlpk{O;9d40yfn zxD2*|&gDx`^mr@}h1q12@a#+ytprQ8x*T6sU3WbkEr+9D z8=pFrm4>`?%F0v78CrbrTM+Z9irl4#nintF*5fFHwQ@O(VEy+}1D~M5AGyJYor&xz zxzEafJtF~tZ;gxfX4~$A8~f@=*n3$9lFHw~fI!J<)S?tBATOx` z!88euri1|Vj5-_u;(|SA)j5F7W>ii(xoZ~2xqqJ+JxTp@Emh_>$J}#AanKr`k*Ayn?rMB`Qq7JJ2Z77fM{0vZqEmIXi96!(C{9 zW3vjhX8vQ|SfNVF)@4mktCejp%;lx0EB}}c*b3KnMxWNPRM(pZQSEPix*Gvs`Caf_ z$U(w5?LT_2ty}G@rw)Ejq6TUIgDrs@j`aV4&2VP76e)|aszmG7%i}AXmU|#7gKW0rYZ%*i~RB(kc(E%|1=yu)UYwF zmFmW$mLWXm5bxYuZ@0mlo|VcxJR3mH(4klA#t;PcgV^Y0$AAvdG_GJd(rX*0|jC#gh0NY%P;E#`_>w| zq)trg&1G>7QMLGa=c0 zG_1$IrHm+l72C-%7M_{GsfdHR&aJ&PXz^r`15GQ?wbbB|1o2Zx_jj$KC6iYq3>{%X z>?qk9^J`QG6%^a$3h;a`3{e-6e`R@2+apiXrTDW;m8^Zfq~qn!pBWFHeQ-c70*W3% zb}pu>8jI^dui$p+Fq0D%eV+m-elGqjZo~3A)Qa+3jQ=x~Q5S!T~3o zF6*&zC{%WSbL1@O4wJrgG_$DD;SP@p+q{BedN7he@Gsh@0`Bmho_a$n;2LcUf4ldV 
z*jnl_Ph^9~4*50Q2cNUeanqCeHixcp8`U5*6={#6K3y~8v3^9EgQM!FLIr)`c%oe- zT{Z<`NX@U3ebH;I6s=N&INs8*Z;Xs!f#z#Do!=V>IIh%zf;;yh zYYESeQFi5XxKf0bPiG2}v3IJ1wgv+_nT!uv&_S@Td<@{4f~A5tSzkYTMm^4>uKblF z+%}XSy3T5H<`|(G%Kgj@1VPBDD7ch!HA=xeZ@SGe?!_`4%uGcM&7U%2o2P;X4mrz- zHi7V4&kX<)%asxY!!e)@D4*kY`0DC0+|Y0z!+@m|PolwC*!oeOh<6I6;{JhKnW1Fl zO-~U#J@>pI8Xt_$>Xd!p_iiDMZD}ZiSKkpXsNiKE;QNyWX!+K5-J0XPlo9g&qiS6& z;4vK#X5&Er0RCA+n-7M{!b?Kiosp}nTsUk8ZXE(29Ub*NuOW}F0pE5v*+wCo;E!QXmRs$?%O@YIDCy}Q!WO4=Z#>y{q~-OGeS;_pCr zAfz|h9@@XwFy7mUOxqtqs<+_GF&^Eq0*txnfVK9Ngx6G~_EWJovj zquy5*yWVzYN^WL#*C_v}8mOSV4uVFnL~ws6L{^!89Bl(p1fGzGIQjkv{x&xwNv z-=cW*xwt&`Oo_r$h+!E8P+!@>ir;!d9=#hxgc({5%FU|0b|`$bGEPLvd99e&~aOy-uwd$_oh!3&v7wwntYF zL5Sn*vfydRxU##Zk!XKwXrsR?CV&HNHRr8}!Su0!ZknLajQZQ|K;|J-w8WU+??=ko|lSO50XJSdG&1IX3JY zUKRkR8?Aotte~jclhL)Q&0uWcAZqSn;)UNZnJT=0GOh6OdCVUEE^6>FB8JK9Xr+^Xmh~wN^GDd<)S4=;Y%p`0 z%WSmn?;!h`5}RJ6zuz@p9U;sT8KDc)gNAgG=dIkl1@T9#Z+6jR3V;KE14OBuKHGWM zD-N9^2Q=`dA(RNm&uBw_zjy9fo1=eU+a;p(NkUMq_UN`Fg59*z3mM+L@tNw{NNr{o zyZhiEHEbSPmk7yja2G-1r!I-y*PQgCfVtY_nzf5>w6pew;9|+;UND@ssa1g#?73hPD$hG~aaz2)8nUF`Zp@wg}zh}455+tBQc{`gEkxSkD zCv$F&MR_kS7$mfq{(C zfGXj1X%w6c2_mK0aZ+U?GL@oX>}`TfX8I#sM%*IW!zis|cx|)ISjN=s+-7Wih;4vq z>?icxb;(C5XWWPvhiD^Mh!9t&Kk2}LSy`EXRK79XAcB5Yjm0M=UG<0ZIcyR%G|0ks zfQ0GdN4Swl@$w0=RhFy1-Yu7>5O`+Dhvpl7x3NgkE9i$h!eEe@cC_*ICCuJMdWjMu5*v#Ao^$@_yIy%$v6d?w>mtMtf zzH?`m=@Dy;u!YiczpOK;%QwakpN1O^f#Hy?#D+rf!+6bnQ6en+oY>2BbiG-L{+}0r zohBnhpeI#f)3BDDc}P(M^Nq(r_s$aLJp^ZRNU0AxlwtT7`cI?J51>lj4A?sG84Hms z(dv)W5T$6LtlzkGwU^93QotD*k{vIaugU%|ZE%>ogrfZyiIe&~ngQ&EYU1&$Bgzpt zb9VywAtXir;-!8tgGqRa!zT3rvu*}A>K8NnLLZbD9BGp;)(<1TywW!wT3VxAo45mO z$NcPGW4uNy)gMm2`Z1}SQLzT>qnw}xEfCMxbvnEbpdJ9f$5Iho>^uP7>EUHHkTUMr z1dRZXJc)stC@Th@v)36mG&99hE^z9b0e*44l&g}IA&Q{1 z3Jd_W-F>5(oMYrUC{?1<1!(P5Imh>bN60MAyg!*NXl1_gXW+q9N3A<5D#1s{2b`+mIj4TBI!S}QLEkxDdtwxlH{G&!aNxub%NwnWOPcK`5Pz!r^3 z;6VXJ#fJE-D~1&oY8F~&R8{xQ#+FjYn+QpS2-I6WtJe-jbcfxJ*@iLm;UWDp`{|q| z4Uap^4PHbaemc}})V?GT=mW#SFh6a^pfgGnN}1c0=UZDXK{fa5IXDw9;#dVvSfiK; 
z8ImQjG+AWq!%B)ywV)l zYTLtLn=2jYP6-boUC-S)YVxbtjQV)0}mB-8a&`X4W#msst=)V4W6==^$i}KZtgl|5W=M}zsHcFgV<%b*K9HGK<0$2ojERHqK~P=#Dr0F(R@ zm^iGvM(slO@o#nnpBA1cJJ2^wx_ttGQNhAn!(&YBVNvY9bU)SPIQVs5FQjqS=K;SK zz6HVgF!;c@95_LtDuh18AZ%bPIoB?Sfgk!_c9gBTZoSz_;Ym|Dl=c<0lq(8ae-6vFty_l7~!gi^#)%<9`#5 zHw}ss+#0ECAy`FCaQQO?96ELycaVNcoQBC1+O_YB{JVGu`flo(iXVwkb3JS#fO{u6 zxs@?tN1~!JfuY%a20wPDi9j{1Oz~9V^(gQ^d%>3-189i@gw68yfcq4*^!S*prNO{= zB|7OB=5@$%LKLOB@9cJ9{M-k?rqin`bm&+M6pS>7IKm9j9Mwn_ zTZmfG`h4<#Qvm-y_^)xVhR>4W!11QcWS%o~H!t-h7D(Y`_pQ=5;64%PPVLh5e|vyC zk)8N46CWn%-#m>^Hlh<_bVNmsI%-AudRsoTCM9*E;CI)BFF?<_uAzo$MypBW7!U|^ z&4Cp<6<(u-KML1r-uV8s|96Y_DeSp1pJ%v}?tHzkYBKk1-W(Tm^}hNfTyWrI))Z%T zl=&8QgasY@JVI$MhY8fO_~!f@W&yCr6@C$jm5|xoozzcG0>|CzK`Rt*4)Cd30I;c3 zhht64?&6I+rN4&&D$AFbkWy=FYn4~D%)ro4P!0QfRd5A*_@T0uN1$0Umh&K5E-8#ph-7D?-u#*mJ6OZRrHsvX^UN|Vy-iX4LH8i3>W_W zINwtQybw@(W%L*lfJHsYn3fEi|75(xQYix^2s6_cObzV^w+t~aWWEuD<+AS(ZMPOmwUv5&1D^M-2_KxCw-VXpf}? zKLC}PLwtI?i;T|kS$PyI*_cyY3FL|WV16hqLYw8Sc5vS-?r`&9P@Mk^Q8UiYp- zs)v@h^z%*enP4Qvd8UA%D^nQjz>1ni>a=zms5zfhA8yzKhQF?(j$7bdF;dpk>GWBS zag6%IdmF8XNN`jAacI;67>@||y_8385Y}t;^t1`JtzZFkBC4Uo|4(@aYDT&beB7U` zL7Ub6l4(*}wjLGK`(zM-BlrS1=zS-+v?wr1=4-Z`cGQj4M8HKnDZ84(#d3UdR2`b|_=d~zfK0^jN~X46 zDsm+~A}qY_Zw&?929~|~dHJ#*+}aNw216U(RWZ1Yj?94dL?>}peXP^J5x`C2m;%Bt68;nba+P}a@g2a2!@bzx!(=|Ul(-Kc--!U}{{K81PB7cP8QTN-E zedDlYA4l*QU;nk)=wc@Cd)3vEA_yb^!un^-A60d~6!+~^Bo^pje}Ls3ZjXdB(Sj(E zK%q7xf*v5_95Xh*@7?#SNM}-yu=+N^Ma_9Nu=WQ$evg9jRCn($YT1VRcQFgf=G8@S6}DU!x+OEi8=_{@cqf`U;QB)iPO(_y?WyqvNr-B!H` z9z8YL0QIY6a!}>HF%7`M?SwM@+_s;e>E2WcRl4uP@&W7Feb;o4oe;ftcJ3n;b+s9s zjwOb??3FAol84LRsIwg!^#b{%gB16;+1Cq()>ntDI)@*xPK`!jz;*a0wCyuex1+Wk zoK)zyq@-kmMYfRvGtw7j>)MzoNmJMcDGfRrt!#;P6Wq0yGYrxj{#2f&;Aj=xdgeBD zJm0xr$W9fx-g=~K?e-&|f=fqInYF}zp{)sUiWGv)*dpsl`xiHz1gU zb@$LXLN-~Cfe7==;Qc|^N+LPFM4Wua1E~{nrDYI*inW{OP8MzH_iDTRWDtkPBrCNp zbJ-EJDIeayM>Y3p;~lLb>RCHYm-)*MsC6e}D4~^6%-qr!v#Hml>X~_lLkMV8H1GRC4OK$OtFH^i*Rdu4zFc zgd6AQQvL&X>CWcMKF>~IL0(+0V1}3&y 
zI>5JzC5riDWj*^z1{{_3Q60}J?XId~g?=S8O>g&IBCW{H!$@edFSj+Z%SD3-h$_3uMSl8~#rOA~NXp}L5(xn%ZL5?PKGn)(cUeO3MOqO2Zi85etX zZL?lMKLSf4kz22T%(IW41SPRGZY2ON&nYofOoO8^lR&gC9cbczHnI-|A@LoOf@`2x zkKfsj=IKUV0vUdk}43|}X2)WA%9WPWgrjbEd`zf@bPUd#n2 zF>`JOeD0(2IwF{OhRBZpt{AY8Wg?)a6T2d$?5-quHs0qlLOF8v z;6`4#=|Fb{k`IUl@b?lvyAJhVVvM5rZX5F}4-JzXNNq^1sA>&b(RUUV76&2i@i%G( zM2tW+_l@9ZfQ%=Q4=ki+GRu)5%4M+PhEJ=sJv!d%;jE%i>omT}DIRdBKi_S zPFtkk{w{>C|1ps01=FU13Jb{>rB2Mss#e1e4Rn)0?6 zm@*I}zRQF^ls5(6EiR3aR(G7>l(1|z4@j84b5z;>?Twxr#q&Q5wawx>Md6U%6L5VZ zv>t3F0S`+Qp8t#Ek#+_7x9evI;%fbgU5)U`cM6+@j&og1ATmPkzYG0UTn0u4JHrn! z5h=7oG1A4h2%4J**1BLpU+(_&pt-hF?*yt7DwUOVWGdq9(1=)Uvba4BewJ|cVkiM&H#{% z6ld-XlFlLzKmiYduGUtkm_>`H5B~<$^3ZxHkR^tzCcV>Nv}0%Tl>-kCR>ox5@mE%3#gPjlrG3M>4k*wZ&IuWwBmLCJ&i5uB z=Zngc>M+@DA^<$qoK??Us67$vNPX{u{xbOed+E=EbEMo8i{PP84bnU3BU-dnBEY`> zgi6;d0^17)_W+0l9y*y^F3643$v&a3rlTfds`z z?Pq*IgU}zd`UEn;)gK8u3k2cKkxtc_=mFk1x>OK#z|nUC;6MVdSP-ku7NTT~F#O=3 zHMmjni)c`JrZL@p)yW$ag(-6gS?UGJcK?<)jsGrSd7cxwH~6BLE%gb1n8Da91J$oB zZio5K8?@~4x;p$?qi%K&1;Y|zKP?QTxDgdjfvY7p%IKPy!m0g~%b%8fN$M=8C`clt5FF2K&G@Xap1N~NcF zXzI~?hj7EuQGK7oH@>M>DDFP`jUSzObVX$VP~WS2h-zyBT%l8fLRWSLhtzXv#STW3 zRoAg3tpg`P`p2%q@l>Y)+!$u+7&sY2Z%h6kgZK9cTyoVbYv#7wkIORkS{~*zH93l@ zhU~b61XNfsU4tg1ZN5>N@irUBb0$l&IJ|9>Rw(Jr7A~#pFQ}8;|8)#bX&}=2HX&e% zAhM@*GM+c_*?+9oxS?m(VivK~@9r7X9i0$-Q@(oTiAFw%t;ZkNYJtUqW^f^NEr<>` z$AY98CJqA&WhO%R=BEp-^&evJ-d%ss5u+F-9ga&-N$MHqVG6WJ-JI<|_G1HLTT2^@ z^(@%@D0o6-1erMbAAv$ym9M^kp#^IDe*^PtbugK+UOCfxXdNP+`Oez?9|LYwrEqr-h_z-I@oD){xCriB>|NY{XPX78RQ`-5j`rVg zslKOan{`%6gt1Hu$uxQb4-3C>fd6fp@|Sy2B0xh&bYwB_t`Wtb)X5E2QMX}8;e3SQ zEY{)o?GN6!<%CQOG5v)R`}0~Qnc0i52UIz90KL=oTmL8D|86V`=p%uRufUj^0Zv=45g*DLJ^p7Gt}(^U z99yf6S4;zbVHxKsXkb8`g)IVlnD7|0I zPaZ5LNe9q>HY;v%58{~LSI6**%GqkRci&wK@T|?yF2MTAV)>G%<-+{Cif4s7Q#&`) zd&Gp4t~F#$_K$6Qor|zBF`8;jX~x9ho6*p#etUQ%jJ0xAXvSmN`1Q;XouRI`AzCAdD?mS#Y91uMb2aS;k z|0W^{Y57t$e4s+S2p&OXn0F&`Eg2`E5CxY=k0O_=rpjU;GWIvMF3zz0EnpTzx~9y9 zA4vL(tZONsWaQyw_Mh~&o^mB{w>68?E+=8dn#k3?F^WL~j{J~96ZJR87sYO_9GOm} 
zWEot)7ioX9Rq+P_6HCZF7A5^u432Q^9CJ99!b{f#b2ZCM_a=096u)}1cHiBZh{Re1Tg`!GXSAd3wJ?`m$<1iF z^W*|Ux;w^nG$O~f_4*w%eA)ga-Nva#6`7d$D>8^sTu(3yhiTH~ci ziv%@6E!GtO{V z)9cs(Gz)FY2>fz7K~T`&x2;QkuPvJ$+6t%}S1fXvyqB^P^Hc<%$eA1}Q^I{Vz!wKp zdVqp!7R^Geys$GIO>6yGvEA^g1LJO~n+D^u_bh44`NI4U?Q`q-b1<1BCRr%%^nH^6 zke#P~T|3lngih2K)f>c}r;$`*M*hR8X=dD|!uJo_V{$E?h|P+58qzme>DqR$9{=p@USNK@<%!GHD8=d3o3~ttZQHHb(Nb%Pp6}zRP8sR_}%s zb(&$-9+A>PTyP*|Y9&-m7JSj%p!{#HBGv zqx_fIZxVG?D$Mj=F59QEag%m*!w?4>jh{j8YY;`@aqq?4+BdoAET&>&R^o#Rvzwxn zbZi=;aC_zNwdayUjk)JFsyk?e2IX&!R}Op32!V{)WO6g%jgk&Y_{Le7apxU7t!GG3 zQ}0xJUQJQHh`$;ayciO^*b}_ktG`@VzuG}uU9JdTWM8=-P0bX{Bwrr4&0HLo*Pkx2 z?~ppqW{K`uoE;QgZOt{L>VXq#OfMocUspD_2`qwLJwlP@OE)_@RObR-eKgQUeX+Qg zy-{x7&CWaKl-ok`;n@$kwV{Kd`$_8h;Cg3K{EyD6iHT+Z)5kqH5?b2!I_euO>bmvQ z9<2l&>{&kk>y>`Sc5Z&m6K`EAws zf^>k)bEX=9QvEcSIu0U|sF4fM($Wf}vM@LQo|n(e&cedP&XS*<{ob74e*ZnubQ5lV zwTq69kv1%BZAj4dvNG#xH&#&0LPzT3jqmIIT~Z*h1<|W7$+d@sZiwH0j#v6(9i_?49Z*_G z8I;HE+-Wc3@u#;vRaNV!Rq>gbuaAolob0qF^(&2t+dJffl4oxiEc=ec#c&_PKkjs}ZdWckIh5aQNtY;`X+>*k8$q-R!e=IDhfGun$@# z5uep-d3`Udn84!38IfQ|?2^UaIuUurh92Mf$G%_yOJ z@`t>*!I_jQV?|<~?l$(+;qc2ukw5jBv(;j}Amu?cgnT0Rnatpm8w8EJjv$&&+?iqx z3j>@tFbMOq^n)sji8GLNi30t!r5V9{0;$scb;sZG({%5^KvZRMtw7y{0+49~y3Sxg zJm0GX2Ge&kN6>db1=^t>D_(?b99Y#~mJhDmLc(4XO?%4c%7ikf9&@s=pN&E;`P@#F zYNiRuE|5_!n|^FX)|%F3H}s>+ZQ$5u!9EXK$_t)h3zpO^0WrQWFiaId?Ku6GF)m0D z3kwhCyaKgmn?Hb0{j9)KR+_Jdk1#Y1OGRBD_@N!uO&Bk_)ZLS&*_QbbxWBUvC>|Nv z9iHF>kUD`o}ZUlL^jYE5RQKM!6;YDH61Rt^R6xm8@^ zc^=<|m#-wbwnl^G5U+zk-l^{BH*!6!SvrJQtzRCb${!w-l7pZwC~w?=qzi03t( zj;{yD0VuUbEYD)&7%~ksr2^EgQ2;l@_V$<4JKurC3ui21w)oH(Lo)W^dU|fUFg7Zq zC47Q+h>e+onzCC)lUEyf^<;Q!F2*}kf)^)j=CLnNZ$YFz=&|P(0T|&LwlLI*!(?fq zM6fqLHG3@D``G~=?RWz?1(fQCLP6gI<;v@UHitAK6;auU$17;=?DLt;P+E|{K{pW( z3L^M8kSw#!fIGy5G~9uv6Y&#<(MEU)@>^;dsSoFwQweI zx;3d33a)9Y-owzLWI?V@sYlypY$lwATK_*6IxbdpTg!{lKxMX4~t^<16 z07bg)KV@blF+i6znsl>FuOevaUZy=coj;^_bp^50BC>=$w|j~k8z{qW^m%-Ky6K$ z4hxtwt>Ecy%+Wi7z77%UUx6%mnAVfUrOLv$E7$Yz!T$O;(5?%OC%o+zJN?~HXw 
zz3pEpBq!;`@xG!uIZu49s=`I$P0GtBDelAfOMo;@GOU9<5)d%VS-@n03$Gfl;Nsc6 zyqnN&5zM~at9-_-8{%{ukITVYD4Aci8uRHII-Y1w|4ZAfdK(5SN$S~NGY0AW3zfBD znDb>r=0?}69f9lrU&jvceQ7wq(wC_^7juc@U(DgoWx+}q@?!x&k9I$h!bjHA7jXbI zJKY2o9HFXMZajK4;ZJ&PvcY&uy{DOJ3zZ4IR#(TG&EM-fz=8Mu0G1x~v?R4cSLW*! z@1fGTEhzS>DQZ3{B=I6G^2oZf28goFVz6FW(n<25PV>95YIiG(a}OG-y2xi@p1NvU zc7qiv+|??YzCyinx?*3sn+{dC?UkpgQZ+%J9()^(xgt@H<=-A>#YDwqoioHdk zX)}iZ8`c4=jRn|Xl071W&(=gQi2F(95K+Y*%v+8lydH0$$*wkGNeYe(G_#^A_ujP@ z<#Z+eLWq2k=)uIpLb6qUwzn8#&q)6<7u5q9Lcg+9zxRNWQ&&X&SxIT|PC*48Kr@p4 zrfk4yI?yBs>w^Y#5h?_TeI=n<)ab)1LCX`F>~9iS>E)CPvGNsMn+sPj!Qa}y4L2_c zw-O|l0E7aV!U~Cs01$g7N(cX?fGCm=*K11Qy1%Yn?6m_4D59ddEc@I=t|eldrDv0s zqAPT5G!0>ELg6%j0z3J|-pu%Jv#z9#?OBbv_vD&^jyLk1{`}`$12qf-IDcH-zWA7A z29fi2?)EK!ni~{=JOF=>e+$gn<*1yyDQSCufMpY-wohk@KhF=-HLpWouzO1 z{_%j>lZhKg?)>`ZeMoD-3(FRSrdr9}Xn42D3b4<20-&2C+K5c!;_m&+{$79jZ*inv z-RShqM-68LCTsIgaB5)XR_SueQ(hF4kiMejFYdQ)h8|{mb7X$qaA| zW1-&rbdEZN^|-?j9I$krL-sxZVJ za(+_N!q!SSeJocwWKaE^SYW*}VkApl6GejMjHmzQ4t_RWe!_M7J`%*+ed9=C?SpS@ z6rgBvr_fBWaELiW>wI3@_*pP0uN+xJL9*ZVS@(+SZx{3%{Q9zpO<0Q6oeW&%l{l0biBsijOOlhc?I$|Ny@1N;Rz&;Yc8 z(3I%Vhi{rr!qg;yb|+wKE;G-p_!^=>?p~mtRivRPE~pra765XOqbA6r8Ax?dVGd~D zW_wOP+vD#%1fe5~Z~0`^9r)#CD}rUKYG?d;REx0X{89C{Pbc3T4lQ#(5CjYd6)(tf z2dC%yth}&n9;Y8oq9e@Zd?VlzjNPr% z*b;IM-8$IW3YcF-Y_20vOoPlj$p;J0kvV4dGf*;=qLNM^`4Y%EuC>6J+Ec9pVZb$C zb+tbU;%iFvyS&%emoYsPW=vm>xe`Dy*HP_HpFpIWJIDv|Dv@0qd~o8RsJ%aFW79Z* zQ$sVm#GhKSD}7eVTs(r!cRPKo_aL|(s$CGc0m!^k zm*9^MRWbLn5i*Q+{KqViR}@!sJwcirym|1&8n(L`VdYRI%v3rNi7k4WP@nFiKfAKgPXU2GxbsX?q7%Xmr-@v5*@5x z>-Miq5V8&FjKv3ib_fTGT6O4I{qzF~6Pp^giiMA~X(`X{scQdPa*xsZMN3221`8>i@S3Qx%58rNm%M?+j2=C<$w z0&ZHx<@gHw&rLe8JCI4+aT$QVfSs>Vt3MdI<(M&_}5So#c=oDV9ZZ~(lE0*Ae@ z(l+ku#I*{zUKz=k+TM4+1v#&n5-RPEa*uQf=H}~JQ4SlB#Of&g=pPdz$Frxu z3n>z&CxNu~Ki-@Jzd!g+g{1jeZyz#;5ebr8=v{gY+JftDVW-(qU_c8o%Nj+-;;iA_ zlQk~l)eKoLYxIAam3xdV^%B*dlWDBV(mu)Z|Mwa|6u@dw&6k z6`AgYlH!q;R$nCSC5cH0Gi-XRUh5Zwb=IO?xB1yvhCjDlzUQkKIW{dPed@ASA9Ae4 z6V)&4fZDRRT`9HgY 
zl@N1P4w+xStQUHTaRlRvyE`Fk;W)Fn0+)1uX$vyHF#WP(thxb=LZs_e4Cguq?#*u& z-i~RYDi#3l-GQyi!O!P}mhoH%w^n-PHiojwJ>H#ia+`l}pY%S0^9@&XeC?x#4zb^k z+-v&7M<2hid2oHF40nM}3G31?XGE>naq2i_Qkk;pR&tZGjU%uV?HA1)$y3Y^EI;23 z5Ky%1dfb=)eaK@X-Rad%ZC1^1nz+6sA^5(TmBzqni&^WTX8%@8rPV90a>I*f>n{(3 zI=_{Qep370m`o(##CNXMWY()CKUc#8GWVjR_h3Vshyzg1BAC&vmqA&R->Wj{M9!+) zb+7C~2hI<>$bUSADAVI%@5Lp5i-8ngkLao|Tg`UUIi+7%y98VBR=t5;GAc;TibY5L zO+5B%)(r@~_N1dlfu^SVry~W2nJD&SU8@A{#VKd!p^?~a79enUEivfhumBNrv6`uQ zc8s0y3P{9B-)R0a*z@B+=%XQm`_n1&i}yxf+r_JNJI%GC_DwP;60DHiy{2MWgh6Ge zm3)~^R(`fHTCr~52YQ$MIDU>6^aupe4MSX1()o}f?*A-#x8FI~o#$ZzgR@-QI!#&y z<5{Pfdh5YiF%aoe46cR}hnZoJjFoRYG=H|&!qtupq47KK-P^YybM3Lzm9%qv1{)K_ zfe{(@THos&VthB$udXLyv@dz)Y)Ptb=2dpb)&fD{@NDL9|1wOI<{Oy-+Q$I}C0h)p zoCQ#i@e?n_tc1_-9^@5SZa>Xt*$nx%RR#@^p)sy2uy05MdP1^T99esx%IPR`&~*V* zD-Eqr>3}no^&qDz)=FxeH~VLSpJPUSK?(fD4FAayJ1 z%{HAqMf6&rMvh~Bfopk2I59;Yzad~xW_c+(_;Dw19dJKP^?pWysjFUjY*D~_hVePC z*sH^y<6+9Me6HQe;_u3CwfR@08)z>6AU_W8uTD5_o8@-zKSiFVbeoLg-H$70H1flH z6IWc@U7mx@{*buri{qQVQTv7I16$t?Ga25E{4mh z>N=)&fxuKG$IpC9#Hi(rqKYo*I}A}hCVZm)6UzzQ&?8Oa21nUOAG~e7XSZ(=YZ0zS z1b+fO2D;XIk4uaAH=>Gc3cfgqzA!O9kuISvp(|l5iSyHvHal5QCzyY5rDR3mY4Uw! 
z%*Zjw>9thMG9*~CV>4{2m(sPINjI_9)e&bVic4lgP<_`Wb~9V1EZUo62fMK?d-~4( zsZx`bNlqEBBrD=WVUU~2%GuJH<9Eu$Wkk(dW^fm&JcHadqUs$R&e02Z!AUCf3|3C) z+kyAu(HBfc>8X(}KYfczbLW^aUEr(GkzT6roXmy5kFp_|?a*xng^$qb{;>+qc_0B3 zI$j)ROkXh2fIsTJ8ismu@?Ma`D&JCZyP&F0Tw`f`qI}~VDy;SR&?dSK3X8*sC)R^% zH8ji==q+_lzj)MSHpKqy;C5Py`JJ2QJT7pK(f_+>Sw2YAS>P63AkozwZG*0osi8+x zmSMY)Qz*26o8eDR-br<<@yBCvcLN6ew;2Il%IC89=d$Ew2<&wPHgT(Kcj4oCqE&oj z?#)|-ThD$WVny-^lXlo_O*krE2E=@Fsq7Xs3fh({rOZQ>GiY_G_fbBIsa(RE^TBgr zAlk9F_MHDp=q%g0&ktFKPwfjk>!o(9L&}H(mLfl%6KIivHS}JX`B&HF z%|0m3cLGtUFM>zsmK%x)Bqb%f@BOe@^DxLrnKL0#hhTeuy>|hv*QB|0Yb!);&fI!U6zGg&0D{D(3%NEnPxfDqnn7R~26~vqiUSOYQ|7|(1 z$8YQ!nv_x)h@k;osh7QRoLTmW=>yIR@fSob`N1N~*NfvL znahQy9JU{Cdlu5V*y?i>P59M+T&by8o%giFo*yN%T&`ScJJ?N;dRCUG>V>Emzp_|Tok^QT5UH;(vi0w1YCJXtplOrqxt5)03W78q6c6xgP z26sI<&|ap>z)ui@buI^bg5MdnF1MOIb9mPB>+LJ4$amPaZ*ODGOMhf(AgU$JF0()3 zDwl9&qY!=gx_e~4%6{qTFyVpDl=>2!lwC0PIs2F68_1@U$z{})%xb~W%+2~6H>Aw` z(-kXkOC{FJrJnJxg62~C@UStw$T9)Ewg;td?%jE23kj-uNK@p&{go&`(SFR>tSk{XcBrwQ-~(_ymw^PQEZYa)VD}% z_;Fa$MA^Z{w*zthpAZE7oY%uThWOah^TKl<#U*Mcp09DLg;o&VKIh5dy~Kk_196-h z_x`4|r(!3zV@}`c>UsLqV(AH!o$ zBM1r>cyUos;$prC8XMidb?5%=CoQc)k%8CNQ>qJEq5eSew1ZwR<~-<-bB3GSn)|%@ zSZsS^mOGf5`-@lMEs0{y1>fP53UA@p92;L3d!I!+FYkj-ihFzS;l;ih|6r9+HAMY% zvRF6uRv>;~dJM^JOg*WopE>7QqvMmi3y(t6BKhBs&8K}!z-kD|ROtH6HK}IR!vOTJ zAzc77ro+L({UvfrZ@Hdr$UV$`rlc+|)aB5l`7;#p28Ljt5EB(#F#Ls#kSy$bpc&Er zgXQvuJX8-{81`37A11IewBOwN4S$;*yC_`c)%+qih{oBlug~??bHvdwsuBDZ@HrFo3$p*ouD| zQ>um0Q}rjU`FZAPLyYuK>h4zKQB1g>Z@gLrFKDWj-G6?6$X$6!zQ!w@AKP-?%nFou zzpsHOM3!R!uqEe3JRA@CCogPLs6M~LOKf|_m%|4ey(%#)WwdJ1spy0JO*L!y=WeUmS0_ucdE2I?(aVA(z& zEKi!JMhFM1VgK~2hTP`M%AL`u^E~R_gx=pPDvLEde+==rmpr3yD#a*0a=_&Kl)pzd zUw-#zYU3L@bG2iTLmt6?(8zoF1qc&_4fNb|HR4g8fEiYEv)TC9SH-j$-((d#rgc_r z?6?ulSp4an#<9^|lr*g#LpDT~?d6$dzYIT&MDtxB&4UST<({ng1?OHe&`Yi!*nL;_ z{vx;o{U^J1A&t6-;B!UGDg3jgSl2qiQtrnP2Hlcm#g7C8Pl6TkC4;wG3z$so&Jugp z<{rR(9~0%vk!)7inUf?!31YfR5<+o>BgLv<48tbFb58eKV z=o`1h!yUX%O-?jJJ?PBV^U;1!j^d4P+)EvL>1pz|46P)sX-&}I7~4r#3}5y> 
z8&}ko_Q0E9`h4WGnY6r2&QI2^t{DsnJ zx{+ILE-VpWlyRmxC9=TF7EI}`l%O~EELC{8Smc@U=nO3y11*aUO%l{hb#?em$Zlr9 zhehVlhfBH0F&(l9zqm8`t1bU)J5y+oCPXXctg{G4Gf8WNbkKdDaicVy06(3U zM=*1*eNtyXNIIvu(^zD8<;ry*FVYaVQ`^;Ex4A5MvhWL2fftu>+>!(?xMLh^zd3|Q zBH(@nQ8Vx(T<@^Fd3vN>v;H1!<1p^IoN3=9E4t2^2PON2t*%e%yHpBZ!5;7=A1`(M zdN6s|*f`{%`#@y;*-v!pa3?9sF{aPnVdHk)sX6@n-zlcQ8r{<=O?(q-62knUvT5dl zlOVk?P461zX_8i%^u@fBcLI(|y-RAzx8NC^8K(XWf{36L6O{L977(cN>B*`qX=X`_ z#r=u;p!C-&FecTRM(8#deWKGPasyFIqp;uO5cpspn#*4l?8H{*fil?@R+m_YUo41?E;fO=e^L6CoN$ z?PV3jDT^Q@9pN}3S(Weo;LKm+ri;edM>6kyf5n_`pRYF)zIe-n*x`F`$HmdysxbG6 zA402z?i9e0=rs4DJ^fm=Kx&maP=zPf6*_JVN|Xj zpfUR3qna_eZpBuI(j1gP3!_Jk;V#m5Kir04)Mv7Cpv>FTm-hcDZ)EE^*UPf%ub%g@ zeD@t7R=Cp_6(*Bd2&SiJGYUlul2&}ZipQ-I!@M+5M9+L>NJ^rcA5&LmSRWkAi-ZMkR&K_okpGu+`36 z6@~Gd-=lr|0fe3T{RKfrV9UaUN=48LWH8tlq_cmwt7yXaA$I(Qde94-H&mvhiuY21&cb9M?svoZG zS2<4ONBQTU5kBk0{N=sUz}UM8w#dTwd>VMWj`2zMtvn&@`KRQizYr76R>7_q%CNEd zyCLJ`5}qdAR7;P#Z2O-R5TxQ0&5c@r_{cHW6}ly^c)ql4kd}k1TZ7X>RS{&T@9M-C zUZ(suj*nH%1Qimdspi|A8qP_iLCkco(R^q$I_tV|E~^Vg{(e(^v>_|+1+;1rg8d7^ zwT``#7BQ@x_V9h4Rx;(R14ec6{5utE~UBdUYq8s8cd!SLq zEiRZoA*Li(TXSQrY4qWeV@tta=AZJ$?__A_(jcT zM_irHBD823(V5YoUc6CIPO#YeFmGQ}PZXV9^VM3nNf4*gmz~pkS@?tJ9nzij`zJKE zh=3WeT3CyP56W{xSN?M-BV4qo#+N5uaK1EXqj+fM&!GM2VxH^pOg6be#E4HSJc{Jf z1tD(hWHAf=?Vx^XYRy3CANnM0*5j53I}>@38^Lw}YjXO5f2XGMTV)k@Oi%+aWUdh-{7Hbl=AkT(SUIC^%V%u0Bx#%9W2ZQy=A$PbVWEfgnx^62z>s5DOE%YtL z@*6#4O!8*>#fi1Dvgo5(Gde-EglO*b#XJ{@lRQ;Ca#b)7@eXQ;&Dkw4OH!&yeZS%5 zC#K{_B}hw=cC3;2*c`Zn!-#@LB{kLs*Ep{a?8)%O8vbJNy2~AJL`LM0r6{2Xsyo`d z%~$MH!StH-p2)Gl4mNiv&_A)8K-qN}ajzrUReo{ypk8m6dRdJkpC*fU_mtY+o z$SuYZ3>0@-e4GWNX786OdibNp_3SPe(PW-3D--E^+vZ|fpNWZJc1r zrg&NVK9hOn+&#m@yPWQp{>Wj4{!8d=*NdO{zD}`pt7Qk#Tg>-IXPM(8C7(D%uvWb; zO!HXj7#KCmtO?tebK-lQhXV|K+}t;zqruLU#8t6|z-CWjm=_?+EO`~F#57Uo^}XlJ z-C^c(ld|HaPf;clRK(W5fzFH2r}@E$CiP$z3?Eual^7$)ZjZRiC0HR7GZ|G)I*gZb zC>Z`&D3t#Z$$OR%rPl8KNJjc>v5M+vkR2tW%Dw%#UjU9U{<0-cIYg!-E@&$BkB+C< z$?fI}xa4NHxldIofMNr!^~z|v)q3ssa{$qZ2%j~1V~nz%+iC()2aT>Ws-@-xQv>x! 
zE-%8NH3bjLxE0jt+fv`qE7K>07(E$866b1EZpSkgvquMg^U8hpIz?fyax^|-`0G7FFmXJb&Dy`E|LE>{NmE%wA($T^_ zT`MlSmH2;Ur*C21RiDuJpV;I^5d zY`c!k}P!p04SA5?JKoe2Fqf_M)>Q`vzT7&y3G_956B@N&b!av*a;c)!rN$y zNB(a3HRjDok4a?UCD`hn zj?8wd?$`%gFoh!|vp=2eH}%z{bMYniY!O+6r`)g}r~Tn5E{P2`IM9R+;{qBukm%vG zNj|QswG5*!!FtgZhL%D#)^nKOOYTb1hoNEMUA61ehZfD+KRi0!* z@xre%(OR;WsZIS%jOoshC)uRbLjEH!HhZ1)(E*y7Wh(Ts|C4!4bejqJ3NE) zlvAFklM)6hPdM7YX8p$#*E_ChDMTN+CCe{Ap;Zu7u3$b_e7_gv^SY>B^Zo+Y(x_GA z!>85+-U83fCA70qt12zA6bS0x;h}IccB%v|GDZb$QnL!pw2msOM^Yv~EWz20ie~bn zvF@iq7vG0`WcoHiCjxGn3w~-{*P476P8&2zamW4M#c$zCJL5xe#ml)Gyxc~hBjHcL z;i7@@POjh-R8Fmh+H77`ee%mle!i4oHwv(=HJ8!6 zJQy@LAnKD?G(AH@P(blx9q6CBmJH|fzmvH`A6A=TRTg4=uQm~)3an$2{%Ter=eMc!MafQ^`4Y!IO36BX*?zcCOAbQik8i)cZIq^)sd<2=R}>T?D~-u( zz$Ps7mAVbfT#*2M9wGWZ)9J-eN-8-f2*TU-iHu?CPTss$q!pnB-Y0x+$@iZ*eo|fG zceyzty+44{)zb)pv9s}wowh+<(e@zmADvO(sMIz%p^EI=amzwJAoGM~|KUuJhbNdh+)$bRJKE6~A&N3$1?_z{0lnj$! zI)P9FkJ_lZS?jV)k95u;hEE-c0^R__J~v44%vXOpsdQ8>=$jpJflt69*NBX$K#V5W zb6_rZO@@cdH6ykuuEZcgFpaqKp;O*H*A;urim^F8vQCvF{$uHHkr6*E-tD~#U%b^Q z6YxyooXM;W5?|^rmG22!o?oiRUmJ1?CgB*1vFNGIKP?7+5wGC3Ymh8k!Rffc&T7=9>wwYQzL z&Tohu&@Md^Ka}rxi7PYGmthWlLN1ldpo^yVdALlfrj`7;Pw3R=95yVh%AC_o3zFrX zQb|A06M=8aDU{L_l9uB@z3@-&fHMe%*qYb|!1+u@tt6ShUQtXx0(w=XZSM{G^6=Mc$TmFu`j&}k$h&qCfg<(@rclYra6;dTZ+4#?B2Mvs zfFLYG&rQopJCjb5{v-Mrbt=(oi4T_vJ(=ddHqg)*C$hY4 zfzb=+97pO$vZng_(fvfNKs<*vkA@Uzk_KWfNZ`#dS)e>-W~;^o1UG*$hMm=z7ym8OtskBOf} z{JBjUm@obFZU&WD0j3{@6SP zsK}~B6VXf$CEJ%!p}0<_Ff!aqb%NMOo6$<~*0gt)pZ(h4qptaia}TxrwiF%wC3rOV z6_wFB3Sr-ecN&N9L8z-lsgK*8sSDd7r``G`o;OOl5OoWw6H%Fk?iUnAjEYSc(66ro z%!u+qZVYO((M&K6+ik2uW9bpgnuc2x@_OjQOhVH?bm?_N&bDiN3{S1%FLzpvdNEE~ zIA^h&eNv=IgiI66VE$hXF?dN#p1viPd>S>%`~da{i=a`&tM1)}))dpNluFn7uLK$eej~!PLL#2T4Rr)bxMS39G{Q@$uASc1m66M zZ|p)qWB_2k2~{g?;I{(}UPRd9!m&g3Nt$l0H>UcL9h$g!*IFy>74b0RQ>*8UpO1(Y`3CYFi&)OvGT!F#`Gb%{QI z3R*z9MFwy5a$9YImL<`xim)1UU$|=UFji`;H}8nGdx{ z|JKK2hi=+uG{j#qi0R%v9u7;aME`u(tW$biQR5b+;HUU#?u}y}nlS%G2BM*)`9*NV 
zKCUllL2UWZegE%3wsb~45mwKy(x8V342?Ss{*OpEveMnK)d=snKg=b^>r{Dx!A@UO znbKW$Heupf+P@CI-Fe%O#)4my;`S3MVTW5dAIYBEusXC5aRecLa+SOzxpg8ykol2a zgTL+PQ#!ohmVg$kcc&6B{XnI+FyS!X)6|mZI#Ir$;_@ZLB=m0y2A5Ef-FJ>SZ-k{v)*PL|tPZIgFrLRKR=nlUe)J%6mF1ovFVWqS+gya1 zd92uQZp%}*Hi!!xr<3}<=|?C3$mPQ&6?g;E2{T?@Gt#H zK+Rw%EIt<9K66+jz#V-_gYT_Kp?3Ds)o8V?DSt`2|${3 z4fxeBn-SGwKRM1Ua}Il`#8Xlsbb5*_x=?1e$>^m|3#6kr9b`4Fr?8m#$*BTzbXJyAXMgAOznuq64s9*)fdai#*y)OfSD5kSRl zhK_|~Xtd`upm=API;pZu9~#D2blx*yS$C=)ky+sdQV*&@;!SP1wk%$f{>sl8Z(29M zW$#qfZic14zl}oGojLS^iWPbH!pZ*L*#p^tTV{eVoZ@RGDQ3iHDt}h<<=hjRrhA_l zsbXo8CR`^!6P!-nAL)u805P^vM`bDTN6dXQ=7!#qx$&il5QWNqRDU&+4uTp`4GKs%qv;k$CigXL31Z!&ntvuZyeR%xPi zRKTvWD(sj9UU^KElgIkNj@j^5?;Nh5fkwcMZ-O~@BUrVm2j^N%U4Xpg9gu9%of=lD z^v=gmp0hM^N-wl(@hCooS{0vs^AxdH1N&0lEdX3HS2;~E`URxVgzoG^l98XC(%8_s z7cVyyUS+wYaBFy$&$z1=Y2uQ0wrv#SZH@;}o9N`X)1pYWU=@!Te{j<>$JpbZ*SoKY zouFNZ4}`ypDL&w|c#Nrg6E=6d#S_!Z;Pu^ygA~LFm{d?!PU6vS44%8^R~UB+DA4|V(GBC@ zRMhG3laR&{Sl@@XCiZe!KFA~wxpAX(!$@|iu3<%l+asswkl`G*RP?Y;zrI$}vphb! zKhqSKv5y(WwT)+ao_n}ZOqD;48;Ifg0VIXsaKh~EzgmeRFUVZ+$Hc^P0_a2P!tBI> z+@g3p>Su}VN+0?0l<_XpRhb$EUJ7~k<&!jQ7ZYNuc>uJHQ%@jbG}gKMS$@CHxs%qhhLw5)Cke6{3Kif+`|h)HA~Vl|afLekt6 zbN_LwH1R=xhf)|kKKzy+%Jyi5m{xUx_E%T$KW-tf)W-DPAx4ipy4$)r`<4|#LwL^J zfTIU+#ThCF#2phivqn)gz4@jt{@kH(hd#T1(g`Jgu{pcTfL$yv99YoJ^pUtpDDl}g zty`AH^Y&bSEHUg1>cuURX`c5XugwIBD?Y{wU63~i%O<$S7;jZ1H1auL#$A3tN3z~> zYFr0`5r;r}0>KX7-x0t_HM@6;deG<&Q{&LAoqe4|68>ZL1C5%vdIN1t;6Ztx4a7bt z{eVr-?@-vI*V+mrwcgW}I=i)A;li9M;#>aH%6kR5bwgqox)tHMiH3 z)pA49^)Dp`u`mbz{K{BMPrj6ChK8uNv?ZdOvlIg}U0JRiK#lOe2g5aqdOOe@YUpqK zL2!1y#L@Brg$=J#U6HBOvBPMHgSej{T-?nSh==YRVG6t4=|EtaD;V|PM!=ber&;r+ z{k?Gy^R*U6;B~j{=j!fG-rNsfz8Sx`eGaji4%+-Ygv@%J9xI*9UwmifN~=Qrm;v)V z_*uNEY}i(La*B0xD@vz-jVN_)OLJ&zR!44?QI*M%EP(%=w(LEKu-VD)_Ir1s1h>X# z#%1gP1~Olpi^uzW7;GNmONW?R&^z`A3SwHvjA9Z?TTi=j-!Od;ktk4vbR#Lq?QWfP zvrTa0RWYQyjK}4zhb)zNOH=0^`7X0!(?%tNh zh&3RDFyHOTp!d;V{(46e9dl(({$pun_dEQ)O!otV#UCdUm@Skh+mDywO<=vjTjMM7 zGtZ?mp6zeuzf;!4$bd_XquaFpdC{aDhLt!_G%n(id|2|p9Uxvn`RI^|KKVMhwMIJo 
zZXT=`al__&_LEr~Zy5HEY2T+ivLRAHO#6+mV>;GK29(ppfO3x zlUD8?A#un+C5I+cRRi z2G`ndi!M^R=pP?aX;N_K1faMwGq=cbWL&pHW@psj<1!XCb?>)`1JB6sqDbB42J1Fz z7pjvNr9w1tYbs$&)Q;Ya!+Sv-R!LeTZsA z*Y1z4Y1j10l*jofs9^C@;v~qsdV88pWJ&GUqM^vc{G6$kY3>T1i?mr)AoGUoE^K0WdCE(aV^0r>;%=-XAz|dv1?`^@w;>>>Y^1Re48p!-TKCXyr zXqHF2xD$Z-Ak;B`#jNMk_xE%Y+72*##gb@#)fs4$os5*brS1<9^wYh@ z4U9i95!E*I?NuR|>f+90rbtr)cQ+ zkH>`tYb3mi=zUJL-!W58_sjEA4~i^uS)`UlXJM`i0!0@3L{pjfh#w_9_m5z^TL*=s zM$V=U0)IMljSFf$`*h^u@-*B{V!F7;vqvU5CR{nEEEoBvL>%E~sN1$epxo?eEziQL z_Xzu@@vZwl37`8i)3G zk)d57em?GE^(aZ^vuogYdLbVU0jt#*L7ia?(|KQb>Zh_fRoq$dub3V>uP&7luk8z+ zh3Dv^_^PjLBB~?|{boCNAY211UX7JB~qdBE$#P?KF)$w|DjHMly1kn2hE{;rfE z^i;tiL%5RoD$0@Xz`WEjsU(NBwhDX2B{HN;flU2d- z(1z-V6>s{xPY~1Jx^pcB(bX@;Gho;aZ)s@}$yt0%`8wg88~FiDVaE*2dC1W7h7_zX zWIg$-qcma-?%(Y8Yv79Mp>A0}fH`7U4sb{OMA3I)V{*uNsVC7)DKd<$*Q-1R=tw1Q zj{N)*Kz}nWTmL6pZ?NCPHr;g!IpyVr!6{sd&r5ka2OV>zV(+HPWLvj*Y!i##Gd#aF zkaB-gZS-cnuMhg6&rk^5V7ftJSp7QHUC0h7f|iE-cE~vN!l1PmpBG{{vvF;Oh1wKg z-)x6Bx^vBP$7*Qzm$bv|4?iAP^79BeW!N5kz^CF3lYD5xp2V9I&S^Nnvry$W@n)kB zBtd6OsF;I8*dpo5>+~9U2v`5bZO0q1JZvD=Dhks*l0wYu#TawEmap?ilr zAa3S)4Z+%Yb8c;RY%oL+Gh)P5DQ-T3Qn=>C50`;RIe$F`(BXDO8+u79q_j1b2JU-P zSnZN6(u9nC#2*ZZ^%Zzn^chN7SPX7S7ZRFpH>8MxH{phFKMfk! 
z2=^_<+d(qa_m=6lMyl`neg$0gPWaGau6HRF#CM$ZJJ-HQtN$oxc=G(npu7F9M(5MY z8P?9nMt7HxX`Ra1T9<{7FhERp%D*ecWxkUi8z>wYymQa6eaV8W1!S5(0qNf+*c=TH zi^Gdncq#r#hkdDD5-7H2RHLwXR3Z9B6@M(8)54jLHQ(7Sq?q_f_SQ|dKyn@F?;uI63>CNY#mSAWmjFZ{-uEYcA7rZc9n*XTh2h-8^_85xiD~vh#y8=f&R8p(pbJh^!j;#=I&4e26I^OD(76p<-Ky%4DR!5Q)t$fzY+!M!2p z45U~JoP4m}28;K^EoxY^n_|s1b5mCcisPzC# zdkg1Pz6u^vv++uQy~ZHM$3(uMSkwG9A$9{YEnyy$yB_h|Y^mRvw22*#{h9X0^w>y* z`${E{Q!{@eyE*N=*Df$GS>T0_yCLP^xh?8yYe&Od?(3{_6+`w>#pr}wAY?>lw;WQ$ zDCl``O9GanELccukEsN4SYBTIM37JAWxdAE93lGL}}C)W0_Pu`1(KD{PcWYW>K*A%o6}cVD>A*RGMNIB=JP!(4e0&@@oAI-Dw?{rA5k)q;E3!Kum9n|L$m>>p zDn+_UI^><__0mp1kw(a)7J7{{;&c;g!#!5v-c!L4X&}X$ix4i99m?K0(wbCbzbE#V zbQsTjsGh&`QWcRG3qmqMAK zOmsj>aGlpm)=pR*)nQ*bMh+|pfumxNDoC>ZVQnFHnBjwnZMCKncj)|@3N!XWBx8SZ zKVPQN-b`+y6%(AToEK#>6#rTHh; z?H!-c`EL$vP0>HA8a$!Mcul06hg`Dlv%!YNogm+ri2dr3l-^rfHHb7mdj^tOFA!xu zGvcD@PuG0beP_eJrosY6>F{kFZ_B6ET0I?H_S=GiO2>6_-XhD>UPaTCD#{}vXW8~1 z$0h}xkC1;BJH42tvd{DP48lp9gzSj97?0z5u&uT^3l+F{R}Ts(7%soqq714ZPocv@+53bc4Xb98H#+fs$Ybp{E}W7~XR z0yUl26#(J$h+e)RTDp_xC0b#bPPvy7T}+zzTU&TFRzNo~b|~@BQWW~>-uP9$Ra?wL z=K~Q*M?eAa3jK9?F~gc+L)3g)QfnCYc)c*#DsuX4kRzvFoE)&fegJh+;3b3!CNcca zvHj&@;g$rVO8l@E`xVf@br}UsGt4YunU-$nhemspW43fw!^t|q|4im#)7vIZ z;AK;}xBm6@G+xdDH?{$-5!K&y&;$1Y4y}Uy=0169uOXj+0)925o2ePx7HdR$Ezkr` z4^;d{Jf`oAM8?OpBVL}@QS9~+Vo>+McnF_0UN?KZtDk}WQr_6dk2~V%s<_zc{$E8t z#J#X&P6`JrL;N5ELBmHI$|O)P!SW_y47#&AxZ_ph=-Ow6ioKN@f@!?>+qr%dKc4#3 zKaW#H?ejpBl($^RcVgwQDznjHF@}o0`i;B{tXI(Eml#07?^FBb{(Wd2#ln6*4!YbL zQe?M$27J~9u+&5=#FQDKfg=&gJ;yus)UgiB!I)b~E@zAPuL`r#T00Kv%vk?O!_P_t z2Ercl0ivzfuRh8lQ&;#T}?XwdA+=X93fH};IMlAlh?3E7uSFV*Elo)eDGC=0CEVr z>uU)7|5}&-HXNFI*xEtkesHXw3+t3u111^AHz|cfWck~@>9>;Fvu7sl^(ZkEwRnnq zKr$VJ{C;%Uo_R!5a`}{cVU4NZ`|16myU1*;X!#5OF_1-jG@IcGpbN7; z!K@q@Lb6JIkCD{tgoTL60nla+8Q}mP1g~9&O_H8&+_-nZoo3DY>{}8;;_iL_+)abb zVgwq2RA?wA=gos@?6Z46#IT;2s(+XEc9uor zG2hF18I972E}=5;DkdY@-E0tILwOYLJ!O$mav-Xk*E%e)^i_!Csg{{|H*l>a;- z?D4%UlO9!Dd+vXV1J&%76T|-0l98xr!{8QOuNde!;R4X@xp%H$TGUgHlyDI_@?Bo) 
zpAbak3;znSGu9BtdEyr%kvDD6LjPFRPZStgE`%-15923jb+n6l4buxEjnnKPgKdM> zx1p_v!P3t=MVI}BH^?`2j-a`$8n zwYmt4ci_Y^zwy%2ub01Vx+zX?kqq&YLi6-%r4`gPOQ^6zzh#~Nxsf&s_J-ggDFDKw z7>1XPpDW~?MK@$L#sQ7}>PhoILjk2|g6}-1+LX$j<4bD+!*J^d=}qMQfi-ZitE&w16;8<63n>8*fSiB|jae|KJy7)mhzx$W zc@S?r!PZjd;sj8Mam!5Bwcn`KWfqKMc;~rFnTLy9GI$;U>j(`2l{T-2i7Cn^!?0g4 zK&t{kBl*33_kq)kPV|h|+K)7SMw^=jgz4P=c*AEJO>?GkPc(f)fpSn*vl9+Z`ztIN zG+xd10hr$%bA(#=%VezNJ%e3A*!=U`Uz|}t?Uz5OxP=Jv&PrMqK8UHB+2l?q~t$Y>d*CB`m32?b_ zwGH6VDvIA#70-UqYQ5hb`3B=E&+Bj5hwdh64ot(q<|5Dz8(Zh&s@_oFoREo6pD4an zsZmW?EiP8_HY@xm2uPYkQmFrrF93i<)FEZa<#I9fRjDz=BGEDB0Alv4IHoCVgIY{%tAD>TB6ab4j5{v*IUWdnoVe34F}!uDa2V^a78A_TMoc=0k-y4ss6`zy9+66fJSc5 z2W=E5kN<2Az-NVlJ~6|c9qRp-sXg5M(Eu|JSK#@8sus_my0>$4h~{rqtk(JIK)g~CUXANUW+&#m`fCltF4&QW{&;; z0k_ecALr!(Vhs%C9sQfkf;ELRJri)$YLrmcH%8?TMu2Y3MCHV!a}KuHicu(@&J;b5 zrxGfy+pKqo&cyHyjFP>stv z1VBUS?~?j`s-oh*Fn9&}0zlmurhcjb`~mZ^wp}HaG;|5SX9Ar$ZO2CbfRVn()xAE= zB?{if)H7R^JQ%I@j{$Sc5P*i0lc0ymk}BF0RFjapqHzu3I`Mcf>^y_F5>qaDe;}v^<|-~xXHC)y{)O8 z7I*0QG*kNPxj~*A=Jn)px0?+0iDV%T4$LL*!1-gp=)NHf{?~9U=AP15(#R5ENF@$6 z$BVys|4RWs(P8Lnk>hb-J9ZgT4Hh=jWAEM?9p011>#@?czt|%kNErVYs0)`;DnNOp zt!mj&UrDp3Z0QsU9~p#8ZjMoH*hc>5u($FqwziW9^;O{E5KZN`tlV3vGdnF))}Pw? 
z!^({mOz(I{OgWV}KGQlFC_I*pCH!A=ze;05uBxIq_TNp_cwL-Lald$ffl^Shp_|@b z!o{~K`jhSZueA~l0;T>|iHtq;wqH|A$o8Qtji;pJhqL=RP?e;IW!U)1KJjr`ScR=&pJ zda4GBzIa8GNCvdUM1+3PtiJx+z9DLXNewLjOnhmnB(*74t~CF8lQwy1Rsj?}jIzJF zqo7%LP9OkuJ|6u#QPBKdrw+xIVBACI`*WV=UCy$|Io_!W59hY(i9A>>U83ytj{F08+#rw2qpFB|`j1~>~xC$Wpvi~$_ z2Y?D|lxM)5@2@N>Wg*lL@!tQzq6+yJmB$s?h1xac#ebP`a%dn7t|WdEvWY@EsG$9e zd8>0PzdL~6xXj!4ueY>bFU)Zua7H81wl$)6FIcndBX!N0hXL=pp zcIl;lG=SOXbPJk|5l%k1BTRPI7J^B4Z4AzwT!SzH2M4j;XUQeZlMF*rT)M$rK+PU5 z%XW~9zz%rz2Aop-pl=IdP)++w@1@HPl1`c~rCy2b3XLg7!ZG^ltoe_Ze0Jr2AhPq- z&grh#Ty@9gW`BwoYu5y?49SvGFNll+_#lYxv;KR)N>fgTg@ncDEE&9CWyA_0iOuEq)yuI0tS}S@an^5itYnZf4!k zJQObi6@!1Vxq@7(H)Gzyw>j~u66`WIQt){0i(QEi2nmw4&uzYkwA@-JNXq?ilWBzl z1KOENoA+`OydrS)M*G4KR?p&9#VQ)hfPX(+KN~XZuaWcD;@fAZ8W1G>=3v=I?eH52OvOFOYI%dQs8E z$~Z5btVkPx^p)_qCQM~8HVwd_nt|6M}M9U=l;eDD-as!5#Vd%&+1X|TC6MX(F zO~5$e2jC{Akb+|2w`mrySuIJ}3D1J{9;o$&UB9FpP?`h)5vPU_n*hnuKoxE2mbwKy zNhXf^CX?;`lqi!qLGXUZ%A*jbQhn`Bx8l8Fe^JY|L6S)dnl6|OjjR7DmBiZX6#w1khUl=)9{4q8iIt&x)$ z)T%bYic7x>_9p)a;xrRRJo4qc*f*OhsZ6bxhj`w<2~X?tK_-or8X&=}gyAR&QtZq} z)YV2^A1diq4?A8BaagspMz9>xIRvpP=Cta_`h z&gXcT@x_4=@EcPGjjIS(HCg_cXanj~KceXp|JuicJ&lgpFf?E#+7m<}n*UtoT~`tS zrw~Ghu{>59x#X%$TzIoL3{ddn1BfZ4MRyPZKamK9=SPeb-rA zoT#gfz`wS;EBIDI#Kj4E)sDmSjN_eR3MtySCn%?)Ve{~+KR?(1zSinsZKT%7PhLa- z@M5A>R&dAx+Ft2Dg&BCwAH@E1-6PulR;v7YP0;#vpWh`WmM0wsoJH69|Gwsdib{fA z8;!8N)AhJQGMRb@X~i1ZJASs>-EpPOiMslm!1sUvW(#fg`dx}( z7z+N12LA{R0O_qI4L-mZv@fgGKX1#H(iXKHz#{-?0?=#XJFvd(bW03+S`_>h;D~Wp zjt@P7EJ>L~z%_>2HN`X5jI*8nOfRb`Rx~nKo*)e|+D!%ONCS+$;vqYOrD!Sm4;h%_K-g#z4iM?#_&(+&S7Y z$iD>Gc%iQ`sWR|T1BZDao4I|l%7J<0s+KZbwFH^9R-Uuy{oxffHmnMht&|<>CI#k$ zC!|3mG%~Y4-%R6xa;&yf!;@j<&w$!@hyv`}EtFuD{Tl2MzsCdq#pF{SBZHUHu=%ghCpjkz+-uNa%qHabkOH!mzgb8n+cVLJsl zt!WRe7#x_*f0I@QIuwDEM8TlmJc+I%L5geJ4t)#yUH~pO3r3;U@P&={xiAJTkPd)= zvM=5BsJ@TVjNEvc^HS|Lg{w!0#P222j*07x(0{r#nMKeMm|hex!=7-+p~Mp=maV~r zXz+Xh_VO?8sdZ9d7d;t?iaWgp!URyvLsS3$<(d|e1cZ6*Vz@q;EWq7pxk_yebOPMa z0roXpE6}F-=NdEIYx7Xk!THX=*vME33Iov)*=P?ca5T}{B*6NPKI=e>SATDiTzQWx 
z6G354chKL>-BY^y^}52B6{rkT3*Y#gkMwGaz&9~}Ii(B#CUpab*>dtfHGJ*(2mumD zB8{)9=h1l{Xc=%l5WxL>P4D@?TB-pbk!JM;gviPNmxcP*y#JZk7m!{HOk4EcI<~{d z^mYIV7;t=F{ddJW#R3$gUH$v->+}Df#@}lh9ru5q1>jjhFVO#f)Bd0REco?FqZTy1 zkA3gJy>#swFb5zRfo@t$*?(dUE~I=*g1eAkh2_K*2rwb)G$9!yaEBxbl zpVc3^>Vh(zC-g@Iy#+8CXIc~3ZN|#Nk@0xQtS31Q7*z%yJ8}VT?8ZxArFTN>97f>- zMREgT5rg%gChInG@@g7uR{)iaa+L&-2at^?`JobkUJZVO(&VB8qE+^gufi7!18o)) zH4=0HJh(E7WRz0$yRCymh7E`X;6-JNiM76_D|kRqTcsv19635WS;luWRh(WXgR-a|u3LG@KRX{qNE$xpc4mvin(tbMPhREGU)U=inF z4H{kD@)6W{Q973{t{cgkmU5rG`$e`XPzWC(iumvD3sMdxP#KlGP}Yq6h~! zHavXHs3Q1y_<5u#V66gyvXjLF#+yxqwN>=ofa+l|ywy+YsFr5goo>oQjitxKR91|A zkyR?=?t%O3uEtCtk^*92#|>qI%o9=)t{t+xU`M;nXZ2BoFGVQ%3QniYVWVhSI+;x-nsvNi~pxU90hPs&@bav8WaEoeD{7?Z#D!(Y5^N_?Wi zvGvFO2nn@`oROXS(u5((zSIY1ycI7p=c&XAE&?cL_)yuKBHwKMhx0Dx3X^}fyzM#h zI?m&-9H0_5c_4W4F)Su*8j--up%K)wrc6guW}5CTo>>i*#nKTN;sj+qkR~jp|I*-T zXF8Urm(_l3zs+4EHxxjTCsYU!75dyeEf$EkR*D#;_*3z zJB$wdW3cz?D-%MecXRC{7t=!>Gg}_{^KXL=tzCd1!qMb1{Cv|^q8%n^rD;&iG${nI zP6<#w6Rc2g%xxzV5u==D9^ApF#m<+}yAL7VSq6k#Q^{-M8sYucL`_rEl(1ybq!+)r z^L&H|DWcVOy(dmE%}-eUlaJFjL*VOhzI*s#Tg09DmfIq(p6AXZPZQPKlC>^&2=5Ls zzfS_GD6kbpfq2QnC@dW^a7{J~e7E4Exxvi&^HmMX%TQdgT*|Sw=V!0u=5Zd}hLOM2 z2;=MccrHOP7x>z`+YA%~srgrOh~8Gi$ntF@K2zpvopu$)?}V^f(vw-y%P(E-B|{3K$! 
zb{HHFS`;Cgen3u`0dr|i<`Z|fU1`y>-|HbYNiZ!B14-Cj4FJ7+gDWYD&7DN-D^~o# zw#Q`v4heKkmOpGGO^Nf)H+PaH5h5hTiog(}a{h&pMz16D2QkT&L8c1@7e5%i5GhG+ zp603xp#x+Y0XscdH)n>*KEZbKg9BiKRA;d5#j{!$l}R0*zVGLm#qE#NYDV0jY*p)l zO5P11tKNpNB3FGAcyp-WdHqE@%p2z2Mg2x{f%3XZK=IX+7N0;d0*iyfDnVyz+|H*4 zs*o=fE^hhDmBa`{d=_0i1}w&YIh2Amj7oU-A@t|ZpF(eko6S*YsJGM3BYN|-Z^m8) zRkYlj4ki=4)PDlvrV!Ywkgac`GJ7Swlvi~)4)$@8Hd#l8gQng(F|jM>Y6dLwUdPC&lWp$f}zvi{&Gr z@Ap?`Wl-H69a-w>MLmFyC6K!;;?~uWsw_ z2n>G2`1KmOdYHhwPU+qJtP4GcIJpB*bckat!P-Gy8{kg!aAA<_S8eOZgx=!yi`i8E zdIB?%S}hiGtg`I0q<{+9=z6z?QqZE=+QQFK(AcqFSl_AMc$wwI?6Y0kc5V~)_=CGDiq+F~?%ug0-VQ6| zd~G_cecEhN8t5(74)m}0OfD>oPrzz`CUk??_3UF?e@i(ezF5#drxuSfJgZhqwh zD6BifJsMQL#DUuLa)0Vn@d2b(vj;S|2e3>7EQxbS`WeH)iu=0k@qA=rIj?@zlsnbp z3-Wa@g106^)%2?yhCl0)qG4g8xK`EI1>veH! zF)|q2YA%h>%W3-4nAFsMa8rKuq3y3}k0JM*at)!C^CZ}pbdafZ`E6Ydj*6Ha^H7JG zp1A%;!!`N^jO;Xwwm)ASw_^a89=>hJEwqqg=VN;96kYZaRLBP+stdaft%?IB2)eTh zIzKh8)If?)R+pXbCFfgB7ls{WyQ{y#(H_n*faVHJ?nW=q{Tf*1K`r!pos zA^Cr+is9gu1iD5m9$zsyLk}4|)KwVhmME~|gzE0@&eg~; z2i%yyCVyv{u;j&K4`QL<&1 z;Wz^Jyi#T^tgVt5rK?;jucgv)l1$9gztse#%XHz^^d*$^@&a@VqHj-^!++fo;&f>i zY&of`PvGsu6*j?LKp31fCIJkmt%N7rG?|Nc@mUlHkIoM*i1vPlAq~p<1K$=oBZC!O zG|Qj9bB=Iirrn$@ByXpF}gSX@F}HS?!TR##UQ8epy|&si0t$93V6-*r7zj0{pn zX-0ud?r8Yi$={Zs>^42R1-(^xbNt%9hxTPyFCh*$b?~W#x=ARVu%VPtx7|+Joo|hG z(uJS`dDRUPb9-jKkb;lBsZWBwegffFiMyGlx}ux@s&Z9SX77~3!VZ8UO}1|feZtaf zf???;)fA~xTa1xqnv&EKk(k|twk~b#<3JH{ylM6(Q~l~uslG9uzQ$0)h!mhmBHI9d z1cIVW>G7+AK|A%gfM$cW9-!Ti=<#tZBFKM_*0#bhF)=e2ar3$JIY?U6V$ePqQpXIQ zT63WEgMV&U4(PJxX92hB2EhhUt<3CXZjJ!9PT8u!iX_S(UT)k%b%^Sjj}Dj<3`paU zlerptp}cC;Yh-ZnqGGfSCnqN(^rFPUJdASa1EOrNQ`SDk%pirlvz1mxZO0B$Y_6iN zq46t4M$3VjwkZ%_?!ZI;H48xrwb_-YiOFF(Q_WAO^nDLKr4u`JPAz{ba&a2JJFhO25o@O5o~?1g49@d3vh_RZlBZsL`w{zdBmD zyJuQDB1Y-N3!U@L|EU=5u4)hhTsK0ZBtKTn43*fi=z0G_{QHEY*We9nq(%`cMCxp7 z$$1ZBy22acVn0SAw@x;FG7Cm(Jb1QtoT(4p!Dy|4x!R3yT7jV z_;xJ$oo^08<-KExv`k6&KW3%T`Sw#pKGVLbZ!V*AtM@G-^wy-;Uc%iHNCP(`IoX;` zLz3rqKJ8ZNT@&WAOqy*m+I<1O=5JFBES*Y7+?A)Li0*FX9Lv4~K!VjVdAx@IC@;R+ 
z?R{joSnuduoMlJ_&OLI-7((I_&KX>IFmhGCNs0_xGk>_^zBz`?!g_hfDg)IOyjRU9 z*1Y>$#y%7$zWzejYV9_aMc-W{t5W&pha_t|l6=zc%qwST08bbi+d9m6*#!#e0G?JF#NSh+Dlmlk~Rtg_Ept z=bZ*oKRvw0BktK_PbR;4)x?bd-pWqj@UtK41r6nR8KM5P)4a2>qbjJ77f}hM=*Y!4 z!VH-QQU^|vtokpS8IPHfV>2xJ8o3l^rMW3E(-8;e3QiWSfJO$IK8sWyJm?%pQG&~R zVZZ~RTfj%9Y`IWVRcW$mFN+DcBFrI3pOk^v#ce&U*U}G?nUYQ#Kv74Ly&IL+<`0EA z41AcR=aT@=Q0_VjU#*Rp6B8y>F_(F_Alxgd7yayvTUc^b@cY3<09r$T@O_kc1*DjZ zLXL(_9Ez31*nKF?ADTFV;~rq&lf79rpDFdkley{~gW+x3BKTMJNRp>h1I*V&@!1#S z0g*|7=Pm@mb*X=e9Rv&Jg(KI|0GDmXpXy-I!nT`IbR84dMxq=`vkNTAnZ|Ng>HE&J%rnW;fSk{g(V$lW+tSOgr`3yEw=!WCMvp(VW5E+l(noZqaZ>|LvcA|(I- zg&9=}W`NE>%{~KRy?N$*ychUQ8_EY2dsIivo#a(ihH}3v)=SGK7yM^~#B7z^mo!*4 z@OP9LtOGz&(6Ru1`w}Bop_M@#^l9`sb72AeDVwxY^AvcumOdsSgs#Qmc~kB{*Omra z;0i9j%AP_wT^f!Z?a7UYL!vYG&ot}ME6pLH54{J zgFT;T25iEX0oLJMg?!D`;lV*oDpw8)fPUNFwRiOX`OL9+34~wg5zzJ9Y??{kyAO<* z+Dc0@eyIx>?Mp9CtA85ysVa)ez=R20YORPVKIdn{#5ZrYnXhwn}=qDkKS z>1p-qmq>`BIZC;L=%sp+LvDdG&4U~UsJiA1xo_}+*ZEYw_Rf1vvGT~auirqaTQ8_P z6NS^2PGj1I={?mu&`Cg93+l~cfCGr_Ple-Xfj(N*Lcl;YAeU})S|t}02~4tz?$0yZ za?2zkdl8Lr7F$Ae6mAkoHek${F^I&PuJf#Z5=6l0-_{O;?|SCx#$lbDIkjWAi=ABD zjurVk1Tm5$0$puZJC_lW>Mds8kU`;n|F99=F4oxVM~5p#I>CM&r;w`zpLPiu)02tw z*LWX=vGdOu>^XvE=??9eNwsvpuw>W(fh?x!9fsKqt3R@Sv**)YiNan``v+9Ke>EWb zie<3aVb-)8S?0az_V|SfJ(-|~mz;<~BTUP{voxJ_TV)yiE5xyQNrh?x-Zo*Vs%h|n zPJn?EGfx$%P!OyE%+BGb*J$KLldtk2PUl2auwZ?|V~sX~o5?w(5 zB14aHp|5ha`^(l;e>!I5oe-U+v_JX4P68!*s21W7j#anQ?l*E-Cc6@}kLjhR$@lz? 
zdq4pp(B{xBvm^ryalyB%;@b+(hn=vX#=JkKFAmFv>>**4g2TD5=Wham8D@6lZjry< zag3!zNA)$r=J0<9i6oj~2Wvx0FJ3VJ6J=Q(1shGKrKF^&rz--j6`S{Lymm;sdJ7(6 zqBVplfbVN>D(<{27zC&g$b19%Q_n$uiZDcXJ|N-TF2C^|R&9?&6<0PPmi8CP^?a|AzxziW zeuQJ)7-R%`J}WIWLA_{n?rO}P$9kFQ;_ZL2-8+Al$KrzR<^eyJ+i=OVCV=yHp2FsG z_@0>fn?>+sNiI1;;=Zd0iPsqn^n07JDw-9i)p)3gmXL0qDZj6MZqJ-?tf#g?Kuwcr zN?cK>B{^M-E>*?AhZ4f5ZmyizbU zJuI=1j5{b!2&T>1thmSo-B0pSH8zh{5A`@5o%_nv=^xf(xEz z!s&%mYy3+uk%E4c$p#aN58vsXLVEmwAl&IEme(yX34|2UuBEqlSr^>^&nlRpklHxR zL#_;l&`q`Q^KR`E200kS*?n4vsKG@&TwYRn?`b1f+9I)$L##I(r8W}h&%ir(okHeT zMsU{&7AfvO3yMs>9Ap5~>=zxyGJJfe^_U8q;!?|$^sQ>|NByAp<~yzQX1d+fIAUM! z58^Gote!q6=ncl(L5})8;Rw<`n)(&Uu=HKiyWaH~gY8j(!5`Z`p2Ph9lZ^i-&=qAsZ~q)JfwL9C>)6?Bwe{X+3RsZ;%?jBh?a^IC}q2{(@m5Mo%vFJ`?4(e6!%R877&&e&s z!h=-)kYp%`px$u)t!%j z{r%K;e)?8#TlnX-cx_?L`RYib^s@IZ;}xm2CSqrtK_+WlcqNyw?*&xKH&tX5zj|r; zk0<-MrU&_hDIGdXZpyLA+Q^y*VtJa+M9@wXZ*rcZOQg;*0giYFeV&WE(Fk%sq#HmHxNxwx}J z-Pvr3XY2aO^r805H{+@w$Hms^Vk6a^odGg_sVjUiTTp-}&Rz;P{NR;Fxcw8^)bJVy z(}z)%ukSiDec~`iVXgSq1uG895_w)2CUd#^JChfw$}NB^@|3IfCs8#OwOd~eHn+&) zxu`7y4-$w6u_ATE7OsjqidvUnZAyTZ7k5^uJ5}7NKw;P(a=+V-9-%bzx$FJjJ zaj_GnJ2lbYfW&AEMJ4<>`8!=*U;fp-ddD2X8Iw`0TJeWRwN8<*vhVU%=xr2vY0Z42 zD2N_){b*dG^U>WQ{6oAJfd>i4gM?X>qCkH7Sas^Trh=W)ep|L|xqJ6+1G-a8O-;?t z&NijEyAQP*P$`m!T3l?ME;eG_xx6&AEvWN1#`ulvbv&1u{`t=YWiT_d=cuT!D!Y<8k{`%tSU3|uTOc0zQg=35`d z7Uo}$eI!EftgU)MM=)ihKII{t9_#0of(>L8tMBTS$j+AzD{t>nvX*BQxg~3b3D*7| z*aBLX?hox9OgGZf`!7yRwjB>rj|a)wT2RI^f>G2qZBSC_9yB;%rWrT;(VNf4GL8%` zwjLK7sqRcemCCR`eKMpi+`rYeg^RC57Qa~=fh!8Dc<0eAy|R4?{an4d>kreS>vjIx zSBwD`T$bfV(X&N2*C>3u$ouHrNKeSRbNSQLkIx-yFAqOdp9cFh4Mr0)eGwj{HV@*j z7EV9=P-Q1$MCo-U*?W$mS*`AznVFfMo^J3cm<;36FTRV5#l^;}JCzMoPO$aKiBZQF zJMpztdj8>OlRAh@1md7`)rHoG5ZN*O+xc|fgpr4dNdpsaKmX*`#mPys<3VciAZtE4 zph1-W(|)?#tnNI1{P^L+hkLG8t?pD`k;HGa2V(i}AG9AovFBd2-HnJg;{`{WtvMSIV%Zz6lT%+};Q)$Yc!`o1=F@AKE z^ty?3rW3J@aRNX|Pb>lt5~)#WYN8X{RYs*^s%Ax2|1CX9IJ;7Pz2}p(ErTl+7aPf< zabD8le>;)Re&(LW7FZ_P94@|M%pr|*j(^tar(KJfxIsPfAQ(kB9Yr&$HCF*mM*l;3@NoYG%HOe!Z`4HRBX0^Fy{rRVjN 
zX42|TtNVA<-mCdxxtduTFXhybF6OdKA7L-QI_BJZ0gvAK7Pi0=*7D$sbfhHL9IhU% z#~c(oTJ;X^znEIY1dT1v67e(Gy~WP(VF&GFSegoJI=5~+$TdG@&*78m)}29xJk6u6 z&Y2m}aP=1R@#~8EsC}4AoTbio_4HQK>6YkLbDsY}ol~62o%^=%?hDugOOwq*E0<#Z z=Fs&H*WU0g;_8oN5ehYNf>`SG4!Y{}@MEL?-D(p>B^sIrGZ&4Wq!E<*Uq7jB&w5T3 z-$0|$!#f%Q&OShRi{=$ntxq=Zle==!!WP&<;TF`#@aRj$7rVY~ZoeY&P4y(M+CpcH z&+Km7m}s`lXrLp&7TCfXS!w6c>X?ISj-USfh8e)2L31$AW2r?b=2~D8t%cY8CXa>J z2Kw%7fi3jd!j+?I%x(UqW{qN8QN{Xnry{YMzNmb*_y)tD%b(5b7Nhg3W%cIr_VfPD z=>Dz2bOu{s3#D5~ufEUb1A2IsEi9f>kjb+Jd*ky~Plux)NU5*|w$RHWLi4O^EMi55 zW*h$W%3wN!EwF{sE$G72B`0N~N1%G@Ool+BQ_?d~-6>{gXQ!s7+5i9m01z|7iMpib zy&OUs0{{R3KsXGY#I9R+Y7QmMq{ImW0001pl%bn;lKS`chaEU)00000(ILet-8tNQ zlScM<&z?Q!&!6Ya0RR91M8u67H&ip(|A3uA=uVXdXs7j)^9KL`01yR|o6>KRoLM?^M*2QwRV601ySEkHwxexc4(NGt<-4oJ9Zt0D!>JyhNIvXvB>q&3=bLr&j_1 z004lRIeYf(-o1NA-%ir_H`%{`|J>XhXA}Sc03bj#2&QTyhwdc`OLyvPNI}!y4gdfE z5E|+t(#Y%Mn&&(T;VbFONJle|5dhTB$&)9OByk57K62#9&Ye3SK78n{qvVWzrPXTf z+qciYVpcG0*s$U1)vMm8nDvtkLl0(r^XAPhTef6B2moM=EG{leq3P$iHkbtU#fW+W zK%E#lc<9ifjT<-KxpT+7cIv-rFT8&zw1v{UA?eN;_`e zyxCh503Z+)=^U@<3`lpjJ5f(1+_?nPOLv<4`+)-oW@l$P-vCepMj+n1ch60l zdm2#^)2?G*RE*Oo%OXMP(U0zQbMbBf)x=g!2LJTw)6YEfjQ-{3+1)qVt(g_HzBIJ? z7f1O1! z1*2vM+?_PPoBg!9(|x1+yNTM`Z{dAG0DvMiz@_rfW9eRxLwB}2L&~e9fQd8#pgP<- zPA|7^|K+C9wT_838vW;m58c+HZ0fwIuPFP8t|r!hz1OXLw7Szq7QfXFex?0eEG55x;)ynHTjVN@(pRR0m zyWQQ$tE+uo-RZ4hUiXA1x)T7(Q5TVP*ND?#Myxx9;+=|m4n58Y06@uOy(yY>aRY}Y zlkVo$i(br<6?xe_yVv&a=}T9SqB{YgYIHABL8qi=)gP3Ee=KyTminyWSOCEKAzSb0 zC8mwIbn7^CU(D5W{pe1kV(mWI26=BkOVa38ce-!Pu7K_YfD+U^q};l?x~u3Sic)vB zS90#UWmi+$JMbHml0SL#!}{ah#jFbYKjwkw=z6=X@7W;P-2RcB_agNnvca%W3& zdyiZp>yD#z?AWnvIJ0CNC3GhMBR0~l(Vb1t;r$O0v_4X?oJobT10RY0stL6j% z7!)i_g4#zUqkg~GymtY=Dh0GN28X=9(c8GHbMK2gk0rJPbw4NlOL z#C!PW=H{f+}IqBxyVoGRsPwpAvH{ZLADN_t9wsy3E!<^ccz01T3t z5}GPdtYKiz^`bkikXLQ2s^%38P!^uHcK`qYShuJNTLI2Zn>OiZPz~A1gdJ!l-_>;_ z0ji&hfHLYQ000222bA?y=*@)T6yt0>rM@n7r$K`Pm_xr~#|~99NbKwAqd@@x0AP|( ztB@5uHs}^|* in each row to specify the number of resources used in this deployment. 
Remove the rows for resources that aren’t used. + +|=== +|Resource |This deployment uses + +// Space needed to maintain table headers +|VPCs |1 +|AWS Identity and Access Management (IAM) security groups |2 or more +|IAM roles |2 or more +|Auto Scaling groups |1 +|Classic Load Balancers |2 +|EC2 Instances |5 or more +|EBS Volumes|5 or more +|S3 Buckets |1 +|=== diff --git a/docs/partner_editable/specialized_knowledge.adoc b/docs/partner_editable/specialized_knowledge.adoc index e69de29..7cdb04b 100644 --- a/docs/partner_editable/specialized_knowledge.adoc +++ b/docs/partner_editable/specialized_knowledge.adoc @@ -0,0 +1,3 @@ +// Describe or link to specific knowledge requirements; for example: “familiarity with basic concepts in the areas of networking, database operations, and data encryption” or “familiarity with .” + +This Quick Start assumes familiarity with basic concepts of networking and Linux system administration, as well as basic knowledge of {partner-product-name}. diff --git a/scripts/user_data.sh b/scripts/user_data.sh index f6c0bc9..a9663a7 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -167,7 +167,7 @@ function splunk_cm #- the CM's local ip address export CM_PRIVATEIP=$LOCALIP - # Install license from metadata. This is only relevant if the user uploads a license file. + # Install license from metadata. if [ $INSTALL_LICENSE = 1 ]; then mkdir -p $SPLUNK_HOME/etc/licenses/enterprise/ chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise @@ -203,7 +203,6 @@ end chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated $SPLUNK_BIN restart # sleep 20 seconds to make sure Splunk has restarted before applying the configuration - echo "#### sleeping" sleep 20 # log in to splunk to execute several commands without requiring -auth 
@@ -223,7 +222,7 @@ end pass4SymmKey = $SYMMKEY indexerWeightByDiskCapacity = true end - chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/system/local/server.conf + chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/system/local/server.conf # add base config for peer nodes (indexers) as an app under master-apps # peer config 1: ENABLE HEC input on indexers @@ -236,7 +235,6 @@ end sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector create default-token \ -uri https://localhost:8089 > /tmp/token TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token - #echo $TOKEN # place generated config into master-apps mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local @@ -252,8 +250,6 @@ end # ... is also added to each indexer as if the bundle was already pushed. # ... this should allow easy recovery for maintenance and future bundle pushes. # ... note, SmartStore set for all indexes. - # ... also note the first part of the file is base64 to get around a dollar sign in the . - mkdir -p $SPLUNK_HOME/etc/master-apps/_cluster/local/ touch $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf @@ -272,27 +268,7 @@ end remote.s3.encryption = sse-s3 end - chown -R splunk:splunk $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf - - if [ $INSTALL_INDEXER_APPS = 1 ]; then - for i in ${!user_apps[*]} - do - echo "Downloading app ${user_apps[$i]}" - if wget --tries=3 ${user_apps[$i]} -O /tmp/app${i}.spl; then - echo "Installing app..." - tar -xvzf /tmp/app${i}.spl -C $SPLUNK_HOME/etc/master-apps/ - if [ $? -ne 0 ]; then - echo "Extracting tarball failed" - fi - rm /tmp/app${i}.spl - else - echo "Downloading tarball failed" - fi - done - # chown the installed apps if any were installed - chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/master-apps - fi - + chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf restart_signal # signal with the generated HEC to show on cloudformation outputs section 
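Review bot: In the hunk at -223, `server.conf` is written with `pass4SymmKey = $SYMMKEY` and then only chown'ed, so its mode is whatever the user-data script's umask produced. That is presumably world-readable, at least until Splunk rewrites the value on restart. I would add `chmod 600 $SPLUNK_HOME/etc/system/local/server.conf` right after the `chown`. The enclosing function starts and ends outside this hunk, so confirm no later step already tightens the mode.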
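Review bot: In the hunk at -236, the HEC token is still redirected to the fixed path `/tmp/token` before being read back. This leaves the secret briefly in a predictable, shared location with default permissions, and the write would follow a pre-created symlink there. The commit removes only the commented-out `#echo $TOKEN`. Capturing the output directly avoids the file, e.g. `TOKEN=$(sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector create default-token -uri https://localhost:8089 | sed -n 's/\\ttoken=//p')`, or use a `mktemp` file created under `umask 077` if a file is needed. The surrounding function body lies outside the hunk.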
@@ -642,28 +618,6 @@ end -master_uri https://$CM_PRIVATEIP:8089 \ -auth admin:$ADMIN_PASSWORD - # install search head apps, if appropriate - if [ $INSTALL_SH_APPS = 1 ]; - then - for i in ${!USER_APPS[*]} - do - echo "Downloading app ${user_apps[$i]}" - if wget --tries=3 ${user_apps[$i]} -O /tmp/app${i}.spl - then - echo "Installing app..." - tar -xvzf /tmp/app${i}.spl -C $SPLUNK_HOME/etc/apps/ - if [ $? -ne 0 ]; then - echo "Extracting tarball failed" - fi - rm /tmp/app${i}.spl - else - echo "Downloading tarball failed" - fi - done - #- set ownership - chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps - fi - # final restart and cfn signal restart_signal } diff --git a/templates/splunk-enterprise-master-ss.template b/templates/splunk-enterprise-master-ss.template deleted file mode 100644 index 9e2c4fe..0000000 --- a/templates/splunk-enterprise-master-ss.template +++ /dev/null 
@@ -1,590 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Splunk deployment with indexer, search head clustering and cluster master.", - "Parameters": { - "AvailabilityZones": { - "Description": "List of Availability Zones to use for the subnets in the VPC (logical order preserved). This must match the Number of Availability Zones parameter value.", - "Type": "List" - }, - "NumberOfAZs": { - "AllowedValues": [ - "2", - "3" - ], - "Default": "2", - "Description": "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.", - "Type": "String" - }, - "WebClientLocation": { - "Default": "0.0.0.0/0", - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "HECClientLocation": { - "Default": "0.0.0.0/0", - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "IndexerInstanceType": { - "AllowedValues": [ - "m5.4xlarge", - "m5.8xlarge", - "c5.4xlarge", - "c5.9xlarge", - "c5.18xlarge", - "i3.4xlarge", - "i3.8xlarge", - "i3en.3xlarge", - "i3en.6xlarge", - "i3en.12xlarge" - ], - "Description": "EC2 instance type for Splunk Indexers", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "SearchHeadInstanceType": { - "AllowedValues": [ - "r5.4xlarge", - "r5.8xlarge", - "r5.16xlarge", - "c5.4xlarge", - "c5.9xlarge", - "m5.2xlarge", - "m5.4xlarge", - "m5.8xlarge", - "m5.12xlarge" - ], - "Description": "EC2 instance type for Splunk Search Heads", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "IndexerApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "SearchHeadApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "KeyName": { - "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", - "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - }, - "PublicSubnet1CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.1.0/24", - "Description": "The address space that will be assigned to the first Splunk server subnet. 
(x.x.x.x/x notation)", - "Type": "String" - }, - "PublicSubnet2CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x", - "Default": "10.0.2.0/24", - "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", - "Type": "String" - }, - "PublicSubnet3CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.3.0/24", - "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", - "Type": "String" - }, - "QSS3BucketName": { - "Description": "S3 bucket name for the Quick Start assets.", - "Default": "splk-quickstart-testing", - "Type": "String" - }, - "QSS3KeyPrefix": { - "Default": "quickstart-splunk-enterprise/", - "Description": "S3 key prefix for the Quick Start assets.", - "Type": "String" - }, - "SHCEnabled": { - "AllowedValues": [ - "yes", - "no" - ], - "Default": "no", - "Description": "Do you want to build a Splunk search head cluster?", - "Type": "String" - }, - "SSHClientLocation": { - "Default": "0.0.0.0/0", - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to SSH to the EC2 instances. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "SplunkAdminPassword": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerCount": { - "ConstraintDescription": "must be a valid number, 4-10", - "Default": "4", - "Description": "How many Splunk indexers to launch. [4-10]", - "MaxValue": "10", - "MinValue": "4", - "Type": "Number" - }, - "SplunkIndexerDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SplunkSearchHeadDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk search head(s). 
(in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SplunkLicenseBucket": { - "Default": "splk-quickstart-testing", - "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", - "Type": "String" - }, - "SplunkLicensePath": { - "Default": "license/splunk.license", - "Description": "Path to license file in S3 Bucket (without leading '/')", - "Type": "String" - }, - "SplunkReplicationFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkSearchFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be searchable in the Splunk indexer clusters", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkClusterSecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Shared cluster secret for Search Head and Indexer clusters. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerDiscoverySecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Security key used for communication between your forwarders and the cluster master. 
This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" - }, - "VPCCIDR": { - "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.0.0/16", - "Description": "The address space that will be assigned to the entire VPC where Splunk will reside. (Recommend at least a /16)", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "SmartStoreBucketName": { - "Default": "bbartlett-smartstore-testing", - "Description": "Name of bucket that will be created for SmartStore storage", - "Type": "String" - } - }, - "Metadata": { - "AWS::CloudFormation::Interface": { - "ParameterGroups": [ - { - "Label": { - "default": "AWS Instance and Network Settings" - }, - "Parameters": [ - "IndexerInstanceType", - "SearchHeadInstanceType", - "KeyName", - "WebClientLocation", - "HECClientLocation", - "SSHClientLocation", - "AvailabilityZones", - "NumberOfAZs", - "VPCCIDR", - "PublicSubnet1CIDR", - "PublicSubnet2CIDR", - "PublicSubnet3CIDR" - ] - }, - { - "Label": { - "default": "Splunk Settings" - }, - "Parameters": [ - "SplunkAdminPassword", - "SplunkClusterSecret", - "SplunkIndexerDiscoverySecret", - "SplunkLicenseBucket", - "SplunkLicensePath", - "SplunkIndexerCount", - "SplunkIndexerDiskSize", - "SplunkSearchHeadDiskSize", - "SplunkReplicationFactor", - "SplunkSearchFactor", - "SmartStoreBucketName", - "SHCEnabled", - "IndexerApps", - "SearchHeadApps" - ] - }, - { - "Label": { - "default": "AWS Quick Start Configuration" - }, - "Parameters": [ - "QSS3BucketName", - "QSS3KeyPrefix" - ] - } - ], - "ParameterLabels": { - "AvailabilityZones": { - "default": "Availability Zones" - }, - "NumberOfAZs": { - "default": "Number of Availability 
Zones" - }, - "WebClientLocation": { - "default": "Permitted CIDR for Splunk web interface" - }, - "HECClientLocation": { - "default": "Permitted CIDR for Splunk HTTP event collector input" - }, - "IndexerInstanceType": { - "default": "EC2 instance type for Splunk indexer" - }, - "SearchHeadInstanceType": { - "default": "EC2 instance type for Splunk search head" - }, - "KeyName": { - "default": "Key Name" - }, - "PublicSubnet1CIDR": { - "default": "Public Subnet 1 CIDR" - }, - "PublicSubnet2CIDR": { - "default": "Public Subnet 2 CIDR" - }, - "PublicSubnet3CIDR": { - "default": "Public Subnet 3 CIDR" - }, - "QSS3BucketName": { - "default": "QuickStart S3 Bucket Name" - }, - "QSS3KeyPrefix": { - "default": "QuickStart S3 Key Prefix" - }, - "SHCEnabled": { - "default": "Enable Search Head Cluster?" - }, - "SSHClientLocation": { - "default": "Permitted CIDR for ssh" - }, - "SplunkAdminPassword": { - "default": "Splunk Admin Password" - }, - "SplunkIndexerCount": { - "default": "No. of Splunk Indexers" - }, - "SplunkIndexerDiskSize": { - "default": "Indexer Disk Size" - }, - "SplunkLicenseBucket": { - "default": "Splunk License Bucket" - }, - "SplunkLicensePath": { - "default": "Splunk License S3 Bucket Path" - }, - "SplunkReplicationFactor": { - "default": "Index Cluster Replication Factor" - }, - "SplunkSearchFactor": { - "default": "Index Cluster Search Factor" - }, - "SmartStoreBucketName": { - "default": "Name of bucket that will be created for SmartStore storage" - }, - "SplunkClusterSecret": { - "default": "Shared Security Key for Cluster Nodes" - }, - "SplunkIndexerDiscoverySecret": { - "default": "Shared Security Key for Forwarders using Indexer Discovery" - }, - "IndexerApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Indexers" - }, - "SearchHeadApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" - }, - "VPCCIDR": { - "default": "VPC CIDR" - } - } - } - }, - "Conditions": { - "Create3AZ": { - "Fn::Equals": [ - { - "Ref": 
"NumberOfAZs" - }, - "3" - ] - } - }, - "Resources": { - "VPCStack": { - "Type": "AWS::CloudFormation::Stack", - "Properties": { - "TemplateURL": { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template" - }, - "Parameters": { - "AvailabilityZones": { - "Fn::Join": [ - ",", - { - "Ref": "AvailabilityZones" - } - ] - }, - "CreatePrivateSubnets": "false", - "KeyPairName": { - "Ref": "KeyName" - }, - "NumberOfAZs": { - "Ref": "NumberOfAZs" - }, - "PublicSubnet1CIDR": { - "Ref": "PublicSubnet1CIDR" - }, - "PublicSubnet2CIDR": { - "Ref": "PublicSubnet2CIDR" - }, - "PublicSubnet3CIDR": { - "Ref": "PublicSubnet3CIDR" - }, - "VPCCIDR": { - "Ref": "VPCCIDR" - } - }, - "TimeoutInMinutes": 15 - } - }, - "SplunkStack": { - "Type": "AWS::CloudFormation::Stack", - "Properties": { - "TemplateURL": { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise-ss.template" - }, - "Parameters": { - "VPCID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.VPCID" - ] - }, - "VPCCIDR": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.VPCCIDR" - ] - }, - "PublicSubnet1ID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet1ID" - ] - }, - "PublicSubnet2ID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet2ID" - ] - }, - "PublicSubnet3ID": { - "Fn::If": [ - "Create3AZ", - { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet3ID" - ] - }, - { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet2ID" - ] - } - ] - }, - "NumberOfAZs": { - "Ref": "NumberOfAZs" - }, - "IndexerInstanceType": { - "Ref": "IndexerInstanceType" - }, - "SearchHeadInstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "SplunkAdminPassword": { - "Ref": "SplunkAdminPassword" - }, - "SplunkClusterSecret": { - "Ref": "SplunkClusterSecret" - }, - "SplunkIndexerDiscoverySecret": { - "Ref": "SplunkIndexerDiscoverySecret" - }, - "SplunkLicenseBucket": { - "Ref": "SplunkLicenseBucket" - }, - 
"SplunkLicensePath": { - "Ref": "SplunkLicensePath" - }, - "KeyName": { - "Ref": "KeyName" - }, - "SSHClientLocation": { - "Ref": "SSHClientLocation" - }, - "HECClientLocation": { - "Ref": "HECClientLocation" - }, - "WebClientLocation": { - "Ref": "WebClientLocation" - }, - "SplunkIndexerCount": { - "Ref": "SplunkIndexerCount" - }, - "SHCEnabled": { - "Ref": "SHCEnabled" - }, - "SplunkIndexerDiskSize": { - "Ref": "SplunkIndexerDiskSize" - }, - "SmartStoreBucketName": { - "Ref": "SmartStoreBucketName" - }, - "SplunkReplicationFactor": { - "Ref": "SplunkReplicationFactor" - }, - "IndexerApps": { - "Fn::Join": [ - ",", - { - "Ref": "IndexerApps" - } - ] - }, - "SearchHeadApps": { - "Fn::Join": [ - ",", - { - "Ref": "SearchHeadApps" - } - ] - } - }, - "TimeoutInMinutes": 60 - } - } - }, - "Outputs": { - "SearchHeadURL": { - "Description": "Splunk Enterprise - Search Head URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.SearchHeadURL" - ] - } - }, - "ClusterMasterURL": { - "Description": "Splunk Enterprise - Cluster Master URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.ClusterMasterURL" - ] - } - }, - "ClusterMasterManagementURL": { - "Description": "Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.ClusterMasterManagementURL" - ] - } - }, - "DeployerURL": { - "Description": "Splunk Enterprise - Search Head Cluster Deployer URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.DeployerURL" - ] - } - }, - "HttpEventCollectorURL": { - "Description": "HTTP Event Collector URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.HttpEventCollectorURL" - ] - } - }, - "HttpEventCollectorToken": { - "Description": "HTTP Event Collector Token", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.HttpEventCollectorToken" - ] - } - } - } -} 
diff --git a/templates/splunk-enterprise-master.template b/templates/splunk-enterprise-master.template
deleted file mode 100644
index 0ed0c23..0000000
--- a/templates/splunk-enterprise-master.template
+++ /dev/null
@@ -1,577 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Splunk deployment with indexer, search head clustering and cluster master.", - "Parameters": { - "AvailabilityZones": { - "Description": "List of Availability Zones to use for the subnets in the VPC (logical order preserved). This must match the Number of Availability Zones parameter value.", - "Type": "List" - }, - "NumberOfAZs": { - "AllowedValues": [ - "2", - "3" - ], - "Default": "2", - "Description": "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.", - "Type": "String" - }, - "WebClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "HECClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "IndexerInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "m4.2xlarge", - "m4.4xlarge", - "m4.10xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "c5.18xlarge", - "i3.2xlarge", - "i3.4xlarge", - "i3.8xlarge" - ], - "Description": "EC2 instance type for Splunk Indexers", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "SearchHeadInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "r4.4xlarge", - "r4.8xlarge", - "r4.16xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "m5.2xlarge", - "m5.4xlarge", - "m5.12xlarge" - ], - "Description": "EC2 instance type for Splunk Search Heads", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "IndexerApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "SearchHeadApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "KeyName": { - "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", - "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - }, - "PublicSubnet1CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.1.0/24", - "Description": "The address space that will be assigned to the first Splunk server subnet. 
(x.x.x.x/x notation)", - "Type": "String" - }, - "PublicSubnet2CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.2.0/24", - "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", - "Type": "String" - }, - "PublicSubnet3CIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.3.0/24", - "Description": "The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)", - "Type": "String" - }, - "QSS3BucketName": { - "Default": "splk-quickstart-testing", - "Description": "S3 bucket name for the Quick Start assets.", - "Type": "String" - }, - "QSS3KeyPrefix": { - "Default": "quickstart-splunk-enterprise/", - "Description": "S3 key prefix for the Quick Start assets.", - "Type": "String" - }, - "SHCEnabled": { - "AllowedValues": [ - "yes", - "no" - ], - "Default": "no", - "Description": "Do you want to build a Splunk search head cluster?", - "Type": "String" - }, - "SSHClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to SSH to the EC2 instances. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "SplunkAdminPassword": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerCount": { - "ConstraintDescription": "must be a valid number, 3-10", - "Default": "3", - "Description": "How many Splunk indexers to launch. [3-10]", - "MaxValue": "10", - "MinValue": "3", - "Type": "Number" - }, - "SplunkIndexerDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SplunkSearchHeadDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk search head(s). 
(in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SplunkLicenseBucket": { - "Default": "", - "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", - "Type": "String" - }, - "SplunkLicensePath": { - "Default": "", - "Description": "Path to license file in S3 Bucket (without leading '/')", - "Type": "String" - }, - "SplunkReplicationFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkSearchFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be searchable in the Splunk indexer clusters", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkClusterSecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Shared cluster secret for Search Head and Indexer clusters. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerDiscoverySecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Security key used for communication between your forwarders and the cluster master. 
This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" - }, - "VPCCIDR": { - "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Default": "10.0.0.0/16", - "Description": "The address space that will be assigned to the entire VPC where Splunk will reside. (Recommend at least a /16)", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - } - }, - "Metadata": { - "AWS::CloudFormation::Interface": { - "ParameterGroups": [ - { - "Label": { - "default": "AWS Instance and Network Settings" - }, - "Parameters": [ - "IndexerInstanceType", - "SearchHeadInstanceType", - "KeyName", - "WebClientLocation", - "HECClientLocation", - "SSHClientLocation", - "AvailabilityZones", - "NumberOfAZs", - "VPCCIDR", - "PublicSubnet1CIDR", - "PublicSubnet2CIDR", - "PublicSubnet3CIDR" - ] - }, - { - "Label": { - "default": "Splunk Settings" - }, - "Parameters": [ - "SplunkAdminPassword", - "SplunkClusterSecret", - "SplunkIndexerDiscoverySecret", - "SplunkLicenseBucket", - "SplunkLicensePath", - "SplunkIndexerCount", - "SplunkIndexerDiskSize", - "SplunkSearchHeadDiskSize", - "SplunkReplicationFactor", - "SplunkSearchFactor", - "SHCEnabled", - "IndexerApps", - "SearchHeadApps" - ] - }, - { - "Label": { - "default": "AWS Quick Start Configuration" - }, - "Parameters": [ - "QSS3BucketName", - "QSS3KeyPrefix" - ] - } - ], - "ParameterLabels": { - "AvailabilityZones": { - "default": "Availability Zones" - }, - "NumberOfAZs": { - "default": "Number of Availability Zones" - }, - "WebClientLocation": { - "default": "Permitted CIDR for Splunk web interface" - }, - "HECClientLocation": { - "default": "Permitted CIDR for Splunk HTTP event collector input" - }, - 
"IndexerInstanceType": { - "default": "EC2 instance type for Splunk indexer" - }, - "SearchHeadInstanceType": { - "default": "EC2 instance type for Splunk search head" - }, - "KeyName": { - "default": "Key Name" - }, - "PublicSubnet1CIDR": { - "default": "Public Subnet 1 CIDR" - }, - "PublicSubnet2CIDR": { - "default": "Public Subnet 2 CIDR" - }, - "PublicSubnet3CIDR": { - "default": "Public Subnet 3 CIDR" - }, - "QSS3BucketName": { - "default": "QuickStart S3 Bucket Name" - }, - "QSS3KeyPrefix": { - "default": "QuickStart S3 Key Prefix" - }, - "SHCEnabled": { - "default": "Enable Search Head Cluster?" - }, - "SSHClientLocation": { - "default": "Permitted CIDR for ssh" - }, - "SplunkAdminPassword": { - "default": "Splunk Admin Password" - }, - "SplunkIndexerCount": { - "default": "No. of Splunk Indexers" - }, - "SplunkIndexerDiskSize": { - "default": "Indexer Disk Size" - }, - "SplunkLicenseBucket": { - "default": "Splunk License Bucket" - }, - "SplunkLicensePath": { - "default": "Splunk License S3 Bucket Path" - }, - "SplunkReplicationFactor": { - "default": "Index Cluster Replication Factor" - }, - "SplunkSearchFactor": { - "default": "Index Cluster Search Factor" - }, - "SplunkClusterSecret": { - "default": "Shared Security Key for Cluster Nodes" - }, - "SplunkIndexerDiscoverySecret": { - "default": "Shared Security Key for Forwarders using Indexer Discovery" - }, - "IndexerApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Indexers" - }, - "SearchHeadApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" - }, - "VPCCIDR": { - "default": "VPC CIDR" - } - } - } - }, - "Conditions": { - "Create3AZ": { - "Fn::Equals": [ - { - "Ref": "NumberOfAZs" - }, - "3" - ] - } - }, - "Resources": { - "VPCStack": { - "Type": "AWS::CloudFormation::Stack", - "Properties": { - "TemplateURL": { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template" - }, - "Parameters": { - 
"AvailabilityZones": { - "Fn::Join": [ - ",", - { - "Ref": "AvailabilityZones" - } - ] - }, - "CreatePrivateSubnets": "false", - "KeyPairName": { - "Ref": "KeyName" - }, - "NumberOfAZs": { - "Ref": "NumberOfAZs" - }, - "PublicSubnet1CIDR": { - "Ref": "PublicSubnet1CIDR" - }, - "PublicSubnet2CIDR": { - "Ref": "PublicSubnet2CIDR" - }, - "PublicSubnet3CIDR": { - "Ref": "PublicSubnet3CIDR" - }, - "VPCCIDR": { - "Ref": "VPCCIDR" - } - }, - "TimeoutInMinutes": 15 - } - }, - "SplunkStack": { - "Type": "AWS::CloudFormation::Stack", - "Properties": { - "TemplateURL": { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise.template" - }, - "Parameters": { - "VPCID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.VPCID" - ] - }, - "VPCCIDR": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.VPCCIDR" - ] - }, - "PublicSubnet1ID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet1ID" - ] - }, - "PublicSubnet2ID": { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet2ID" - ] - }, - "PublicSubnet3ID": { - "Fn::If": [ - "Create3AZ", - { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet3ID" - ] - }, - { - "Fn::GetAtt": [ - "VPCStack", - "Outputs.PublicSubnet2ID" - ] - } - ] - }, - "NumberOfAZs": { - "Ref": "NumberOfAZs" - }, - "IndexerInstanceType": { - "Ref": "IndexerInstanceType" - }, - "SearchHeadInstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "SplunkAdminPassword": { - "Ref": "SplunkAdminPassword" - }, - "SplunkClusterSecret": { - "Ref": "SplunkClusterSecret" - }, - "SplunkIndexerDiscoverySecret": { - "Ref": "SplunkIndexerDiscoverySecret" - }, - "SplunkLicenseBucket": { - "Ref": "SplunkLicenseBucket" - }, - "SplunkLicensePath": { - "Ref": "SplunkLicensePath" - }, - "KeyName": { - "Ref": "KeyName" - }, - "SSHClientLocation": { - "Ref": "SSHClientLocation" - }, - "HECClientLocation": { - "Ref": "HECClientLocation" - }, - "WebClientLocation": { - "Ref": "WebClientLocation" - }, - "SplunkIndexerCount": { - "Ref": 
"SplunkIndexerCount" - }, - "SHCEnabled": { - "Ref": "SHCEnabled" - }, - "SplunkIndexerDiskSize": { - "Ref": "SplunkIndexerDiskSize" - }, - "SplunkReplicationFactor": { - "Ref": "SplunkReplicationFactor" - }, - "IndexerApps": { - "Fn::Join": [ - ",", - { "Ref": "IndexerApps" } - ] - }, - "SearchHeadApps": { - "Fn::Join": [ - ",", - { "Ref": "SearchHeadApps" } - ] - } - }, - "TimeoutInMinutes": 60 - } - } - }, - "Outputs": { - "SearchHeadURL": { - "Description": "Splunk Enterprise - Search Head URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.SearchHeadURL" - ] - } - }, - "ClusterMasterURL": { - "Description": "Splunk Enterprise - Cluster Master URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.ClusterMasterURL" - ] - } - }, - "ClusterMasterManagementURL": { - "Description": "Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.ClusterMasterManagementURL" - ] - } - }, - "DeployerURL": { - "Description": "Splunk Enterprise - Search Head Cluster Deployer URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.DeployerURL" - ] - } - }, - "HttpEventCollectorURL": { - "Description": "HTTP Event Collector URL", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.HttpEventCollectorURL" - ] - } - }, - "HttpEventCollectorToken": { - "Description": "HTTP Event Collector Token", - "Value": { - "Fn::GetAtt": [ - "SplunkStack", - "Outputs.HttpEventCollectorToken" - ] - } - } - } -} diff --git a/templates/splunk-enterprise-master-ss.yaml b/templates/splunk-enterprise-master.yaml similarity index 93% rename from templates/splunk-enterprise-master-ss.yaml rename to templates/splunk-enterprise-master.yaml index aa41feb..97bee71 100644 --- a/templates/splunk-enterprise-master-ss.yaml +++ b/templates/splunk-enterprise-master.yaml 
@@ -58,14 +58,6 @@ Parameters: ConstraintDescription: must be a valid EC2 instance type. Default: c5.4xlarge Type: String - IndexerApps: - Description: Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s) - Default: '' - Type: CommaDelimitedList - SearchHeadApps: - Description: Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s) - Default: '' - Type: CommaDelimitedList KeyName: ConstraintDescription: Must be the name of an existing EC2 KeyPair. Description: Name of an existing EC2 KeyPair to enable SSH access to the instance @@ -127,18 +119,18 @@ Parameters: MinValue: '4' Type: Number SplunkIndexerDiskSize: - ConstraintDescription: must be a valid number, 320-16000 - Default: '320' + ConstraintDescription: must be a valid number, 300-16000 + Default: '334' Description: The size of the attached EBS volume to the Splunk indexers. (in GB) MaxValue: '16000' - MinValue: '320' + MinValue: '300' Type: Number SplunkSearchHeadDiskSize: - ConstraintDescription: must be a valid number, 320-16000 - Default: '320' + ConstraintDescription: must be a valid number, 300-16000 + Default: '334' Description: The size of the attached EBS volume to the Splunk search head(s). (in GB) MaxValue: '16000' - MinValue: '320' + MinValue: '334' Type: Number SplunkLicenseBucket: Default: splk-quickstart-testing @@ -223,8 +215,6 @@ Metadata: - SplunkSearchFactor - SmartStoreBucketName - SHCEnabled - - IndexerApps - - SearchHeadApps - Label: default: AWS Quick Start Configuration Parameters: @@ -279,10 +269,6 @@ Metadata: default: Shared Security Key for Cluster Nodes SplunkIndexerDiscoverySecret: default: Shared Security Key for Forwarders using Indexer Discovery - IndexerApps: - default: Apps/Add-ons to pre-Install on Splunk Indexers - SearchHeadApps: - default: Apps/Add-ons to pre-Install on Splunk Search Heads VPCCIDR: default: VPC CIDR Conditions: 
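Review bot: In the `@@ -127,18 +119,18 @@` hunk the new bounds for `SplunkSearchHeadDiskSize` contradict each other: `ConstraintDescription` says `300-16000` but `MinValue` is `'334'`, so a value such as 320 (the previous default) is rejected with a message claiming that range is valid. `SplunkIndexerDiskSize` just above it uses `MinValue: '300'`, which suggests the search-head value is a slip; either set `MinValue: '300'` or change the text to `must be a valid number, 334-16000`. The trailing context of the same hunk shows `SplunkLicenseBucket` defaulting to `splk-quickstart-testing`; that line is not changed here, but if it names a test bucket an empty default would be safer for a released template. The `Parameters` block starts and ends outside this hunk.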
@@ -309,7 +295,7 @@ Resources: SplunkStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise-ss.yaml' + TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise.yaml' Parameters: VPCID: !GetAtt 'VPCStack.Outputs.VPCID' VPCCIDR: !GetAtt 'VPCStack.Outputs.VPCCIDR' @@ -336,12 +322,6 @@ Resources: SplunkIndexerDiskSize: !Ref 'SplunkIndexerDiskSize' SmartStoreBucketName: !Ref 'SmartStoreBucketName' SplunkReplicationFactor: !Ref 'SplunkReplicationFactor' - IndexerApps: !Join - - ',' - - !Ref 'IndexerApps' - SearchHeadApps: !Join - - ',' - - !Ref 'SearchHeadApps' TimeoutInMinutes: 60 Outputs: SearchHeadURL: diff --git a/templates/splunk-enterprise-ss.template b/templates/splunk-enterprise-ss.template deleted file mode 100644 index e6a0e67..0000000 --- a/templates/splunk-enterprise-ss.template +++ /dev/null 
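Review bot: The `TemplateURL` for `SplunkStack` in the `@@ -309,7 +295,7 @@` hunk is assembled from `QSS3BucketName` and `QSS3KeyPrefix`, and whatever template sits at that location defines the security groups, IAM roles and instances the nested stack creates, so both parameters deserve input validation. Their definitions are outside this hunk; the JSON master template deleted in the same patch declares them as plain strings with no `AllowedPattern` and a default bucket of `splk-quickstart-testing`, and the YAML presumably mirrors that. Consider adding `AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$` to `QSS3BucketName` and `AllowedPattern: ^[0-9a-zA-Z-/]*$` to `QSS3KeyPrefix`, and defaulting to a bucket the project controls for releases. It is also worth confirming that `splunk-enterprise.yaml` declares `SmartStoreBucketName` and no longer requires `IndexerApps`/`SearchHeadApps`, since the next hunk keeps passing the former and drops the latter.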
@@ -1,2158 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Splunk deployment with indexer, search head clustering and cluster master. QS(5030)", - "Parameters": { - "WebClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "HECClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "IndexerInstanceType": { - "AllowedValues": [ - "m5.4xlarge", - "m5.8xlarge", - "c5.4xlarge", - "c5.9xlarge", - "c5.18xlarge", - "i3.4xlarge", - "i3.8xlarge", - "i3en.3xlarge", - "i3en.6xlarge", - "i3en.12xlarge" - ], - "Description": "EC2 instance type for Splunk Indexers", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "SearchHeadInstanceType": { - "AllowedValues": [ - "r5.4xlarge", - "r5.8xlarge", - "r5.16xlarge", - "c5.4xlarge", - "c5.9xlarge", - "m5.2xlarge", - "m5.4xlarge", - "m5.8xlarge", - "m5.12xlarge" - ], - "Description": "EC2 instance type for Splunk Search Heads", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "IndexerApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "SearchHeadApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "KeyName": { - "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", - "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - }, - "NumberOfAZs": { - "AllowedValues": [ - "2", - "3" - ], - "Default": "2", - "Description": "Number of Availability Zones to use in the VPC. 
This must match the number public subnet IDs entered as parameters", - "Type": "String" - }, - "PublicSubnet1ID": { - "Description": "ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id" - }, - "PublicSubnet2ID": { - "Description": "ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id" - }, - "PublicSubnet3ID": { - "Description": "ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id", - "Default": "" - }, - "QSS3BucketName": { - "Default": "splk-quickstart-testing", - "Description": "S3 bucket name for the Quick Start assets.", - "Type": "String" - }, - "QSS3KeyPrefix": { - "Default": "quickstart-splunk-enterprise/", - "Description": "S3 key prefix for the Quick Start assets.", - "Type": "String" - }, - "SHCEnabled": { - "AllowedValues": [ - "yes", - "no" - ], - "Default": "no", - "Description": "Do you want to build a Splunk search head cluster?", - "Type": "String" - }, - "SSHClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "SplunkAdminPassword": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Admin password for Splunk. 
Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerCount": { - "ConstraintDescription": "must be a valid number, 3-10", - "Default": "3", - "Description": "How many Splunk indexers to launch. [3-10]", - "MaxValue": "10", - "MinValue": "3", - "Type": "Number" - }, - "SplunkIndexerDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SplunkSearchHeadDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk search head(s). (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SmartStoreBucketName": { - "Default": "", - "Description": "Name of S3 bucket to be created for SmartStore storage", - "Type": "String" - }, - "SplunkLicenseBucket": { - "Default": "", - "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", - "Type": "String" - }, - "SplunkLicensePath": { - "Default": "", - "Description": "Path to license file in S3 Bucket (without leading '/')", - "Type": "String" - }, - "SplunkReplicationFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkSearchFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be searchable in the Splunk indexer clusters", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkClusterSecret": { - "AllowedPattern": 
"(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Shared cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerDiscoverySecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. 
Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" - }, - "VPCCIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Description": "VPC CIDR Block (x.x.x.x/x notation)", - "Type": "String" - }, - "VPCID": { - "Description": "VPC ID", - "Type": "AWS::EC2::VPC::Id" - } - }, - "Metadata": { - "AWSAMIRegionMap": { - "Filters": { - "SPLUNKENTHVM": { - "name": "splunk_marketplace_AMI_*", - "owner-alias": "aws-marketplace", - "product-code.type": "marketplace" - } - } - }, - "AWS::CloudFormation::Interface": { - "ParameterGroups": [ - { - "Label": { - "default": "AWS Instance and Network Settings" - }, - "Parameters": [ - "IndexerInstanceType", - "SearchHeadInstanceType", - "KeyName", - "WebClientLocation", - "HECClientLocation", - "SSHClientLocation", - "VPCID", - "VPCCIDR", - "PublicSubnet1ID", - "PublicSubnet2ID", - "PublicSubnet3ID", - "NumberOfAZs", - "SmartStoreBucketName" - ] - }, - { - "Label": { - "default": "Splunk Settings" - }, - "Parameters": [ - "SplunkAdminPassword", - "SplunkClusterSecret", - "SplunkIndexerDiscoverySecret", - "SplunkLicenseBucket", - "SplunkLicensePath", - "SplunkIndexerCount", - "SplunkIndexerDiskSize", - "SplunkSearchHeadDiskSize", - "SplunkReplicationFactor", - "SplunkSearchFactor", - "SmartStoreBucketName", - "SHCEnabled", - "IndexerApps", - "SearchHeadApps" - ] - } - ], - "ParameterLabels": { - "WebClientLocation": { - "default": "Permitted CIDR for Splunk web interface" - }, - "HECClientLocation": { - "default": "Permitted CIDR for Splunk HTTP event collector input" - }, - "IndexerInstanceType": { - "default": "EC2 instance type for Splunk indexer" - }, - "SearchHeadInstanceType": { - "default": "EC2 instance type for Splunk search head" 
- }, - "KeyName": { - "default": "Key Name" - }, - "PublicSubnet1ID": { - "default": "Public Subnet 1 ID" - }, - "PublicSubnet2ID": { - "default": "Public Subnet 2 ID" - }, - "PublicSubnet3ID": { - "default": "Public Subnet 3 ID" - }, - "NumberOfAZs": { - "default": "Number of Availability Zones" - }, - "SHCEnabled": { - "default": "Enable Search Head Cluster?" - }, - "SSHClientLocation": { - "default": "Permitted CIDR for ssh" - }, - "SplunkAdminPassword": { - "default": "Splunk Admin Password" - }, - "SplunkIndexerCount": { - "default": "No. of Splunk Indexers" - }, - "SmartStoreBucketName": { - "default": "Name of bucket to be created for Smartstore storage" - }, - "SplunkIndexerDiskSize": { - "default": "Indexer Disk Size" - }, - "SplunkSearchHeadDiskSize": { - "default": "Search Head(s) Disk Size" - }, - "SplunkLicenseBucket": { - "default": "Splunk License Bucket" - }, - "SplunkLicensePath": { - "default": "Splunk License S3 Bucket Path" - }, - "SplunkReplicationFactor": { - "default": "Index Cluster Replication Factor" - }, - "SplunkSearchFactor": { - "default": "Index Cluster Search Factor" - }, - "SplunkClusterSecret": { - "default": "Shared Security Key for Cluster Nodes" - }, - "SplunkIndexerDiscoverySecret": { - "default": "Shared Security Key for Forwarders using Indexer Discovery" - }, - "IndexerApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Indexers" - }, - "SearchHeadApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" - }, - "VPCCIDR": { - "default": "VPC CIDR" - }, - "VPCID": { - "default": "VPC ID" - } - } - } - }, - "Conditions": { - "Create3AZ": { - "Fn::Equals": [ - { - "Ref": "NumberOfAZs" - }, - "3" - ] - }, - "CreateSingleSearchHead": { - "Fn::Equals": [ - { - "Ref": "SHCEnabled" - }, - "no" - ] - }, - "CreateSHC": { - "Fn::Equals": [ - { - "Ref": "SHCEnabled" - }, - "yes" - ] - }, - "InstallIndexerApps": { - "Fn::Not": [ - { - "Fn::Equals": [ - { - "Fn::Join": [ - "", - { - "Ref": "IndexerApps" - } - ] - 
}, - "" - ] - } - ] - }, - "InstallSearchHeadApps": { - "Fn::Not": [ - { - "Fn::Equals": [ - { - "Fn::Join": [ - "", - { - "Ref": "SearchHeadApps" - } - ] - }, - "" - ] - } - ] - }, - "ConfigureLicense": { - "Fn::And": [ - { - "Fn::Not": [ - { - "Fn::Equals": [ - "", - { - "Ref": "SplunkLicenseBucket" - } - ] - } - ] - }, - { - "Fn::Not": [ - { - "Fn::Equals": [ - "", - { - "Ref": "SplunkLicensePath" - } - ] - } - ] - } - ] - } - }, - "Mappings": { - "AWSAMIRegionMap": { - "AMI": { - "SPLUNKENTHVM": "splunk_marketplace_AMI_2018-10-16_22_07_36-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d-ami-0d494b5a999e1c49f.4" - }, - "ap-northeast-1": { - "SPLUNKENTHVM": "ami-0db36f11d65f551fb" - }, - "ap-northeast-2": { - "SPLUNKENTHVM": "ami-09c7965888207979b" - }, - "ap-south-1": { - "SPLUNKENTHVM": "ami-07c20db6edfd45f98 " - }, - "ap-southeast-1": { - "SPLUNKENTHVM": "ami-0e7b7ca1bdcdd93a6" - }, - "ap-southeast-2": { - "SPLUNKENTHVM": "ami-0c8a4d5bdf83f0df8" - }, - "ca-central-1": { - "SPLUNKENTHVM": "ami-02f085f4514fa7145" - }, - "eu-central-1": { - "SPLUNKENTHVM": "ami-09ce965c3b1a9a1cb" - }, - "eu-west-1": { - "SPLUNKENTHVM": "ami-0fafe9e81915f154e" - }, - "eu-west-2": { - "SPLUNKENTHVM": "ami-060d9e50d310e0ebb" - }, - "sa-east-1": { - "SPLUNKENTHVM": "ami-0dacd4005280936e5" - }, - "us-east-1": { - "SPLUNKENTHVM": "ami-0db9d414307afccce" - }, - "us-east-2": { - "SPLUNKENTHVM": "ami-04b6874c649721f0a" - }, - "us-west-1": { - "SPLUNKENTHVM": "ami-0377011a3f771e353" - }, - "us-west-2": { - "SPLUNKENTHVM": "ami-098f3b1d228f57491" - } - }, - "SplunkConfig": { - "dedicated-instance-type": { - "clusterMaster": "c5.xlarge", - "shclusterDeployer": "c5.xlarge" - }, - "shcluster-replication-factor": { - "num": "3" - }, - "labels": { - "cluster": "IndexerCluster", - "shcluster": "SearchHeadCluster" - } - } - }, - "Resources": { - "SplunkSmartstoreBucket": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketName": { - "Ref": "SmartStoreBucketName" - }, - "BucketEncryption": { - 
"ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "SSEAlgorithm": "AES256" - } - } - ] - } - }, - "DeletionPolicy": "Delete" - }, - "SmartStoreS3BucketRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ec2.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - }, - "Path": "/" - } - }, - "SmartStoreS3AccessInstanceProfile": { - "Type": "AWS::IAM::InstanceProfile", - "Properties": { - "Path": "/", - "Roles": [ - { - "Ref": "SmartStoreS3BucketRole" - } - ] - } - }, - "SmartStoreS3BucketPolicy": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyName": "SmartStoreS3BucketPolicy", - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:aws:s3:::", - { - "Ref": "SmartStoreBucketName" - } - ] - ] - } - ] - }, - { - "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObjectAcl" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:aws:s3:::", - { - "Ref": "SmartStoreBucketName" - }, - "/*" - ] - ] - } - ] - } - ] - }, - "Roles": [ - { - "Ref": "SmartStoreS3BucketRole" - } - ] - } - }, - "SplunkSearchHeadSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 8000, - "ToPort": 8000, - "CidrIp": { - "Ref": "WebClientLocation" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8090, - "ToPort": 8090, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8191, - "ToPort": 8191, - "CidrIp": { - "Ref": "VPCCIDR" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - 
"Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkSearchHeadSecurityGroup" - } - ] - } - }, - "SplunkIndexerSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 9997, - "ToPort": 9997, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8088, - "ToPort": 8088, - "SourceSecurityGroupId": { - "Ref": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 514, - "ToPort": 514, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "udp", - "FromPort": 514, - "ToPort": 514, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 9887, - "ToPort": 9887, - "CidrIp": { - "Ref": "VPCCIDR" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkIndexerSecurityGroup" - } - ] - } - }, - "SplunkSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable administrative ports like restricted SSH and management port", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22, - "CidrIp": { - "Ref": "SSHClientLocation" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8089, - "ToPort": 8089, - "CidrIp": { - "Ref": "VPCCIDR" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkSecurityGroup" - } - ] - } - }, - "SplunkHttpEventCollectorLoadBalancerSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable port 8088 on ELB for HEC input", 
- "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 8088, - "ToPort": 8088, - "CidrIp": { - "Ref": "HECClientLocation" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" - } - ] - } - }, - "SplunkSearchHeadInstance": { - "Type": "AWS::EC2::Instance", - "Condition": "CreateSingleSearchHead", - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT15M" - } - }, - "Properties": { - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "KeyName": { - "Ref": "KeyName" - }, - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Role", - "Value": "splunk-search-head" - }, - { - "Key": "Name", - "Value": "search-head" - } - ], - "NetworkInterfaces": [ - { - "GroupSet": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "AssociatePublicIpAddress": true, - "DeviceIndex": "0", - "DeleteOnTermination": true, - "SubnetId": { - "Ref": "PublicSubnet1ID" - } - } - ], - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": { - "Ref": "SplunkSearchHeadDiskSize" - } - } - } - ], - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash \n", - "export INSTALL_SH_APPS=0\n", - "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", - "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", - "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", - "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - "export CM_PRIVATEIP=\"", {"Fn::GetAtt": ["SplunkCM", "PrivateIp"] }, "\" \n", - - "export S3_USERDATA=\"", - { - "Fn::Sub": 
"https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - }, - "\"\n", - { - "Fn::If": [ - "InstallSearchHeadApps", - { - "Fn::Join": [ - "", - [ - "# Add user-provided apps on the search head\n", - "export INSTALL_SH_APPS=1\n", - "export USER_APPS=( ", - { - "Fn::Join": [ - " ", - {"Ref": "SearchHeadApps"} - ] - }, - " )\n" - ] - ] - }, - "" - ] - }, - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh single_sh && rm -f /tmp/user_data.sh\n" - ] - ] - } - } - } - }, - "SplunkCM": { - "Type": "AWS::EC2::Instance", - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT15M" - } - }, - "Metadata": { - "AWS::CloudFormation::Init": { - "Fn::If": [ - "ConfigureLicense", - { - "config": { - "files": { - "/opt/splunk/etc/licenses/enterprise/splunk.license": { - "source": { - "Fn::If": [ - "ConfigureLicense", - { - "Fn::Join": [ - "", - [ - "https://", - { - "Ref": "SplunkLicenseBucket" - }, - ".s3.amazonaws.com/", - { - "Ref": "SplunkLicensePath" - } - ] - ] - }, - { - "Ref": "AWS::NoValue" - } - ] - }, - "mode": "000600", - "owner": "splunk", - "group": "splunk", - "authentication": "S3AccessCreds" - } - } - } - }, - { - "Ref": "AWS::NoValue" - } - ] - }, - "AWS::CloudFormation::Authentication": { - "Fn::If": [ - "ConfigureLicense", - { - "S3AccessCreds": { - "type": "S3", - "accessKeyId": { - "Ref": "CfnKeys" - }, - "secretKey": { - "Fn::GetAtt": [ - "CfnKeys", - "SecretAccessKey" - ] - }, - "buckets": [ - { - "Ref": "SplunkLicenseBucket" - } - ] - } - }, - { - "Ref": "AWS::NoValue" - } - ] - } - }, - "Properties": { - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": 50 - } - } - ], - "NetworkInterfaces": [ - { - "GroupSet": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "AssociatePublicIpAddress": true, - "DeviceIndex": "0", - "DeleteOnTermination": 
true, - "SubnetId": { - "Ref": "PublicSubnet1ID" - } - } - ], - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Fn::FindInMap": [ - "SplunkConfig", - "dedicated-instance-type", - "clusterMaster" - ] - }, - "KeyName": { - "Ref": "KeyName" - }, - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Role", - "Value": "cluster-master" - }, - { - "Key": "Name", - "Value": "cluster-master" - } - ], - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash -v\n", - - "export INSTALL_INDEXER_APPS=0\n", - "export INSTALL_LICENSE=0\n", - - "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", - "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", - "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", - "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - "export SMARTSTORE_BUCKET=\"", {"Ref": "SmartStoreBucketName"}, "\"\n", - "export SplunkCMWaitHandle=\"", {"Ref": "SplunkCMWaitHandle"}, "\"\n", - "export REPFACTOR=\"", {"Ref": "SplunkReplicationFactor"}, "\"\n", - "export SEARCHFACTOR=\"", {"Ref": "SplunkSearchFactor"}, "\"\n", - - "export S3_USERDATA=\"", - { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - }, - "\"\n", - - "export SITELIST=\"", - { - "Fn::If": [ - "Create3AZ", - "site1,site2,site3", - "site1,site2" - ] - }, - "\"\n", - - { - "Fn::If": [ - "ConfigureLicense", - { - "Fn::Join": [ - "", - ["export INSTALL_LICENSE=1\n"] - ] - }, - "" - ] - }, - { - "Fn::If": [ - "InstallIndexerApps", - { - "Fn::Join": [ - "", - [ - "export INSTALL_INDEXER_APPS=1\n", - "# Add user-provided apps for peer nodes\n", - "export USER_APPS=( ", - { - "Fn::Join": [ - " ", - { - "Ref": "IndexerApps" - } - ] - }, - " )\n" - ] - ] - }, - "" - ] - }, - "# download 
user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh cm && rm -f /tmp/user_data.sh\n" - ] - ] - } - } - } - }, - "SplunkCMWaitHandle": { - "Type": "AWS::CloudFormation::WaitConditionHandle" - }, - "SplunkCMWaitCondition": { - "Type": "AWS::CloudFormation::WaitCondition", - "DependsOn": "SplunkCM", - "Properties": { - "Handle": { - "Ref": "SplunkCMWaitHandle" - }, - "Timeout": "900" - } - }, - "SplunkSHCDeployer": { - "Type": "AWS::EC2::Instance", - "Condition": "CreateSHC", - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT20M" - } - }, - "Properties": { - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Fn::FindInMap": [ - "SplunkConfig", - "dedicated-instance-type", - "shclusterDeployer" - ] - }, - "KeyName": { - "Ref": "KeyName" - }, - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Role", - "Value": "splunk-deployer" - }, - { - "Key": "Name", - "Value": "deployer" - } - ], - "NetworkInterfaces": [ - { - "GroupSet": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "AssociatePublicIpAddress": true, - "DeviceIndex": "0", - "DeleteOnTermination": true, - "SubnetId": { - "Ref": "PublicSubnet1ID" - } - } - ], - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": { - "Ref": "SplunkSearchHeadDiskSize" - } - } - } - ], - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash -v\n", - "export INSTALL_SH_APPS=0\n", - - "export S3_USERDATA=\"", - { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - }, - "\"\n", - - "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", - "export STACK_NAME=\"", {"Ref": 
"AWS::StackName"}, "\" \n", - "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", - "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - - "export CM_PRIVATEIP=\"", {"Fn::GetAtt": ["SplunkCM", "PrivateIp"] }, "\" \n", - - { - "Fn::If": [ - "InstallSearchHeadApps", - { - "Fn::Join": [ - "", - [ - "# Add user-provided apps on the search head\n", - "export INSTALL_SH_APPS=1\n", - "export USER_APPS=( ", - { - "Fn::Join": [ - " ", - { - "Ref": "SearchHeadApps" - } - ] - }, - " )\n" - ] - ] - }, - "" - ] - }, - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh deployer && rm -f user_data.sh\n" - ] - ] - } - } - } - }, - "SplunkSHCMember1": { - "Type": "AWS::EC2::Instance", - "Condition": "CreateSHC", - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT20M" - } - }, - "Properties": { - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "KeyName": { - "Ref": "KeyName" - }, - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Role", - "Value": "splunk-search-head" - }, - { - "Key": "Name", - "Value": "search-head-1" - } - ], - "NetworkInterfaces": [ - { - "GroupSet": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "AssociatePublicIpAddress": true, - "DeviceIndex": "0", - "DeleteOnTermination": true, - "SubnetId": { - "Ref": "PublicSubnet1ID" - } - } - ], - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": { - "Ref": "SplunkSearchHeadDiskSize" - } - } - } - ], - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash -v\n", - - "export S3_USERDATA=\"", - { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - }, - "\"\n", - - 
"export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", - "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", - "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", - "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - "export CM_PRIVATEIP=\"", {"Fn::GetAtt": ["SplunkCM", "PrivateIp"] }, "\" \n", - "export SH_REPLICATION_FACTOR=\"", - { - "Fn::FindInMap": [ - "SplunkConfig", - "shcluster-replication-factor", - "num" - ] - }, - "\" \n", - - "export THREEAZ=\"", - { - "Fn::If": ["Create3AZ", "1", "0"] - }, - "\"\n", - - "export SH_DEPLOYER_IP=\"", - { - "Fn::GetAtt": [ - "SplunkSHCDeployer", - "PrivateIp" - ] - }, - "\" \n", - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh cluster_sh 1 && rm -f /tmp/user_data.sh\n" - ] - ] - } - } - } - }, - "SplunkSHCMember2": { - "Type": "AWS::EC2::Instance", - "Condition": "CreateSHC", - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT20M" - } - }, - "Properties": { - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "KeyName": { - "Ref": "KeyName" - }, - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Role", - "Value": "splunk-search-head" - }, - { - "Key": "Name", - "Value": "search-head-2" - } - ], - "NetworkInterfaces": [ - { - "GroupSet": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "AssociatePublicIpAddress": true, - "DeviceIndex": "0", - "DeleteOnTermination": true, - "SubnetId": { - "Ref": "PublicSubnet2ID" - } - } - ], - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": { - "Ref": "SplunkSearchHeadDiskSize" - } - } - } - ], - 
"UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash -v\n", - - "export S3_USERDATA=\"", - { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - }, - "\"\n", - - "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", - "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", - "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", - "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - "export CM_PRIVATEIP=\"", {"Fn::GetAtt": ["SplunkCM", "PrivateIp"] }, "\" \n", - "export SH_REPLICATION_FACTOR=\"", - { - "Fn::FindInMap": [ - "SplunkConfig", - "shcluster-replication-factor", - "num" - ] - }, - "\" \n", - - "export THREEAZ=\"", - { - "Fn::If": ["Create3AZ", "1", "0"] - }, - "\"\n", - - "export SH_DEPLOYER_IP=\"", - { - "Fn::GetAtt": [ - "SplunkSHCDeployer", - "PrivateIp" - ] - }, - "\" \n", - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh cluster_sh 2 && rm -f /tmp/user_data.sh\n" - ] - ] - } - } - } - }, - "SplunkSHCMember3": { - "Type": "AWS::EC2::Instance", - "Condition": "CreateSHC", - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT20M" - } - }, - "Properties": { - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "KeyName": { - "Ref": "KeyName" - }, - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Role", - "Value": "splunk-search-head" - }, - { - "Key": "Name", - "Value": "search-head-3" - } - ], - "NetworkInterfaces": [ - { - "GroupSet": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "AssociatePublicIpAddress": true, - "DeviceIndex": "0", - "DeleteOnTermination": true, 
- "SubnetId": { - "Fn::If": [ - "Create3AZ", - { - "Ref": "PublicSubnet3ID" - }, - { - "Ref": "PublicSubnet2ID" - } - ] - } - } - ], - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": { - "Ref": "SplunkSearchHeadDiskSize" - } - } - } - ], - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash -v\n", - - "export S3_USERDATA=\"", - { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - }, - "\"\n", - - "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", - "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", - "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", - "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - "export CM_PRIVATEIP=\"", {"Fn::GetAtt": ["SplunkCM", "PrivateIp"] }, "\" \n", - "export SH_REPLICATION_FACTOR=\"", - { - "Fn::FindInMap": [ - "SplunkConfig", - "shcluster-replication-factor", - "num" - ] - }, - "\" \n", - - "export THREEAZ=\"", - { - "Fn::If": ["Create3AZ", "1", "0"] - }, - "\"\n", - - "export SH_DEPLOYER_IP=\"", - { - "Fn::GetAtt": [ - "SplunkSHCDeployer", - "PrivateIp" - ] - }, - "\" \n", - - "export SH1_IP=\"", - { - "Fn::GetAtt": [ - "SplunkSHCMember1", - "PrivateIp" - ] - }, - "\" \n", - - "export SH2_IP=\"", - { - "Fn::GetAtt": [ - "SplunkSHCMember2", - "PrivateIp" - ] - }, - "\" \n", - - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh cluster_sh 3 && rm -f /tmp/user_data.sh\n" - ] - ] - } - } - } - }, - "CfnUser": { - "Type": "AWS::IAM::User", - "Condition": "ConfigureLicense", - "Properties": { - "Path": "/" - } - }, - "CfnKeys": { - "Type": "AWS::IAM::AccessKey", - "Condition": "ConfigureLicense", - "Properties": { - "UserName": { - "Ref": "CfnUser" - } - } - }, - "BucketPolicy": { - "Type": 
"AWS::S3::BucketPolicy", - "Condition": "ConfigureLicense", - "Properties": { - "PolicyDocument": { - "Version": "2012-10-17", - "Id": "MyPolicy", - "Statement": [ - { - "Sid": "ReadAccess", - "Action": [ - "s3:GetObject" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:aws:s3:::", - { - "Ref": "SplunkLicenseBucket" - }, - "/*" - ] - ] - }, - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CfnUser", - "Arn" - ] - } - } - } - ] - }, - "Bucket": { - "Ref": "SplunkLicenseBucket" - } - } - }, - "SplunkIndexerLaunchConfiguration": { - "Type": "AWS::AutoScaling::LaunchConfiguration", - "Properties": { - "AssociatePublicIpAddress": true, - "IamInstanceProfile": { - "Ref": "SmartStoreS3AccessInstanceProfile" - }, - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": { - "Ref": "SplunkIndexerDiskSize" - } - } - } - ], - "SecurityGroups": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkIndexerSecurityGroup" - } - ], - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Ref": "IndexerInstanceType" - }, - "KeyName": { - "Ref": "KeyName" - }, - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash -v\n", - "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n", - "export SPLUNK_USER=splunk\n", - "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", - "export SPLUNK_HOME=/opt/splunk\n", - - "export S3_USERDATA=\"", - { - "Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - }, - "\"\n", - - "export SMARTSTORE_BUCKET=\"", { "Ref": "SmartStoreBucketName" }, "\"\n", - "export SYMMKEY=\"", {"Ref": "SplunkIndexerDiscoverySecret"}, "\" \n", - "export ADMIN_PASSWORD=\"", {"Ref": "SplunkAdminPassword"}, "\" \n", - "export STACK_NAME=\"", {"Ref": "AWS::StackName"}, "\" \n", - "export AWS_REGION=\"", {"Ref": "AWS::Region"}, "\" \n", 
- "export SPLUNK_CLUSTER_SECRET=\"", {"Ref": "SplunkClusterSecret"}, "\" \n", - "export CM_PRIVATEIP=\"", {"Fn::GetAtt": ["SplunkCM", "PrivateIp"] }, "\" \n", - "export SUBNET1_ID=\"", {"Ref": "PublicSubnet1ID"},"\"\n", - "export SUBNET2_ID=\"", {"Ref": "PublicSubnet2ID"},"\"\n", - "export SUBNET3_ID=\"", {"Ref": "PublicSubnet3ID"},"\"\n", - - "# download user_data script\n", - "wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh\n", - "/tmp/user_data.sh indexer && rm -f /tmp/user_data.sh\n" - ] - ] - } - } - } - }, - "SplunkSHCLoadBalancer": { - "Type": "AWS::ElasticLoadBalancing::LoadBalancer", - "Condition": "CreateSHC", - "Properties": { - "ConnectionDrainingPolicy": { - "Enabled": true, - "Timeout": 300 - }, - "LBCookieStickinessPolicy": [ - { - "CookieExpirationPeriod": "86400", - "PolicyName": "SplunkWebCookiePolicy" - } - ], - "Instances": [ - { - "Ref": "SplunkSHCMember1" - }, - { - "Ref": "SplunkSHCMember2" - }, - { - "Ref": "SplunkSHCMember3" - } - ], - "Listeners": [ - { - "LoadBalancerPort": "8000", - "InstancePort": "8000", - "Protocol": "HTTP", - "PolicyNames": [ - "SplunkWebCookiePolicy" - ] - } - ], - "Scheme": "internet-facing", - "SecurityGroups": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "CrossZone": true, - "Subnets": { - "Fn::If": [ - "Create3AZ", - [ - { - "Ref": "PublicSubnet1ID" - }, - { - "Ref": "PublicSubnet2ID" - }, - { - "Ref": "PublicSubnet3ID" - } - ], - [ - { - "Ref": "PublicSubnet1ID" - }, - { - "Ref": "PublicSubnet2ID" - } - ] - ] - }, - "HealthCheck": { - "Target": "TCP:8089", - "HealthyThreshold": "2", - "UnhealthyThreshold": "3", - "Interval": "30", - "Timeout": "5" - } - } - }, - "SplunkHttpEventCollectorLoadBalancer": { - "Type": "AWS::ElasticLoadBalancing::LoadBalancer", - "Properties": { - "ConnectionDrainingPolicy": { - "Enabled": true, - "Timeout": 300 - }, - "Listeners": [ - { - "InstancePort": "8088", - "InstanceProtocol": "HTTPS", - 
"LoadBalancerPort": "8088", - "Protocol": "HTTP" - } - ], - "Scheme": "internet-facing", - "SecurityGroups": [ - { - "Ref": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" - } - ], - "CrossZone": true, - "Subnets": { - "Fn::If": [ - "Create3AZ", - [ - { - "Ref": "PublicSubnet1ID" - }, - { - "Ref": "PublicSubnet2ID" - }, - { - "Ref": "PublicSubnet3ID" - } - ], - [ - { - "Ref": "PublicSubnet1ID" - }, - { - "Ref": "PublicSubnet2ID" - } - ] - ] - }, - "HealthCheck": { - "Target": "HTTPS:8088/services/collector/health", - "HealthyThreshold": "3", - "UnhealthyThreshold": "2", - "Interval": "20", - "Timeout": "5" - }, - "Policies": [ - { - "PolicyName": "EnableProxyProtocol", - "PolicyType": "ProxyProtocolPolicyType", - "Attributes": [ - { - "Name": "ProxyProtocol", - "Value": true - } - ], - "InstancePorts": [ - "8088" - ] - } - ] - } - }, - "SplunkIndexerNodesASG": { - "Type": "AWS::AutoScaling::AutoScalingGroup", - "DependsOn": "SplunkCM", - "Properties": { - "VPCZoneIdentifier": { - "Fn::If": [ - "Create3AZ", - [ - { - "Ref": "PublicSubnet1ID" - }, - { - "Ref": "PublicSubnet2ID" - }, - { - "Ref": "PublicSubnet3ID" - } - ], - [ - { - "Ref": "PublicSubnet1ID" - }, - { - "Ref": "PublicSubnet2ID" - } - ] - ] - }, - "LaunchConfigurationName": { - "Ref": "SplunkIndexerLaunchConfiguration" - }, - "MinSize": { - "Ref": "SplunkIndexerCount" - }, - "MaxSize": { - "Ref": "SplunkIndexerCount" - }, - "DesiredCapacity": { - "Ref": "SplunkIndexerCount" - }, - "LoadBalancerNames": [ - { - "Ref": "SplunkHttpEventCollectorLoadBalancer" - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - }, - "PropagateAtLaunch": true - }, - { - "Key": "Role", - "Value": "splunk-indexer", - "PropagateAtLaunch": true - }, - { - "Key": "Name", - "Value": "indexer-N", - "PropagateAtLaunch": true - } - ] - }, - "CreationPolicy": { - "ResourceSignal": { - "Count": { - "Ref": "SplunkIndexerCount" - }, - "Timeout": "PT30M" - } - } - } - }, - "Outputs": { - 
"SearchHeadURL": { - "Description": "Splunk Enterprise - Search Head URL", - "Value": { - "Fn::Join": [ - "", - [ - "http://", - { - "Fn::If": [ - "CreateSHC", - { - "Fn::GetAtt": [ - "SplunkSHCLoadBalancer", - "DNSName" - ] - }, - { - "Fn::GetAtt": [ - "SplunkSearchHeadInstance", - "PublicIp" - ] - } - ] - }, - ":8000" - ] - ] - } - }, - "ClusterMasterURL": { - "Description": "Splunk Enterprise - Cluster Master URL", - "Value": { - "Fn::Join": [ - "", - [ - "http://", - { - "Fn::GetAtt": [ - "SplunkCM", - "PublicIp" - ] - }, - ":8000" - ] - ] - } - }, - "ClusterMasterManagementURL": { - "Description": "Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)", - "Value": { - "Fn::Join": [ - "" , - [ - "https://", - { - "Fn::GetAtt": ["SplunkCM", "PrivateIp"] - }, - ":8089" - ] - ] - } - }, - "DeployerURL": { - "Description": "Splunk Enterprise - Search Head Cluster Deployer URL", - "Value": { - "Fn::If": [ - "CreateSHC", - { - "Fn::Join": [ - "", - [ - "http://", - { - "Fn::GetAtt": [ - "SplunkSHCDeployer", - "PublicIp" - ] - }, - ":8000" - ] - ] - }, - "Applicable when Search Head Cluster is selected" - ] - } - }, - "HttpEventCollectorURL": { - "Description": "HTTP Event Collector URL", - "Value": { - "Fn::Join": [ - "", - [ - "http://", - { - "Fn::GetAtt": [ - "SplunkHttpEventCollectorLoadBalancer", - "DNSName" - ] - }, - ":8088", - "/services/collector" - ] - ] - } - }, - "HttpEventCollectorToken": { - "Description": "HTTP Event Collector Token", - "Value": { - "Fn::Select": [ - "1", - { - "Fn::Split": [ - "\"", - { - "Fn::Select": [ - "1", - { - "Fn::Split": [ - ":", - { - "Fn::GetAtt": [ - "SplunkCMWaitCondition", - "Data" - ] - } - ] - } - ] - } - ] - } - ] - } - } - } -} diff --git a/templates/splunk-enterprise.template b/templates/splunk-enterprise.template deleted file mode 100644 index 8ca052b..0000000 --- a/templates/splunk-enterprise.template +++ /dev/null 
@@ -1,2704 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Splunk deployment with indexer, search head clustering and cluster master. QS(5030)", - "Parameters": { - "WebClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "HECClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "IndexerInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "m4.2xlarge", - "m4.4xlarge", - "m4.10xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "c5.18xlarge", - "i3.2xlarge", - "i3.4xlarge", - "i3.8xlarge" - ], - "Description": "EC2 instance type for Splunk Indexers", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "SearchHeadInstanceType": { - "AllowedValues": [ - "c4.2xlarge", - "c4.4xlarge", - "c4.8xlarge", - "r4.4xlarge", - "r4.8xlarge", - "r4.16xlarge", - "c5.2xlarge", - "c5.4xlarge", - "c5.9xlarge", - "m5.2xlarge", - "m5.4xlarge", - "m5.12xlarge" - ], - "Description": "EC2 instance type for Splunk Search Heads", - "ConstraintDescription": "must be a valid EC2 instance type.", - "Default": "c5.4xlarge", - "Type": "String" - }, - "IndexerApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "SearchHeadApps": { - "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", - "Default": "", - "Type": "CommaDelimitedList" - }, - "KeyName": { - "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", - "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - }, - "NumberOfAZs": { - "AllowedValues": [ - "2", - "3" - ], - "Default": "2", - "Description": "Number of Availability Zones to use in the VPC. 
This must match the number public subnet IDs entered as parameters", - "Type": "String" - }, - "PublicSubnet1ID": { - "Description": "ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id" - }, - "PublicSubnet2ID": { - "Description": "ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id" - }, - "PublicSubnet3ID": { - "Description": "ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)", - "Type": "AWS::EC2::Subnet::Id", - "Default": "" - }, - "QSS3BucketName": { - "Default": "splk-quickstart-testing", - "Description": "S3 bucket name for the Quick Start assets.", - "Type": "String" - }, - "QSS3KeyPrefix": { - "Default": "quickstart-splunk-enterprise/", - "Description": "S3 key prefix for the Quick Start assets.", - "Type": "String" - }, - "SHCEnabled": { - "AllowedValues": [ - "yes", - "no" - ], - "Default": "no", - "Description": "Do you want to build a Splunk search head cluster?", - "Type": "String" - }, - "SSHClientLocation": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", - "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", - "MaxLength": "19", - "MinLength": "9", - "Type": "String" - }, - "SplunkAdminPassword": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Admin password for Splunk. 
Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "6", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerCount": { - "ConstraintDescription": "must be a valid number, 3-10", - "Default": "3", - "Description": "How many Splunk indexers to launch. [3-10]", - "MaxValue": "10", - "MinValue": "3", - "Type": "Number" - }, - "SplunkIndexerDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - - "SplunkSearchHeadDiskSize": { - "ConstraintDescription": "must be a valid number, 320-16000", - "Default": "320", - "Description": "The size of the attached EBS volume to the Splunk search head(s). (in GB)", - "MaxValue": "16000", - "MinValue": "320", - "Type": "Number" - }, - "SplunkLicenseBucket": { - "Default": "", - "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", - "Type": "String" - }, - "SplunkLicensePath": { - "Default": "", - "Description": "Path to license file in S3 Bucket (without leading '/')", - "Type": "String" - }, - "SplunkReplicationFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkSearchFactor": { - "ConstraintDescription": "must be a valid number, 2-4", - "Default": "2", - "Description": "How many copies of data should be searchable in the Splunk indexer clusters", - "MaxValue": "4", - "MinValue": "2", - "Type": "Number" - }, - "SplunkClusterSecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - 
"ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Shared cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" - }, - "SplunkIndexerDiscoverySecret": { - "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", - "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", - "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", - "MaxLength": "32", - "MinLength": "8", - "NoEcho": "true", - "Type": "String" - }, - "VPCCIDR": { - "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", - "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", - "Description": "VPC CIDR Block (x.x.x.x/x notation)", - "Type": "String" - }, - "VPCID": { - "Description": "VPC ID", - "Type": "AWS::EC2::VPC::Id" - } - }, - "Metadata": { - "AWSAMIRegionMap":{ - "Filters":{ - "SPLUNKENTHVM":{ - "name":"splunk_marketplace_AMI_*", - "owner-alias":"aws-marketplace", - "product-code.type":"marketplace" - } - } - }, - "AWS::CloudFormation::Interface": { - "ParameterGroups": [ - { - "Label": { - "default": "AWS Instance and Network Settings" - }, - "Parameters": [ - "IndexerInstanceType", - "SearchHeadInstanceType", - "KeyName", - "WebClientLocation", - "HECClientLocation", - "SSHClientLocation", - "VPCID", - "VPCCIDR", - "PublicSubnet1ID", - 
"PublicSubnet2ID", - "PublicSubnet3ID", - "NumberOfAZs" - ] - }, - { - "Label": { - "default": "Splunk Settings" - }, - "Parameters": [ - "SplunkAdminPassword", - "SplunkClusterSecret", - "SplunkIndexerDiscoverySecret", - "SplunkLicenseBucket", - "SplunkLicensePath", - "SplunkIndexerCount", - "SplunkIndexerDiskSize", - "SplunkSearchHeadDiskSize", - "SplunkReplicationFactor", - "SplunkSearchFactor", - "SHCEnabled", - "IndexerApps", - "SearchHeadApps" - ] - } - ], - "ParameterLabels": { - "WebClientLocation": { - "default": "Permitted CIDR for Splunk web interface" - }, - "HECClientLocation": { - "default": "Permitted CIDR for Splunk HTTP event collector input" - }, - "IndexerInstanceType": { - "default": "EC2 instance type for Splunk indexer" - }, - "SearchHeadInstanceType": { - "default": "EC2 instance type for Splunk search head" - }, - "KeyName": { - "default": "Key Name" - }, - "PublicSubnet1ID": { - "default": "Public Subnet 1 ID" - }, - "PublicSubnet2ID": { - "default": "Public Subnet 2 ID" - }, - "PublicSubnet3ID": { - "default": "Public Subnet 3 ID" - }, - "NumberOfAZs": { - "default": "Number of Availability Zones" - }, - "SHCEnabled": { - "default": "Enable Search Head Cluster?" - }, - "SSHClientLocation": { - "default": "Permitted CIDR for ssh" - }, - "SplunkAdminPassword": { - "default": "Splunk Admin Password" - }, - "SplunkIndexerCount": { - "default": "No. 
of Splunk Indexers" - }, - "SplunkIndexerDiskSize": { - "default": "Indexer Disk Size" - }, - "SplunkSearchHeadDiskSize": { - "default": "Search Head(s) Disk Size" - }, - "SplunkLicenseBucket": { - "default": "Splunk License Bucket" - }, - "SplunkLicensePath": { - "default": "Splunk License S3 Bucket Path" - }, - "SplunkReplicationFactor": { - "default": "Index Cluster Replication Factor" - }, - "SplunkSearchFactor": { - "default": "Index Cluster Search Factor" - }, - "SplunkClusterSecret": { - "default": "Shared Security Key for Cluster Nodes" - }, - "SplunkIndexerDiscoverySecret": { - "default": "Shared Security Key for Forwarders using Indexer Discovery" - }, - "IndexerApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Indexers" - }, - "SearchHeadApps": { - "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" - }, - "VPCCIDR": { - "default": "VPC CIDR" - }, - "VPCID": { - "default": "VPC ID" - } - } - } - }, - "Conditions": { - "Create3AZ": { - "Fn::Equals": [ - { - "Ref": "NumberOfAZs" - }, - "3" - ] - }, - "CreateSingleSearchHead": { - "Fn::Equals": [ - { - "Ref": "SHCEnabled" - }, - "no" - ] - }, - "CreateSHC": { - "Fn::Equals": [ - { - "Ref": "SHCEnabled" - }, - "yes" - ] - }, - "InstallIndexerApps": { - "Fn::Not": [ - { - "Fn::Equals": [ - { - "Fn::Join": [ - "", - { - "Ref": "IndexerApps" - } - ] - }, - "" - ] - } - ] - }, - "InstallSearchHeadApps": { - "Fn::Not": [ - { - "Fn::Equals": [ - { - "Fn::Join": [ - "", - { - "Ref": "SearchHeadApps" - } - ] - }, - "" - ] - } - ] - }, - "ConfigureLicense": { - "Fn::And": [ - { - "Fn::Not": [ - { - "Fn::Equals": [ - "", - { - "Ref": "SplunkLicenseBucket" - } - ] - } - ] - }, - { - "Fn::Not": [ - { - "Fn::Equals": [ - "", - { - "Ref": "SplunkLicensePath" - } - ] - } - ] - } - ] - } - }, - "Mappings": { - "AWSAMIRegionMap": { - "AMI": { - "SPLUNKENTHVM": "splunk_marketplace_AMI_2018-10-16_22_07_36-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d-ami-0d494b5a999e1c49f.4" - }, - "ap-northeast-1": { - 
"SPLUNKENTHVM": "ami-0db36f11d65f551fb" - }, - "ap-northeast-2": { - "SPLUNKENTHVM": "ami-09c7965888207979b" - }, - "ap-south-1": { - "SPLUNKENTHVM": "ami-07c20db6edfd45f98" - }, - "ap-southeast-1": { - "SPLUNKENTHVM": "ami-0e7b7ca1bdcdd93a6" - }, - "ap-southeast-2": { - "SPLUNKENTHVM": "ami-0c8a4d5bdf83f0df8" - }, - "ca-central-1": { - "SPLUNKENTHVM": "ami-02f085f4514fa7145" - }, - "eu-central-1": { - "SPLUNKENTHVM": "ami-09ce965c3b1a9a1cb" - }, - "eu-west-1": { - "SPLUNKENTHVM": "ami-0fafe9e81915f154e" - }, - "eu-west-2": { - "SPLUNKENTHVM": "ami-060d9e50d310e0ebb" - }, - "sa-east-1": { - "SPLUNKENTHVM": "ami-0dacd4005280936e5" - }, - "us-east-1": { - "SPLUNKENTHVM": "ami-0484972f36720ea7f" - }, - "us-east-2": { - "SPLUNKENTHVM": "ami-04b6874c649721f0a" - }, - "us-west-1": { - "SPLUNKENTHVM": "ami-0377011a3f771e353" - }, - "us-west-2": { - "SPLUNKENTHVM": "ami-0c3e33232b6c07537" - } - }, - "SplunkConfig": { - "dedicated-instance-type": { - "clusterMaster": "c5.xlarge", - "shclusterDeployer": "c5.xlarge" - }, - "shcluster-replication-factor": { - "num": "3" - }, - "labels": { - "cluster": "IndexerCluster", - "shcluster": "SearchHeadCluster" - } - } - }, - "Resources": { - "SplunkSearchHeadSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 8000, - "ToPort": 8000, - "CidrIp": { - "Ref": "WebClientLocation" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8090, - "ToPort": 8090, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8191, - "ToPort": 8191, - "CidrIp": { - "Ref": "VPCCIDR" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkSearchHeadSecurityGroup" - } - ] - } - }, - 
"SplunkIndexerSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 9997, - "ToPort": 9997, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8088, - "ToPort": 8088, - "SourceSecurityGroupId": { - "Ref": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 514, - "ToPort": 514, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "udp", - "FromPort": 514, - "ToPort": 514, - "CidrIp": { - "Ref": "VPCCIDR" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 9887, - "ToPort": 9887, - "CidrIp": { - "Ref": "VPCCIDR" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkIndexerSecurityGroup" - } - ] - } - }, - "SplunkSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable administrative ports like restricted SSH and management port", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22, - "CidrIp": { - "Ref": "SSHClientLocation" - } - }, - { - "IpProtocol": "tcp", - "FromPort": 8089, - "ToPort": 8089, - "CidrIp": { - "Ref": "VPCCIDR" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkSecurityGroup" - } - ] - } - }, - "SplunkHttpEventCollectorLoadBalancerSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "VpcId": { - "Ref": "VPCID" - }, - "GroupDescription": "Enable port 8088 on ELB for HEC input", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 8088, - "ToPort": 8088, - "CidrIp": { - 
"Ref": "HECClientLocation" - } - } - ], - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Name", - "Value": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" - } - ] - } - }, - "SplunkSearchHeadInstance": { - "Type": "AWS::EC2::Instance", - "Condition": "CreateSingleSearchHead", - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT60M" - } - }, - "Properties": { - "ImageId": { - "Fn::FindInMap": [ - "AWSAMIRegionMap", - { - "Ref": "AWS::Region" - }, - "SPLUNKENTHVM" - ] - }, - "InstanceType": { - "Ref": "SearchHeadInstanceType" - }, - "KeyName": { - "Ref": "KeyName" - }, - "Tags": [ - { - "Key": "Application", - "Value": { - "Ref": "AWS::StackId" - } - }, - { - "Key": "Role", - "Value": "splunk-search-head" - }, - { - "Key": "Name", - "Value": "search-head" - } - ], - "NetworkInterfaces": [ - { - "GroupSet": [ - { - "Ref": "SplunkSecurityGroup" - }, - { - "Ref": "SplunkSearchHeadSecurityGroup" - } - ], - "AssociatePublicIpAddress": true, - "DeviceIndex": "0", - "DeleteOnTermination": true, - "SubnetId": { - "Ref": "PublicSubnet1ID" - } - } - ], - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/xvda", - "Ebs": { - "VolumeType": "gp2", - "VolumeSize": { - "Ref": "SplunkSearchHeadDiskSize" - } - } - } - ], - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash -v\n", - "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", - "chmod 600 /var/log/cloud-init-output.log\n", - "yum update -y aws-cfn-bootstrap\n", - "export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)\n", - "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n", - "export SPLUNK_USER=splunk\n", - "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", - "export SPLUNK_HOME=/opt/splunk\n", - "printf '%s\t%s\n' \"$LOCALIP\" 'splunksearch' >> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd 
$SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf </dev/null)\n", - "export SPLUNK_USER=splunk\n", - "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", - "export SPLUNK_HOME=/opt/splunk\n", - "# remove stale splunkd.log that ships with AMI.\n", - "rm -f $SPLUNK_HOME/var/log/splunk/splunkd.log\n", - "printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts\n", - "hostname splunklicense\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token\n", - "TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token\n", - "echo $TOKEN\n", - "mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", - "mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", - "# Peer config 2: Enable splunktcp input\n", - "cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <> /etc/hosts\n", - "hostname splunk-shc-deployer\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv 
$SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", - "hostname splunksearch\n", - "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", - "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf < Date: Thu, 25 Feb 2021 10:40:05 -0800 Subject: [PATCH 32/47] updating docs and associated images --- docs/images/cfn_outputs.png | Bin 0 -> 63723 bytes docs/images/cluster-master-sfrf-met.png | Bin 0 -> 36779 bytes docs/images/indexer-clustering-menu.png | Bin 0 -> 65683 bytes .../search-head-distributed-search-menu.png | Bin 0 -> 65425 bytes ...search-head-distributed-search-success.png | Bin 0 -> 46509 bytes docs/partner_editable/_settings.adoc | 2 +- docs/partner_editable/additional_info.adoc | 32 ++++++++++++++++++ docs/partner_editable/deploy_steps.adoc | 2 +- .../partner_editable/faq_troubleshooting.adoc | 7 ++++ docs/partner_editable/pre-reqs.adoc | 9 ++++- 10 files changed, 49 insertions(+), 3 deletions(-) create mode 100644 docs/images/cfn_outputs.png create mode 100644 docs/images/cluster-master-sfrf-met.png create mode 100644 docs/images/indexer-clustering-menu.png create mode 100644 docs/images/search-head-distributed-search-menu.png create mode 100644 docs/images/search-head-distributed-search-success.png 
diff --git a/docs/images/cfn_outputs.png b/docs/images/cfn_outputs.png new file mode 100644 index 0000000000000000000000000000000000000000..aefe01f9ada2e8cf91b01e7f2705d17ace6c68cf GIT binary patch literal 63723 zcmeFZ2UJwc)+de;6#-EJ$=D!DXmZX-keqXroKuriqau=DIzS& zCa99E`nRSeW{-)wIU0|2lN3mj%9c>5`>1zGRUIjhbtVW$COLfs&Tbx9^-krY?I3zd zgxe@W^-0c^vLHb${IV9gp`@TyHl@~$ke#@v)uX}Vs_;60kBL3DQ^ceE z?h2YqQQFt*GWp4B$7u?Be!CC8cJibAz>Pk3x1wE0sElO(*tHhEZ->2~=;oHay&)aLnm?x6D^E4(bHmWh;_ez$H0UC!r(M)BT3#l zPet&7o0(6|E4^W-|;vOsO94^a|>`;BrwVZv%@kV>eNIJR7K;*ld zQ0)>+4JB+VUIrZzQiRJL6*dw-aZEN`30&USEZYo4U7W{nGI|#@znS;z7soJqOibWS>Q zr`YIOVbom3SVT?=lYmUYmH7O9yy89|LoB1%FY}Ijd!9{-Nr{;3Im<-l;Z&A)E+{Ya z`^4=-&Bw7k6kF6E%)`|aE1Rugp2pdJvJ6AT+(q|Kt^Ks}c;;d4?= zqapcZ5tSY*LElkC0zuP?L-Dye3E5eO3NL;y@`KuM5&FZZwm)V-bNg!l(Ks z@5t8X*jSGDKxb#BT>`*U*73z2;q{0(PIR2>5|^cw{#`nNM09%Mf@xh6Tv5X5xE{LxRi;l)_@ z0>_O9Qg^qnty5hkyjgXCqeR53)f_JFgKy5Gq~y{8=ej}{gkK~%=P`@BvZN~=GF(J1 zjGOL()Bf_B8tW$A%}<%}($nJEQ(>;HYQpe6R9AOnkkQLPJ4Lf-MSI*2K^=H{F_H}l znhI}EHp3c1O00<`hCA=?N6xafKn33EpkZ=LbBIGSe zwZ!2R;$f@cNN>`MlpDQNnuuPd_Thwp;F^f+Ix;Ew5K(UpKH5b#9lGhu5}Pvm|k3aSxtH_GL5?3}+wjJ&Lx1h~ryxMK4^c%6_4GV~VBZ_HEZ<*6FU)H> z#44S&Qo{WVRMD?P4(l`Tx%)r6Re$aAn|B%Mg&{odVR>E$2cCqpS`(;KQa|bMCeIY8 z6U{3P@$7GP+iCNnd}gj?N#5Ax*?cKNNDZH>T-_o;6@IxSwq zsxw40$YiTGOmlkb-1d&@*4P6T4}A@h$Q+Xjd8fNl4EO!n#ab*r1QRnfSoBM>M1Dk< z2lzH@rnf$b&blEHcBSv*W7x@*?~f{-B6fj!8vhyLvk+U~*B74aeHbrZ+b|xrOTsuc zpORiVT7f=YkKQrU2qC{9I{LZMMI(CuSv%R&1F6`Xt&u0}{>sm#}K^*dlPn@#~K3z_q`>E;WXuBd5!ID z84XSBjZ7KcZ5=?2hk?N_>B#Exw$dAu`$}i z%$ZntczBqYS(#W_p`ZoS$-~as&>d>$M0HN$7Y#8}Cu5kUgR`Z*9pyPqLnC_^X8{NV zyr=w&ICyI;?hYRQHNg4(Px4OACQMS`h8?U2G+<(7X6A-6vqD*UnEu`$yp@yt)7#GJ zFD?RpGPxT%FtIQ)GuhhyQx7L+ao2y0_aF9fQU#$jld`Fky$j6PRNU3n&Y9}(gF4u_ zIQ@N07bny6M?dFnV`9bxCiQdVzxR0}C8zkO&p8{-Eo~is_Be0-_m(Ecf7&^?z-)fD zF)?N`wK25?6LA8RS^lZLv!&TT1oThqIe+utO#}@0hyFjc{>`tSbNR_vUNL)Pm-9iT z!~`Jc^W`F!EV9{W#?cwg&MK)a6(PEjCf3p*iAW&O}YL? 
zO3Kd3+0f3|^qdqR&S(kfup1h3valL+K-mmU*`e%)oXk)|E^Z?zvniJ`iy14knHekl z-$*FHEP*8$+WdW1=cG&kDOOHa6C)#IRwyT@5et;v$jAiBZNy~)WjE$zH8x~tG2-Ab z{7LFu4!k0YQUVZGM&^G!QM561HnWG>0`s!8GqHDb`o}9(OIuSFXTx*0v2e1mv2bv) zu(EM8v+!`R{-cq)Da;9|`8ib+uBpl+77hUTVB4tC~0yPOM#7c2*` z*6`dq0Og<0!D@I#VWx)8_Apg@dm91B`D`iAN&Yk{O8&phg;&z&VSVS4<%)Q zc23SP52^pbqW+t9{J#`d67;o)dHijB6;sDwcfTOX#_}htC@Fu!0I#9(FZMebx|*8& z6anDluUEzvhIZzr0B`>?w%^Y!{{uy4HDzXJW@R^l8XKCJLfKh3IiN;tCLBNy**Of2 zICr_X3lPgFjEn8paVe8z_@FEEc``?@W>Md&T-~p`I!db!1?mr#=KWO-if~=*nshyMke>U~MH~Gbuzd0f> z=U>l&g9HAO>5s$wOH0lT>A&#$OZ)x{M*yV%J;=Yr-+!~~-|YIAIPfnu{SnDa+j9+(<)N;bW!1;Rq--Tv-qzQP4=`1BD zjyZqv=AE0DB4fJ;Ffb@Fq{Kv2-A7i(J-qLVPaJIK(L81il9Hs1xO5Tr^6BGi0c{WV zAH2|=p(77@L>>aEWDHKGWTdZzWb;2d5hlP_wc9nEuf?N|z_|YM^2NDV5r_`imiT~4 ziZok3HlnCol0EQ=ylQt2f${$SegOfM-Gt1_wBlk_FqvQ1>lO9j-@h^LkxbwEee=}e zrReY9&%WT{T=;!+^$GXo-@osX{=eLzLisWWeccC##>`y^D{N@$!!sKEv370cLRi12 zb?e&+fy!59SZViubH-st!e4Z6?QHYpurIaOyw7*E*v`egDj$iIlpbrs)p4Uq;2HhY zPqtSO@j4r;dG=0JcUqvN;?p|@6iIv2hS=WK;tk`SQ05PDzyC z``MPNFSp4`=^90+jsrjA#A(_o`bZW&%``}Kw?LD@(sBthGd+z*O6uGzO~=K>^zh*m zF=9@eMHEU0YPmpom;7}YUgQ_F*UDg47e({Tonj6t^RD2Qk&V;sy!}ZfYtQ}FO0P4K zkj6^ujpz3-9XZfn`fFsxM5{!;xn6OZCI$BaLk2OiQrk%$n}&Bj$G+8xqN!*`oSX|?h#;)4CfUIm1b!zV+! z1$jIVe0TXiTgTbw!UtAq-%Bd@(5z`iCm?x zuVP`aQk(J3;lg<zQK(Q{%T37dQQxGGcm`-P#Dp(EznvcM zw#|17ZmWi`k3SY2-C3MiOCYj`*T5?FmQTXZ(%Udu5zx0If&v0mTwEJR3P9jU2;u<^ zjoJ?f$A|Esm13*mpNm(j5qNcTF{SZw+nu}L#C8dJ;E?A!ME{Vk&PK$$p_Gw(T40qU zDPCL%Y)|Kny}5&jsuYp7qi#)2_lAO^uhZ8Z zN#yW*9|V@pHl#OUVq&h1p3TPO@QJ0Ghv$-|B*#F{j3!PDAnfSlU84OK(Mw1By;~^? z25Y%7C1S<9fW->(f@NlFo+VqO8>bp8v|C-Tx%%q|Y)3V+Ps~R5610z)YtfjTj&y4&`N5G= z{Tq*M!s6-_|7ZtE3A32M%a~UeH8Sr>^?tx`<0=cjTXiE%lVJdu;Zgqik@?T-o2m{s zwczQ?((K*hd_3Y2ZJn-;N{87l=_`*DNzcT<3=5uwTTh1)($vB1yUF43+J5(JAOk1? 
ztJzMA{{G&r$hjg^PcPg14J6IA>o-pHZc;JT35&hBcuA~5TRAGyW7>I(2hVc6&>vpu z5?Wf-uU-Go?D>8qyR$KvUTrH&6J46k>!8}k$2Q?@-h{C4bl33b0<(C@ss2{LwsbF& z>ec@0ceR!20?*D$^CXW<F6joBk{oeEVfXIhMfSF$+Ptp+#fxV`V$SofLV=peo zkB#$4i$!(4FNrzflndlsB=}A5kwS^T=*Tj!XhRdZQ@Nb1O?D}1|Hm4`8z6&eF)_AZ zH<`bX)*4;>HVLXDxU#YFwoJyuPxlJu)j-Luio3_LkdYEKETXu&&c}J!m8LK^l-qALW>FMaU@|Y9^3ATF? zy`M5UtOs%xWMyIH1)ME!<@Ry#X_W3{jy|HT*lMp`$GO^Kbo&o0+Ei?(BY@X|_T-zb z9Vrk(fp-|mA_$qU*+*GzyYlm#22D*-9*aeFCuSYsm0WA)0AOVqus)WN;+NXfLkAxV zAuLL$UPhsg4~)ZAsS`MJ)^9~tpIk(@4Y(EG!V78iTx?N7tc52@-olG+6?imN*3!H* zXCU3tU3S5Z?KcN;)KIF+zCIo>Zh(>}BjK{^ z%eGX(JA}{Tj_6~Pa5ChTzqp8?PT)Z}FJ!|_-K!Mqt_oHhURkLjbqmZokdeK7}<7=E))KylQFF6G(Szz&R$_e)<;c9bZ<*%{q<17T`dKm%|oD zjsTERFln0=XwDCkQ>$ljK&fQJ;;&wj^)##I{1y{f%{fa!5K_`zGY*{IyQ<$V2P42P zXJYP!pI@zJttx_FG|xxuz^lkSN2{bB{w{k{f!~ZRtr_SZyuf?uhoR_NZ%}ZsZt0E+ zKErqAy&pgFhgZRrj`mklCYxvoAP@>4?q-^VaFlPk!xw&ZSiBNdKpmG?3_NrsTTfFb zU^~*A|4j5@!7aS&_Jmff6(N#ittv;mA{XTJ-OZ|RyhN^3(GkEDV#7EKA`YU1=&WEG z={RF;zxn+pJ>Dx|5h$u&TWf_gZMss*t59OjzDh0b;R&OHc-eJ1#8rgsC+km1iHU}s z2$G+HPu9R9pA|BU%!&k$c4LtsW;xR#R5ud!+%|-eH1cH|(;t&q$MxYNALHdrT0Yl~ zHUC~Awhq7A`2UFW^P5$d|Gb&H7V!Hwh94E_A1k;S=5X!z3uf;6`@esG{&$D}!@1N| zqOIIo=}dbnTR3d=Q5bAua-#!U?@nZz3a3ciz4B9#{b`={_czU>QtC&PEio}L%HdkE zjEyw!XAta^V6_V zhC!Xau<;q+*T-mY5(mTInkej&(dy9Rb~apSJ2-K6x^Iryb#n>xoT`0Zi|t*`|GU}L zQNJwr9IU|Odm&SFccR<3GPjCXZw86c8t!f;;HcLtM&IM(dHq+{+HSJl72LN)&BgoyG*3$lL*)!m3q%Fe=TUv)1}ob zGMt@5(Wo8@Z>B3eOi-Yur&l?XYwdW=6Zfr3hR}dw1L56f79uWYXU0IC_aVPUS9k46 zM@KC+l;mLm{kIJ8jcc&T-s_CWJvczZJLJQMSJ=ewdENF3hkJ@t9+nuJ?WOh7()!0To$0DCtSu4Y z6D+LECTM6kSLZVwfp>P`(tKXMtJ6=rR6Z& zR68*-Tu~8(>dJ^^7>Lpfz)3SPt1K^ndHE{%zX@uACXp{szq7TQiH?y|C#Nbog^ke+ zk)w{U6e#55=_@O1CnAFO+>K}7sZ!R?ECsCyA|XW{8qPc2LTB0f(vpG*4aG%fB%FD|GTh_>F@LK5~@w=~T8ag^gzk+`WC8??` zM{2DAT>5z-)$Ck1B93-fGOiR2&!9#>x5lVj2f>fqtOhepJ6d0YxeyT+`4JzFIyWk^ zg&Z6oW=t1t-MCRk!EaHcoUA|YvKTRJg>CH-FtXw;A>pj+eTj)_H`8iUC^qu@Cy&6G z)x*~}In-JOA|pBVlo=6Fh*7ELdeCdt$RG-1W56rIxDYZ|{b8@Uz|%!KdlV~c@`!(s 
zq^n)x3A`b5n}}%3+B?}pQE~gjhtA_YLVUu>!4>^un^ZHijMh2mKvZaz+Zn+V$M|gC zon<*h4Zna|`mK3cD=RH6Efb4J0)Nn{WVjP2004*vR#190f&=Q7yitTw$$9Vqa(gIM zsvoD1{}FP+c6TN!DmXYKBsiq|Q<@tN?%)E3kjuI*5MXhJSf3abwhwV&%g0$qv#b)e zA~S8IsQ(RbyE;9zMkrBQBj=mhASp&h#yt?p(b6&I8szD3RIT?&%)lT^V~5EzM!rHq zYm2pl6Z(mX+Jo2}w_@`4?R~7butMhcBVU8}$8n>!g@!PI%?ty#@uYz5 zNLyO=(#VO;c}q0yUBXmhWkaJ+R0#uiLJ0MAbya<@%@+2h zs$*nUDDlzwIL|U~_z?di3&rqtV0EUZra-~x2EXSPGU{oUxgg>NQ)R@;muaKod@=xT zb)($2Rcn_)xktWnI6n7M`|@oMtY2pphG>mpUhHnbDqi z=lQ!Fb;P@ua@1d^@k*A)N;m)(z3owkW?0i?B~vBVg%=(ix$m#{G`9D$@o~9nI2T99 zfv*LAT}Y8!uCoZ-F|HpbkCh9Cy}9=e(#EPm-tft*va0zQ9kIF9!@dNsJ&G^^MhK*A z?0dDA3)zkJ`ea2b&=A`h<(wAc=O zL??n!e4Z?kvbDe6KY-M~yXU7x3pl}P&055yM+@EE-HS1Jk_|id*|UKV?LFyJ=lpRB z9krTp_cfTjalVK>0c~%eYRuh5H~{$tlgB-WcM&}QSOc~dCF#uQXY=}5T;HQ%lt%8G zPpO}nj#gy|2?_1OCrIW<@bwJza5X zYUah0+(3PIYUK`=of5 zB`vW<#N^4t?K)qDrbl%JN&;)whd8yKJi8)>ZzF ztZzuD+QnJ{7Z(5kC!(6`asuu`7_uz(g<-)&t;?)AIHN zqiQGN?R(!e8z0k=;BB(U!5QggT03N0J5;T8b#;MlZ&*=$JSCZ^bg>gLbhTSQeRr>< zX>e4BV+Hew3ut6}SEoSCyTzHA9)RreK6(fxU7_&6PXM0HTwR+QSB-;$tU~LOl1_NP z2kvk9T|N{SHyZR3y#oj;IXZ#{i{Q-r)718MY~rXl~3}?RTnK(=OG^K1A92lE!E{5P7siwr2;-qF~e!#|d|1dl7 zGRGcaWV>0BdOcldVgm1G*zZkP-{bRCguX8wN$G~W!;cSE-D5FiRcau=C4obtn;{4R zI@c#gIb+d;g}!=P3qO*-JtDKWlF&~7h=G-mPd2}>IF)okS8jLu#{)F2#rH4}ZiPRf zd3E{fRW3{Aqsbo6vi@HE%0v_K1|z7FfP9dz@a~ zTjPKYJ;hu4cG|U)q=F7_J^Z2jyUD#o>$UFW;1{>BGFXq7#(sPC15wAEI~CLfFaZhd zMTPsnTc5VrrTy7`JS+HLc6Oz^`%;u&_EWY@>?1i0jAtvcE=y4Xtzv(1Ak+@T(>XEH zUMF!TMU9W21M%oS#Eqt{R%?GI5&Gy?nmJPj(D*%13@hlupGXEQpg3hc~lycwWc7pp|y~D*W zC=|U$NK1CvCw-@%$89bz)TtCn2Z-$o?_3Y^_4Ta{tllhZb$jJM5S5C7A-txVFdYHE z6p-n^^QPD8i%~(x(XkiEN)tw|>2NBK39oUX6L=sqYiql$)%&Ca*p<%9%%(kJH_oMg zV60AHvr}6(nt%V26&+(#OkxH>7`c$r=Dk-Xsnl#M$$^)zvb(xDRVAK}L^k6os*<#~ za1$Tv&~qN<6N~qGNIgg2?GX0;<-;>w6l{HVmW*J8_x`4{p`j8;xBE1QffLvM$KC60 zPC)=2o>|k;F@~MF+`96xUUbym!*gJ~cdP`}JY>A-n{c8Vx`S1hF4Nq%a}#fAG|Q`T zzpbMZ`Izr$eN{~c%(m}io-!Bn&yyrNg00OHT#%h@+Wkt=5S4b8xY;!+KDVsqVO5{B zqI>GKyBZ(it}PbUoX|IDjzh|uOmL8JuGWfp2-h|F_O{9ev*8LJs;fBJI_agb;m3Hi 
zj~X;Z9j!-8G3$-b!U+i0baaBD)%53&R8#@DO6^*NjGxR+ zf+aV+sxpYXf?hVDF;lv!lQdTR{4O5vEepB}Cv8P_Ryu61a7+eE0-n2t1v{5Zs3AG+ zCTcf6f2^;E*xTok>unJ4e)i$2lRr-h>DGDf+Oh3jKRR#^Cl#Diwp-5?5F#KT5U1er zwBPsYlNpGL8u!9o9jY=LJ_)3u*~;6~)}$-rQ8rBM%cObvsiy zKe?7vHF2+-5YQ>TrbI7p(v}+Z@b>L8o5}HNt=`D50Ye(}g4+3-Xs(A36-+;mj;=ia z=vO?__9=%iC7e{PoxV;BwX~$9ue>Za;B!o&CaUx>c`KzmGm!tdZ+7I+)5{BcbyOxx z_5#MUk!`i*S1(14jKf2deq;xpAD@5|x3&c}+sjbXiIXdQuB%5zhdm&rAAn22Lr$0! zAD`(j>bgF%4GyOvtcU)nic5;eavt;c{^H_R75PYuHiPus)1!7?jkF~n`!cXb+3psG zM~_rpqQD_sU)K1>QZhlQ&18<+eKBeQDwWOzeSNWW-#Z%MU&?4NCn7Sv!gl&GlL(@$ zsafpUTUvxt{#3{5uY&~`?IJ&EH{Mgks7njQkF-nRy~=g{VC{I@Kbs=FAy5*;Y)7tH zqje`MgH`D_Y)FFya{Wb5c{c9!FX<{>vO*g-tq2NE00me^QA%~UfO%D;a^*9Z3uX{5 zBwV(=8$%4-NYjvr_wV`Dd^D?9Wn9X)GVzz|fIOD136k=36A-aN>mQXM$ySWPg3)_Y zS~Al5aNAcgVQt+&;8spK))j4)5jhuymL0MNeJ6`8KM<$@gDsiM>chSsP|f1=D)2Rt zz*b3Jjm>sXEm|m3vt^%TKulbGVPQdFui@pa_dHt$@|6fE-ExPZ60 zx7Q=lwtTlAe(+5M)F`O>EF|m;(lIbdOY*O!`n7P_j#cZq+)(PL=J4=(JhKEq@%1;L z%g=b5+k1GDC6o}RCW6|FlK@pR#Rup`65++ba_3mPDcyh1lp2bJ7N9@aokhzCkBGCOt_J!4Bd zYsNP$haqCDJ|HmPamFh4Mt4~)xq@g~?Qg~dRg0=Jbvi?g52;qTKFE-OdO2PE#=9@v05f?e@9-7KbRyUSYBTkC=_oQ z`u??;Dp(RYNq8-GU;Ky9&tjmDiUrqFC#ODa`@b4&zn)O#4$pRb>lH7?*0T2mv(8?!Z&uy7& zwCHSV#?$~_{B$$ee!x_(rMAnD;O^Z_|89+3xXH=(a`^GN<8>LIny6VG%z6l6+1#{@ z(*pm%4~TM|e$AH}FQTc-K>w`1^!AEEks~5tj1fXFv~bnF^U~tlT3YR4-O0#n{K@Rz z<%{M~-C0*`$??4G-X>|~KM(KT?NbDNv!+L%z=KlW3p&MkkpR=!2UvMCh6C2{1Jpt+ zbQ=5s82J2x+)i%*a)Nw~svhL6gRU6L&t9fiQTTN!_ zQ#g;&%vxnb41JCFiz+93#Y1CVAop2VXtl(E07}-02cm8x3ZCT|*qt(=Tfw8`j}#~ok|B|sEV41My+QbGa`L*qv3>^Pi3xqqgcd&W5<)x*iVfcmcc0mX zHGpX<+gH~492Rp1KV4?G%$BQDBC+7OE0CiDw&KVTgEU=xMaCrGy``O<*BsV^b$nj( z?(S9OsqwKse3OVnVCo4L!HVw> zwJX|$2embo2Hlsb!ODbfdubv3JP#f~>1D82DJ6(#WQGgTv9E%{$RK@>W97+`!%1y> zm&0hIX?VvPo14AHL{lUL946OmFa-@ND)aLfk10y!NzafYN@9JK+Wl|8o)`pdamI~h zDT;o-dg0EvaIKu*rHXIWa$EjXW#iwt*lF?^KLS{ z-~nWRtY67X3W1-m7P7F%aarJ)aZWoa%DZaGzy7gKNJ|+Bm$_a!GN(A^jYZAIc_7Ct zO@ca?rTSLIn>i<1;NnXr#jjvqaXl^B%BA567liEqd`0V99njj|q64)(UoIUXwVw^! 
ze0RMY=`wlxBN$OlcCtqLNp4+Qoo0tuY9u+yjHdTCyenoJE%ICVF z!8E>kOa%6J!U+d-^PaPX_ee>1_O;kvh2EorsOZO49`s)M@|L6p9?sjvz?YZ zRxR0meSM%V3C@4^6~ts&WXC(T`=EfO&wDkT|Kt`SNy*rJdn~qxK3Kd|C+VZQn@@K~ zS6^V09A)|spPiK3=dFXW%a;0cvF&#c+xo8urKiirFAh${PJ4n_1wD$`&}U>+S0bo+ zLQc#9Vr+kZ@w{q573{dT&I>k%hTlO1Uz%EY&aFyWp)S7*uUg|zyGYT#H8nM#WId0{ zu7*7KDP0}X)6`_&HwfvA(9$9->}6x6@SXbtxJCLp><}C;<$oJUOe6=0y6Z*D5f)QA z+axzy+!i>JRmcOP0B?BP$`MD+#@Z)2spNi(g;VRuKL?KoXKkd-d_P@R{TF|TBD zH={+5Rt%O&@p+sb&O#BTY33&IT9^xvsdkA??gH`mJv9;wYj5xB^OXWvROg7E`tTVz zQiJ_9-<>-V#Wr|bO_MZC1_itz%0dT8Iw*cU3sfZ%hAEC1-VTy zQYn*;Q{(B{AAkvt=qEgF+Xk&`Lj_^Q`T3IKcdKh^RBt64iW=D4Gx>;5eTn?Kz6KBP z3>(SPUQ8||+TPju)fw zq_!N>)6+xT>htTAKG5CWeMkZMqq|}o)oH*Cs?9u{CQ;ItaPW0&SDlX6IO3kas2@AI z7+r;^oefL`dM@3HzecEuKP=u_>G0hMiiZbETaLzoieU7e#=q#?_r)v7yGVV;d%^3e zu<>ys0dOrH*&)e@&nYwHL}%3}Bh#X3vp;TWbH1;(G7$YZ$_qS6ytN$JP<;=2~?COI!OLcj}OG-(toO> zFpU4FPUipH1jTp0%jZL!U;kHCJy#Iu*2bl zg#v=e*FUUK9yQ2W^=nFlMGl@F*R_#-Ts=F@gN??jZQZoX7+WZ-s8r46&r@diLv8EAULe8SmRDD zP<92H$|}8L4PU>eSoS`(yQ;dOGdn=y*q+Gy7Kyf88O$C1#+_dQm$UuAYFVK9{=E#S zSy*dzu(M0tW=Km*P-!#Ih!_pA7dy;GKU*l$939CE?5v&#&K1Ag_Y78 z9%F|1Ol#~VgHq<}3PSsh!Fkr41ck2SuR3)~)xF}ol5T^taViOczO0Q8`aYO0wN+0_ z>h|py0=hcAark&jNF2$mBU(+C``x}xo^6V}RdL9fX#cS>Z_xFgL#K|l(5E3rZgMiv z{%Qa1`>XwK5rNeLJ|o-Ra>c%C30*38n$CO%MhDLvU6y*%R&bZsM`}=qQcOWDt>yQ? 
zM(sES`LJ=F3^7`YJ>Q!(vmZ`3EJD2=hk`*t z?%vsI!*%Vd=uSp_k8}z?^8JZbEe=hwbomFF+m)@@M)Y<1F01Zi^;fpnZ3tbdCXQcO zPO6k4JKG9y!^n@Pkck47g9k3vj$q$3nJ8$xkUbn8daTl)2m@u%pdM4jAgR`BcjN;4 z7}POWi*GN`L?449ZbBxr$v`%yjYw4vHuFxn#p*qTLgd&OKLYn)<*YojNg>5vJ*NP7 z+PlaKo5GUo?DQPcF^pA&)JiRrc^z3lGKS4;^}XCAOM&cKpP)(9y!Yd66<5YrCSud8 zxjz_8##dt7nYDLgLzi<#U027;3??m*4BFMjl{iXk*dm-3gqdn?v8P{Pn?`#bT16=- zxb~X+a`@y?1R>j|w9T_wqVo_qn4+hF+gH*uazyGsUp5JsPE$sY-UC*2Q2 z)Dm}5NY?^|H2?{jTfu2I``{Q zN@C{Da9@iJ@s0O`8*SEB`5Dpb?=xTNFcA2>RUv^1&@3zh#EW6j`^0J%t@g0Q%Y{I@ zaQRJt0nBMz)o0ic%g=}Jm39VGF__#U{p!)(_a+%JWhdNB%hsINhVGV#+AAcLx{Tr= z2CnW#p8y=la~F+hH2SX1uMZ|y>HD7RGLI#-W6v#*)AUjQXU@ zb+DS{{g}+MK-IaJAU!=9Q==+%&!c119@^#^6NHF+4OrTsT{daJ9;vy&^=%d{Xci|=* zPA08N29~8_xT#T(Eb5SFFeL8C)k_@Rx|Px1}WBi8)YcS_ZzZQ(xFOo!ldtGH1s);cSx3Y5@Gvj;phno)O>x7Z<-WDR{7C+b$kq zPu3jt80~b(L03s zBu~3$uQB#ClQBB_7*tsTpQl)r&y05nI3Q26sqRt$JTpGN9^85CE5t}etLWphALmJ2B3Z6Ajetw#qUVNHd9Frn}TKeBU9}O-6Q6yd0HmB@zU8%A)y?)@0$yB*E?*a5tY1$K8v#H3uValfleK@;oz1G5KwIKvd{p)GKNNvVT zMN6pF^Y2TFot}o{nsvpG1APVhhh~kP#WfdR&iV_t{El>QyMzvb+5eLWG*NU^- zkzfz)%WUonho5do>-TUy(cjivsJ@&#%$VAw=>>dze(6U*WqWJO6W$}EJ)2!AMZ=FC z3t>W+AQua*u6Tkb;1iu>a+*t+JNx_g>_C@&na&DlHn<;}&&{o8O31I*SRZYE7QwrI z-O_B^qOgMH{iF=wZ~_y&}P=ly3X+KnEhj^r9L*$4FD+}&Lokz1_pFSEk+o)2AO>vvQ$ zPZ<0pHy9hfty7?|;T6lEx3|8^Lzgr{N}ky(AwD7lz_?6fQUtiKQXZsJX7A`&`04x) z-kAM9H7(^UnyRX)0~Sos6O&EgRF##L&y}5;+5|YSbDQy}AMy9kz|0fG<#SupDs+w` z4(vI+^LaY1)B>*%C`Uro-eRwAiRbva{p^dk$3VsA#tygDJi_&IaKItnKJGQGB3Cp= znUo}V+9@K!p-qU=WCX#sGb-!l^vYK_Q2R8=Kjh@nV;Bs!77Z)kNUS-w*~&lJ#vj4! 
zXPhM`@tu>*hBKW#yX7M0!i{cf7c%(B`HiB*hI7Sjkm9lF)9wi$90h}fc-JG1^FqSb z5~-7xNKG^?QZL50_OZb=ZKcsw!L?4JOIOE}qNA-C==WpoGx`h)cI)0A(X$(5^i8ID%cPxdF~+JcGoh6o(@uNn4r4V`XXZBOfXP}t zP_tCV&y_=z4Gj+T%N%LXd2RS2^JrGGPUidTZRo5AvnMSr<2%iEl|4#eYk|EJ?+d`U zc54cCH9nns{am|o#d-Jji(EG-Zm~Z7hDLDOe+~H7{6Mrh(uc?5O77(M(}nDobM?){EIjR%!!J1%F+5vDmg}UIDknJf=i$;3@S&x| zJohU#beuF|NM1`nR{?}2xm4gJ-YuH_!yZOM&K2CW!8G2OO6@!cyWojKi3B5 z=o>onc7Mb3m8@M?kigj3SXW&{mp*<)jXk{T911fw{XxJb{r@rd)=^Qm-@h<6iXeiB z0U{_}N{5Jof{1{03}Mh+Lx%x^BGMo&(hNgNmkLTZL#HsrP|`Wf*`wb)>pg$G|NPEz zJ?mM@z;NH!y|2CZC-yZJ{vQw}i&}-|_c7&}5whOTb=UM<LL_pAhpHREutgQN+l7d8I@W%P$!H=-QPF#E#MGvU(3r-dA6_6Uz}EgzC|dUcS7KeV6<5 zJ-zTJ@3HzTo~0&1OKp-ZJv;NVu3hDuYCe|`i-2R1@89VbI1T^=Y!V+H_1r5g;eGb<9Tgb2UTPy)1IC zTedf@@yjDF;w}0{vdY@X{`liFVv4P#0aJV88YPzpt4sj5K}}HfXQn1A1fp28yCAd_oxq-4yv z(1cYnW7K$fb$BY0!QI={`dM!E>)z~<->_H-F*m9!%_f>HNco~4F|l}pbs1!L-y;#4hx;sPsY0IDPcjY3&az5Akdw#IKFDwY8DFrC4AYv}-0R z>IwUfhI{^VHq}n8HbO!{AhEfPVp1KB1&J8`{tCaKUCFJnQMLgvSQ~!U00I)dbS8Fw z3)a8>wum_fhlCbk6IO`0P>^>-Bu%x39((qCK=;iZBb>Xf$xQQISzOHHr`2e|1~hLH zpS%rdE@Usz9t-%v2R$1{Pp)@1;oz)CAf^0+2mS};j_==P52o87^=3KzEg9~%{%IrC ztUT8<&PpFY6SuvPqK@i2z?Qwm3LYApjV#r{x|wfX@>5W5%lb(#9tUS`8e?L}0eL{8 z0Z!sza(US_Fps7s^isKA%`|MYg0Yqh+>%0r5LOTtngmJrEe6^jNZtd&R9{JJ=x-M` zDRU~uGOHuzFa2W}elnbVW%}yuF}ZWz%HbI|byFv(Zid^xz5eq!`^^g{5mXT$Ke3rx zh8rB*X+3l9e%329YoDSyR;EpTrg^K_-eravW3l)VdZ#G8x{VEwsgM(GZEXpn4#v}Q zThR_I64Io~!2}D`{OpNW(=7=*9SsxWPK#}Ajje5s@rmK3&s<}?8l9g8*Cmubc5sky z>Z0|fycXZejHjb?s`CXtMzG?R;Ix@H;cnml`}vc+x!$7Ys?QT5^PlXbcp|LWqjGKR zPWCzaHAH1$dKTO#c6@oVmoA)s({FY&zx&yxONy1@As1;Ae`6RF=WV>Z>P{-MetmLd zpGgq=WF#d2xs3M61L@kgm4e4In^n5HRj^b$pSd^0p36uI8LvMlto$nI^R8mymY6h= z_M6?(CAuXf<_2Q~>|QNo7I1i@m6~v> z7OhbgbIr#;Kq=4Rg}?ZE9+Fpdy;`@iKArIEe&gD7Tb8(^OIzhJz^JM}=li3tUv!ys z5^VS1*9!HN+!~hXFwaepczM;Rr^n9-QRrZQgkjsv=D6JYq?D9@NiU5cT+bN|+l-HM zGcV%plDzP{Ww&^yLirW_a&vR@R@Cx6-i`H+2f_LcaXO`?n%r91)|xr)@AKv;XNa)p zu2E*cRskO?iZ;hwPJ2sb9NhTjRX5ziwu?a*~{! 
zb&$813}Z{3iT`y!+E39i#A1~G*JQUOCx7yaVRx)emDP;T+tBHPXBG=mTK%u>f8InD zCdfUne@`XVLoYTQM*lX3vW$;a{v_U_p#(F;-#GH=?iNd1Jh!8PEwB4Sl)1UPmW@_) zSP>s`#LtR{r zW4&zZ&QMmr6~{=n9Bz*x{A9of>##Ww*?Q)U&<`KvBWdu)6*FguW~~?V0U(f`d5dBQ z=@r0X*H;S8ngr}738Y_seEju{n2YvcI&}s23jhq2BwMi zI)z=)4lCUU=jRHzv5_{VWh^Ff(#Q0dVps+XO9~#!lpw43>}AR+e{C4#+AXDHua)hN zG>$|vyD}>$a%uE^SzC8p3J;excmJV?=<^V7^i(!^06TxOk!2<)^23teV)c>Yf{dZh zr6mO%V4s>8+^1>omXdyD(9{qgHqP9Wj4ZN}1B*>KRL&!n{QP^=ztvXn z;@`0p4(O^D@(Ntnn!6hET9gBoWwAw1N`CUn6`|}I%@-3-YvH{l@e6A~PRpIAh0jXq zmUi&?l+N=Qu-Z2oEmK4bJNHIUN5WPW6x@Rp5t-~$Uf!}H8#V zd{c3_tfb)0uVXdv6$y6~<_K+5iTbdeU)1Tk*j7!U2x|>{?ahwfJ_hbF4Mv{}VurSl zAAgEVw}d@~(!@4tj(u#^^zz1i>5k8jd_!@O%ctM_lj4CLZasSAz6@4XH01OC15)MH zQ5kFJaT+_+Dt$ClUNtMrg7toVgZN9Mv242H=;~YiUb_NghmQDA zqOGi=c%4N@2m@T{yKf^d zo^*iim&tH1v^zYL;S({vyqH&WaA^M7b>{mU-%;-|&*Qa=@Wu>_qpIq9vE^L%M<_Xm zRF)POB|sb|@g}s-2f=T-C*xzGQ+ipbngG?|?%kIKJC&J^Ywd3+LWaONRoKnGzA|Uy zVWQXd>i)=wv-uwJrP8gx8~lG~;ReYsk8Q2;HSlhxAQLNX8+$&c`%zpR9_-ze(SJ$# zY`Sn|a~U~N{&{>n=^>)RQoii{nR52=j@S?el=cW&2!r3@yDZ&1P)3>#XCGAxKagy` z6DPYZ%3ziL#wU2f7grMbcGycsx2HxMkNQd8Y~u@94|pb9pDMh1>Q{Pw)3sF{ z>$a5HkCpqv*c-H(dZ%;{2qPEO(GkObCkyRNwEX8bbxoGJv8bwy;Rqi}Wojm)+YNF% z5RaB{=dL!-CmYkg7wzDU!!;4q%td`I)@XUPIW+r!FNwpt9e@38yREz=;JtmDEEW-yBp`A2 z+_{X(Yx1MYULi3|-MnaCK91S}*wYx_<>>9wYl$8l?ZF+vPqa%lxs)nqmR`cL+n4Rn z77f$UUI~YlYjVXF$#vf36P`*PKHzS+8)bj|5#v1#<2NmbjC}L*PMqmk8p*eCHkm0I z9d$OY-tY1yTf`k<-E#B{xyf^TB2lo|TjD9*NamF*rYNi|=}nW(N4&hXyG+Sq__Z)9 z)u`$xJHfuj6xCn9p17nWIR*NPDcX4Jk@f_^$-v6P7v=ollM=R*Px*b{HHks=oc##j&wH!p z@xkJU7t%H|UfIS--g{njm_1 zlCv71zRLS1#+UEA`{(?|-UUH|^L-4rJUmlG^Fs%HSA{ENJEN8g4;~ZNzpTZ4@_v}3 zmB5l)UeJ)rBR>ES9~b(>gfaYt)PSmM(ZUX$?&iYCDosteU1vw|xb{hY0qqpkb8D+( zmbV5BJxtEhXhi0GT5yK?b+{t)VNp#@U#sCU^o zo28{+k@ZbmxLHprlaooVEN72%T%~g67R@M-% z;>}{j#CVEIO2{trRtU$o+P_Z$P>nfahTIi0imk4$ZZmp!yUY`DS@Vsx_Q*BS@ds-^ ztep$}rZ(LR>|F0uNW^r#30zK3HPOK$_#L-Z#IES4r<^>7-qHCbbAyw=tco1x=zi%}s5H*k z&ZQl9=hLm>%H-v3QXg#V?pCK|+A(Vns<6N6Hj~}CpVJn!nZmZYn))-lWv)0{aAroz|8q&7 
zm~%*3MBII)1$6fAYIE+CPm+}XB8@n-4-h2|?MH~!jpVmwo$v77HsxOXO|rs)M~c5> zx;yPMi;5Oe4l`X{{IHtlyHYp`dJ0lf|9G(bGDAymns3FK!Y_Szi-RaoM8B zH6?D! zLd9}2hZ)U1E%wzj0<;~A_&NCRMG|d!+oXIqi%oDBngQoBhS&V>Zgyt z-rLo%Ve$U^3!y-pB>&qR<03Lj|1UquExP1?4LiN?`>*dR{~vy#q6pu`Z2!+oCUMD& z&C#!V$n)nB5dU}Pr=j*g|M9i9^FQxlgz^993&Uu`L$C}fG}Q+5Xt;| zxlbfz{Qh|bBxhv*eXz!FTgU&KFO-yf1Q-{Vp<7e-`PtYWA1GI&pRI(Zo-p6ykl%eZ zJ$;_h2lCtNZ%-@?fG9mqUS1M(y)=1J#ofIE09%lfH)`**VeWqVcYEI5@zFo`x?3lAyHr2OhzORdXQ5g7Ctm{Qz6wqqC*1P&Hk({3D z{N{L(!cXM6oz5H4ZO%xfb|8w)SGP*lGZ1gbSeA~X;d0IjTIM1tjpMA4ZZTe~Shi|v zYgFew4ZZDfVKcqpji?^YpT4pu84LLM&+|Sk-d9^{+fS(j=)zN`H-K}_A3Hd50$K>2 zQXxqvo%a||W%HM-i80StbnQb|e-sOKm;PppTA(LBq_2h1k7lBBw*ma4-6q~Rj{%-@ zty*|x`53|DoT0}h-O|V5vA>eg^kw}$)X%;w@f6`}lGaT)=ttl#p#@dA>}9cIHj-2e zcv6Z+&n^aa_^w7kz69}BVvul!)2;ET*X7n|NPfHU%v0QqZJlf8ZwBZf?aTdsGxzP+u{ljXKzckU?E0EgGhJBwLc3?Xc~vAO$IRnOA1ceF?O z{w#lo*(xiyR*y?TrmfXM2jgq(cX$@1LTy9hkcQrnld1ErtgRIh=K1P8(BJEWf-Xb< z&1~f(-_g$A%8z4T(YAlJlT=L6p7?7p?2A?<2tY5_1Lx#L{B@^c|>Skep6 znhI6ri(lSP0`=X# zS%Csg7;z@pn&NBllUdU9&Q5qt(uTL~5VtjV`xaqVQPCWdn11)LNAZfGDwOhaQP+6I zJZd4X^) z_EgmAM@ny&rHS98NCAMDAnY6&Z*ViZtwzuAw8wb5gK@jsdF%ddujT>X@Y}dIZ>X_D z&gU-6L#tUIN{olyNcyunHh1>)d{J9~TR~kdl%TN~x+Kb-^Nlsy>u4XsiD1 zYRYGA3(;`T3_DYWFC}+F#B$?MLQr_zN6~*`eq2LunuoED-g!8wunp=vTyXV~;|qXn z(~J`n6LZVetuvQ8CWwfZ+pX*@^3xq_2k7T2yi3v#X7d5^uXI08GzhokJjy$CAVoU! zxvJpe723sE$Z{jGklP2mkXWAME{0v2;;??4NtA+yrcTX8(d78)EaE)&n zBCRA=8`A+$AY?9ZO8`_a2C*q2x3ldpKDWR+{IDV`-MwHsatMZ-vh%&6`n1M3h5qi)G% zCc5YA_LTVG5sH9k0YLTk_5u!SXJ$n@c_GwQIekR5oTpl9s;}!Rm*$uPrkC=E*WrDy zi?a%Qx~A>UjPmfcJ@^{l%kXE2;^?dFGbmmKC?oWW? 
zSeZ<0K&S?Pc@i>Ud44R2J|}ZPnDeR3#Gr@GvbeDIAeWCw-{7Ea<;r(oCsafY;1>mj z8gCv^GmY=>V`4nz$j&1jbye)2tIkbB7(y~~wKyfB$4G4F3A{P zT**>EAhQvon3-3X&t&wlQ54pu^}$E?v@#*1^?X9SC7)xV1d*Z`UM&JKHFM(Sy;@c%wE8Lv6sF2U^2*n z@Rsb-i_6g#GJXy6`$}H>Haw5CfrOIsAIsh;@<{dT(yIX`vaBrCQhui)i75#Rr@GYH+#Vts2MMez~9_|om88$c+)hUjdX-OzEN9vEpyxN}Ywv6f+KJyaLDjJ9j)RfK><4_aC>g- z2C~NX@VW=151^_5G1+7gmE?gG`JT}0Dc?L`kdk(;s!D@i#q`#I<9eZV!Hh9v9bh-& z0NWb_ZAX{9W594`L_eROk7;;Sf^zeEqcT*T{0PkEJtBHghn@7}2dhVAIv>>N0ZV-Y z!}p0-#Gw|sZ)%`4yH6g4c;*m_G&Md$Ep_zm9Tf2a1N=KDrDnPJ*xCUY_AP?pgPl$K zCPpW#s}H1qRzP0P9b<1J`Q&H4RLCCo+7{b=VpC+b(L~C>zCKVr@|J*oDdn%8IdAKy z<}KZko{U}mD|ShY-|SyB0AB?^J^2i+c2>Yym6!MRDz*M`UdDT>-R$Dj9_#%#8SCmY zNR8e;icK>XGTCfN7(T3NXxvO-c@$Ua(%7{)4A8~?h)JC@}l;%g-ljfYmN~hkFPS^y2!tK6CbM$w8*bLxtwZ) zE;B+qggP+?K_3aMD(rILZjfohRe;D)%?ntg?b;|pY7U}KDG0}aCy;a|y1Q)&>AVk!a6#~8a-o*t>T=zEI`RE>odb|yA zlgq6#sffBJ8JS=Zev9XpxrOVGw60cQYpepJ^JqxG8?>bcHCfbT^c7GO zz%b#8jiDb=!?#1+xtdOqihJ8Zyu#wb1PwVf8X)Unkkt&h%bW&2n8CrUgZ0+2%CnN5 zIs=hbW^)(eKe!yHy*AXhyDyzbu<1FGBS57pn&_B5$TNORr*1A3i_mH7?OBK=thp{- zu!i9`IPUN6_V#*E{CR$}Up`a5M0$F@vVZ^0yYliBB(F62CK;LgZ%5TyXxAW^LUYf1 zBeC8b5*M9V$r~3=*E~=V)p9mm_^7NQ z+|^;rWTWuX?Y*x@XQUhbPFgU*#clwKPgrEaN@0@px(z=JYz0eiF=`WLaa|O(;m@DT z4rUwzQ4Su#y8tD&gT;!|lz&>~^~!HoC@DYHe3-sZyHtq7&@tZA^>`J3O77ERkZcK`jBi}<+GwVM0ENau;xw7ax3br&!NP>IzsMTln3(pQH{pO!6*FoLou);%0rlJ+Uh*q|l6(f*dPW>ne1 z?9GkRO8N??5`#(+r~>wK1Cgt<=`6>$_uwm~CN@QG?^;%^Xq<;9fR*RDVw1Iuyzyy7J>!@QPqXr0>V3_>v{4iPDKp{z2eE9%5`|B6JHl^H>^ z2Pty7X8HE(iOt^PVi2D)vvL&lB0pQ(MOm?LZEiyGQv;%CW}_a6B&KWM1-XYo-0(J? 
z`u*wCodJ(gwelShha0S{hrbNWo!i}B7p^YkG5hw}y53)_T2Z&=V$Ru%XZ6+fDxOa6 z>FXcgxj&<`rLy{+8N~7{pgmb2hAz88lN#OrbEu}zcmCb0*M7Sc7q0r4T3LW3!{e^% z7MgOKY9~JiQ$@LB$3|($7Y}2jpSZqC`2#lb$s)A#QC{~6&P6L2BwUpAjIkf*F<2^) zr05PSeGC;3s4}3e1w@T6(zsWvA;scYy9M(w7z))?b z9kx(UD(`HNliKRy$d(ZMncHgWePEP1^$$Xf0~lX48Xc1v2bxb{06yyH^ZoVyuP3~+ z1j1%mnRy;5s$9y-S55EfV^EN92Mo_ULmPVc1$6HP_=IwSRMxk2Am*jYPTg75N7xAD z#|4{vseH!A6O}q1UDK!#KiGh)0c}M~zLbR~tuEJc@5oR=YycVmJt^-Xdip%_sIiyI zFS2&taBuPW>-5AH>(2x1oE4%}(^f|-w!j8xdVfvh$lX-}G|jNiO(h^Kh=+5e6P5ZX z{w@Gb284|m_1tMTPE^S?`iv2IV6B22yTP`pSFH?UtEOfY<@Yh~-~-=(FhZ5zw7j4Q zVK2x*HbK!4>7!;|j-mC94P<>0!g{RtXGEqldPy17YDS;wfRUv%?k1ZuGo^{AErdPc z|D6`dkNTmv)9g%v_8#K?pm5xD`x`fq0E7dNA4wZ~V>{A7dt)PGf$FYU{zGl=`8}s4 zwB^(QUw6j3;s+YLbHFgtCQYDN5k|A&~v|08W#QfyFu?>|Uc zCt}1j{y9?k&pm&GdnW#c_{T-$f0{%7A1AP(G5pvH2cMkZ@V0(vy;J2NBYk_Qp-hCOJO$58ZvFv^L)a-09`Y@ZN-%!kEgJW<{PTgP#Bez&2g$WZcl2^>1 zpY=j}w?ZT-miRZ9sE6C2Oie{5OrQ7Cmpu0?HXBeZ$?n^*tJ2LZjClcUK*8zKqIaX* zvKHgTgXhFrgGZIJFjrL=vUP@<^s$m#_se&6n&nvw(%&+e7c}4wAuS%!yl_Ox7kBj< zU!uK|s(nFHLda|P3sl^-JgzYJ-PXPtf#xj+kx~FgQ2oIj74B``8x2;k8=__%pWM-2 z$7WUEdGA>R4*g4@4v|T2{flFL`t(fbj)YlUwg(akrjDu`NbQGiI_6_am6Z_yTXdtt zQg>z-nV#q8L(&|DQg5ME6V+(zJQ~wF4b9VEu3GVCs`@ws9Uh~#Tg76rG#N^=%Y zXX88hay7Lea#lccm3%`>b4C1Hk^nT%0qXs~)G%@atN(rq6g0Kr^l)4vZUxC;Ol4)CqQv;_|K z^YcL(fN;yY4ta(RShj($=@ON$y510k4;c~2mog8^QE(h!;PAFQ!% zkQD+cuDAM^FHUns|BC3#Q|TKXrlL)R-(Ojj-Q)a~gwbcf1G|;3=-{-j3!VxfhXL+j zQ1;6;l3(HFi&_r#Hf2R5pm4>LczX|Mn2U^lj1NQPKaX08N8ajB`6shn((;+eD(i^d zfe)v4_6HX8eRLB+a$~B_+hFqm3q zr3|b0RdhY1fTO9hJq46+4Uf!?^%WuW{QT>DOuF%5!VB2GqDY|i!Mp&y1&%SOukQw# z;!P+J)UB;1(0v;j8D}6$`^?n43*r@1+pZ+`F@y!y&6hkJHbIPmVE{NU&8nE>bzc2+ zR?QbRHIH0@>xEDTR|}7R!TKW8wFxg@F_}x^+-XHcMg3Zz6CNCYQ89w6R)EU^NSp~g zSbfe24kjsU-)6-O0s@lq2afOKj%B5Nn+=hs{RJ(Hmsarx08RbUjvVc8GDX=&@H0)v zuhsiC@8!q!Uk77ATeO5~)xoF%lfCPgC=;}@}x~N?C90SD>d^JHA@mdgn@8~OfUJEaZsz-Fs=vvGtRAE5A0NMgn zf#hynumP}nNj>ORV+Ys)C+0txUgD;wkD6lFHt<%vjb;!>zDqlAO?1K#`B}YzNP85g zDdajdmIi!L;EwE*Glw4}GB?!hQSSl0%uQNaTMuaMzI1!5y9jsK*xUo~#tw+x{VzzG 
z&^{Ef&R}&N#aBo?Tm?{WS!C~lZ6cgvgi}G&y=@iJ)+*oxgb=0M=&T%!;Rml#oGuNP z!pX^t)29?H9WjTKYxWciBWxZvnps)F_Y}F^0UKR-Wr?!r@JO+eq5gm*eiD>+i=|7E z%)0EK`S4-MiQpn4K%RLs8Td!p#WFO>I8wxM`EfcF#Ka=Zx9IbBT|y*I=D7t~n2IP@ zd&)vQfsM>F45JjPE=EIwT-mEB{?@||DQfAjNbExiP7N&GH=JIFsPhyBkN}w}fn?$& zBoduQOH@+BcJ=gP^9|*wmr=IS*EW*}B5Fn$qYLFH6f%7L!80f8YK za@ws#_B?w?SRig2ke=vBV0LsySe7a##Qo+i%a6m^!$x}ubsVmQ^83NVc(27~#2kuR8q#ZfRA4VWD87=sF zErn|KM$;fB!Y%s>gBf3aJDvrCEcjvQQ0b6z1ob{5Jwn~0Py%= z!>B0tr#@UYV_agbr_Zp~doF`lEbR01m>4gDu6-B81*jL0wNyq$dLW1aCzxDsk?0=g zW8`DH@%trUSR74uZz4#3;Jm#odGHqYQ3lZC>|!#v`)`|eR6z$0lnGAQNKhb-O(=4B z$CEzCRns6`}_=Cb^MGV^mgSRlTgn&@_KL#GR%^JK_b zDStqoLJ5{)y|%hlQYGnGw>*j21U!eX?qksr(VboPPQZB;@I9^a{391Ax1B8m0HB7)98rX;W`Jfy7Z+06K-uh8DZMue}5 z@m>zEiHJxXd8Uljx zR8o)@nhvIl!2Iga*Af03uspC~8=IRvy0Mase7}H(pIh5ahO~3(gD{5?(0&8L=sQ@Dh3K$T~IJ{2!;U|3YQP`})LRFp+ zNyogUhKrY%sd^-x!6DsTTMj&YC5u)o9A5e)9fn)T7{R64TQ<^MK41Dfqpi)xgt>)M z%GA0elH3r9zc=7dwe9rfwxv)k5g&mM1~}lEUk3%L)clLlfw4kkfE?ig0>1&!HCX)@ zFbv!bT6SNuKptTqD&TgV2o+sB&sJe+f_kWmFRoEZPrT0BFe5GxEW=u_9sZII6fwB^ zYqF<#bz{eJ4QimIM&#!78bZQffF1!tzu-cD7V|^MGO#C#(k(>>nR+v4t-0{yj~tpM zoX>E<;(6^;uV%1I0v-b?CM-Ve@`dfMu&LtX$3D2Yd}*@*B0VcB2YAQg8d}-NLmOtF z1@43kfQwO0wa^9_S!mM0=mxZcb`6R15LXe`SErauYhNg(*duq*Hmpo1?Ozv6Cq_gw z#>RnmjXhgNICuez0fuUf0o*3KUyF)zd~7klScgS#o~Wkmk#!8^lz)%rZ}mEIgirq< z0xNs6kQ#sdxFZs&SLL?x>jy=vdHo0at;-kkiaaXzO@21ltX{s*(QB-t(O+27W%J}K z!gn4kSrTaj-(oxcsBk}h_=%y~m*E2d7!~E^Ov#_&-E=Gaf%nQ=3NH8th?Y~*4*t5^ zm#bg3JNib&XwN>K%9!npB| z$aJ&>agXb}jJVfG@^@}9%R&bYfx$1&k+BRHdbUUu!H4~=}G$GjDVG0Are znlidumZw|ghLn4lh3VEUOJgUzfB!DBkB(U#ZueU9XRG*0zM`hwc>`ZV6>4Kvj_9-$ zg?JqW>xT7vGWTmrlGHrk_cW>+@MGpW+Yu2hAVvl&I5d6NU>* zRN_UQinFpcYAVn@$k^*M4Fb*F4B6r-nJ(gL@+Fo|je&pev=nLn_Cs;RRN5$qZmyX{ z!=+rYTsm_BGaXxd3*4h%auvKxFj@(%fku1X_q1<3@^t=Q9@p1R0eNn+y!b$tvXw2N z@WJlgV%E?nMWVTim0};SzV^X6+)KFBq%_N5fimh!n2yC{7h@i%9VQiHlqKPDEUc(N z96o$_s<2$jKe_$`*u`b;vn4hiGL0EE+mNQS_jpV9+*Hom7W7Y}qlus(oJnd30uzG< zX+F@6s}WEiiJD4caF9zgGR04Zf>tU{%u{A0Xe2BXW`7rSL!zsg`1gFh2|t3z^T3M? 
zt>zyZ?gqdh6kVPVc&LZ8j4yNh}Y5P_;E=<`{yIMQRf1o8g4zRK@ zXY0Tv9T^n@O*2vq^lJ^6QgQRogoNDSZ@W<|V!xSUY|)<5TotSo0OmYsU-3Y0k#-Jy zXt;inrFi|AEjQ-edDZzr2bxo)q`z0@a^+&Vp-Hjk@lSSC1a$TX)6{iK$vWyAxG$e3^iQ?KxuES^%?K!)t4*?VG0H9MS7S4sjyAb zoB1ZzI%&3hLNO-(cQ$^DR-F1OYn_Pa^m_-nuHjrObrKL-?XOniyF=!p4((*Rz2bWP z?J6f6hxgSCdS{BBCH3QvPM@UU)YVLJrIG~gUavXSW?v&H$B8Ga1LEyABUB{awE|%j z)HhsKn%J|enX$(UJ|wj#Xx0Bi5bKSuuu`8p!EC9HTR2@KVs50^+gm_X;Gm8|%KT{7 zo^j$SgdVMwi@Q5Qr~>G`Ou8j&i?5!w%r=z@^vBzIC8aGYB`apIOU+pq9NtV%L zabH3s@AD~&ShTg*`^o|^yga5|k3Tl6P*T2kVk(7U^&#t6^dG6qs`fmr$BA1ycs1+a zz~yGpHhDJ%d3fxm^T;=X_+P$$3_=D7`|$o$N-0H$MDPi$>KU!4HWz(~qmiP+FHm|i z&Q8Lx5wMU=b4Dr9M8jP}Y-bw0ndrzghp0lW7=~dk6$0B}4}%0bJcUtFNhs7_QU|ff z45?UKR9Ar93@p9m2D8j?uRD3ays92iYu)H0j_yV zKf9qtLsPDzwFG8X_Ri3SyF*K?KQb!fX7Fox0GdFVTesXmZ7OkC9&{KV4u1jiU}>hK z1E@1`g6^PdPHE4XhOTpx*jp4xEQC79dR;oVP7>t^b4;9UY&SrvI%uC+l(e-4JBT>z z78J$U8rRy*-7{<@#w7)R)YVdM^sbW!+2@A&|HwJw4+cDPL=gxm9NGF^_JZ3d(Y;JrQO3h2EEgRWW9n0281M6;<2H5qI2% zu5n=akHl%F_fshd*;qjpfByXD6M$P#$02(dGq<>a*=4uWqvUw~Ag}&8DUiyLpEst_9L7_E>+#7W?jS)MEq@Xp)ZY9nIP$u=FBWlge^)6ogN%A3?FEv>p}SXLvopV%pg4V9|~l; zvo^JJEL8PuYg5DWuW^Cc; zrdp4o6~YgELAxrHLR^lZoF5##=IR69dKB23-Q;@MU<0;ra?&=d4<*c8!Sqr)sD*&} z*wr~tn4@^APO+=s8F;K+B*tr_@D0@52o{4ocU~BqM36;MySj5*>SQ7kiz52ncQ_xbfo9^(}7-C(W&`U1|SCP;;~{U+B{D}s{8+vUsbG= zKd>}*p1O0UoqiBL`>gaWgf9%5!9IVWUz!3_AZ^Vkn~b4+`7E&yZw@v%kxu^>LE(c} z0a66eGAn)XvWL_OqDIe43WT5lH29UaZ#@u2`wwml4GPbxIU131dbwra(u(Z#@T2$) z%#*D&>A}C1+yb*2H+AchZ*0y2^1hS?o*0e;K@DT?`JuMrSfe+nsD?Qvu*>UIvXz0& z5-{~fcOs9CiJ2+WXDQN+V}<=%UEpzJb?73oedP|S;e3?f+Rs}s7)TM18>!w~@0sJr zm1|lcV$YFA}i^${+{umL)iv8SmNt?trL=T@GMQK=YQnh#QT)KUU!J%QO2uxHhq< zlD=THhr5NIGR%2xnBHpso>^u$8^#-WOUwCQjcmtTkymu};34}Bkw@eJ)(lhIUOG4* zK7CvoASXOLNQ?SS4etY#wsB|DXOiYdM3YaJToRu-=J)sc(f_*CY=aPk#mvq?OI z(eJGPYeq8^FiK3OC$WG}jvy%#-}9AKE@i!+bj9~sfJO(V9DlE;wyK3+3bJ%aiB6jt zow3b(R9yVJ-Bss6&4=zD-fuHtQOY0E+U$3yNZ3Y{-|dZ$iTcL3U31HnH-P1v!qVQj zb9C0o+QZqu(ed_7M4t~OkQL$bhV}O93g`n`j6+aUlPY+8P!>((=7-~fpJ8K=16hw} 
zNTs@@APX|S8yvCwT;?Pruwzc9H8K*r{*=EaB_d+tTmSHf+1*L_e@^5j^(VE5>V2eU zx@PFBwZjY3UyOA*L0&T*nOT{X4XT*76OX3SxRjK3n3!6_>w0;vY4*%z=Sp6>L}iJx zkA?{@r_KIodHd?@Ut`s%9ymVu3YX6|I6r>t#_))QBTb6rU4k{;?Qg-$*0m(57!8td6vT z=VDaMA==Owt zjbCgU{tT9xTq>b^QsS#Y~1y8S{NMhTKNUFu8|zP8I@JbaWFBq zqYTg*v_>&Xma!AeiEbLsZ-`W(=>y^hBo44GzvTnR@j;In{t#VzT|JoRih$6U^w==~ zk7K{{*B4;TgW*)J<)>m#>)>(!F|-Z?Z<57uv)IF0FO2a{ZV3O+Cfl09-+51^NJT4q z4paqU!g&?j{Oy}`)oFbI?a;jdfQ|{XsQtMG)49V1$$#zS+9({Rmi1oxj9uWZ3rb;|fd;F4FQwS`84{dy2`&Ai2Wa z<;r$xK3L+gHq3vA_O!)qYFzR&=fd4g1ZkR}fC0pY04!i)PMmFQYeYJxaX}D^>2Gft z!0{ye2YW|6PMkKaaakd9n2sD#;WMFO=Xteb{?1MAs8swV-k+ua=#MVZaK2mZ_4vws zZd<%NxPD3~UU#<(yBhTW#~`7!!}ioEV!lBY!w9NF>pV4gRr#tUudb;3KDL{o>qRRHFuV6+{H)`GX zV|9)cKRbR&Q*WXr+PLQBAshiXiE8!IY8b=NE<~Z`(cd?4fS0IwDcZEH;I0z=WdT)nw_8NRtV(x#8g#)7|*K|OsR zh!vxBu9{~Xh!EvYVB@p;26U=NR_FEf^xzBdAD_vTSR{en{lt12yzdnIlMPi@D*9}3 z!}d%Lr9@y+Q0?bh%Ul=w?RJo^Ff=xAK zcCY=SrMg+x*rq0~9PKIkuxhfHiBU{YK!JH5o^L@$zgYN4FIBt+r?!`Q(Z$cIotSXj zf$+x+ED9*xlMzOR%wlt(mRi}*U!>u_JRYe&{~GDngR9!PX}BKIWxdWyOedR;qnB)80T{nM1s=PY<)y8hxctBa zUc;*->3XqClk$T(hW6r&1VfnBgDAOCr7_v8XhzCL&BG~?o$a_ zdPqXaBTC7+)|wkAAF~@T9tB=<*VY>^E=T$~ z`-R(#F^;tsxvBFw7!f@b@JIO7=H@2I1yKF{fBQDd8IqE8_OUeEp9q_~HS&+owfsu{ z17^3&R%Hz0j6=pisAA%N*gmg$BKWY^Y~ zy$KcYU5?!f*4&aG(q@W>tQ~&4;D4ZpXus$0m%&)?u$zbX?310p)0?)3|8LG>mLl{D zXkbV78n3RdUIK?&t1L_&LD_**c)-|z&5WwC*hq$^uR6HKehWJW=>wXq#rIr)rmN7{}nKK|Fnb@@b=uN z%d!!T*`X5r^Kt3FFBBXy9q1kP9v=tSq0v4419V{sj5V?*A1&4het8TvM6|TP=|$*j za>Qcys9E$NLpSKAi0M1Hg7Eb(Jr-X6=rh_j%lb-OYgJ&EpmI*19D;8Og`HGi@ z^=|Mnc>tTzcYV*0rnSIH9qhiqdJ+92ll79-l7G(?A)_7KYv5-u-p!%=H9wCi6*AaK z&(6w<+TPu@e??r(uYu2JgTFmQ{f@QaF`Svw5$b1^xeqi`gtsuA4VO?P(di$#y@M}g z%+!ZZbs%v5If`KhPHJ$}>BR||*%Uuod~XJIX*KS^#Hq&#$ z2p9w4x1q(aSXxzWI?YN!@~LkacW952lCmTH3iIr2>A62f5la}v=R17ufy&x4Qp4bm45Uv0|TogOO2SVVjTdLBD2JO(VqBV~*&ucl|q*!d3EVcG9W~%jq=$ zQ!a2mg&Xbn?^o6rRFZD90S5A=oKSlIobM#bSHVuy2qRDe)nd+yA5Q9pM05L)!pI&N z42S~|&UN5M#WKJ#2E;kmzr$>B7{s27687K-5{}#fZ{|-U`>dHmLjD(X zZyiMfHcyL(v3(jO1eQ}2`pksEMSr6 
z#^1Z&y}vQ`{>J#u8Rv|%{y>DqdY(C-Iq$gc>$>NB6Mz$4H-I6c@8b34aJeo@^%Nth zdI;@%Xr&)`9n>TyjFOr8eJIHIu3u_DQf^8@-k83nBmnaOK8 zH&X@@=S}a84|Xkmye#ObuSMq6d2$3eB>yI^PV`K>`sIL*t~?RW&>eq!G21 zmy*I*l}nInUK22bBF245d=n$%!;KXY2%FSaM>DA8`dRp?)eWES*>_0k>iz~QgN6By z6_jD*RdR#BLvq1XV-AGSL6VL3u<1sWRx4>$BtEqrY_nfSJuvc)NzXI(Y) zttPBCbPPRlvg`oL-IJq7xSc0*1lA|i1O<@m+5S1SV?Oden3$QYZm5`?8{IgXC8T^b z1D1h;^B)GsDF(#l4O<#YKM-}HNL~YD0)&w;@xT*UgBCHzIAavi-Myg0h9udS2n3D- zj~aA=4|rqXr>VIBtuM6x_>@Q1r?!kM@JR>+JA{`m5s6wBjoyC5(rRAW+H)VMAFvKU zO@!=Jj>2}YW+jO+gSmxFyN4s%(8!os?~|qDk@L*Nr;5xwOk84_PecU!fs(SnpB698 zdw|6qfK~%gL!blzK37gLmb+e> zjI}%r@RwXfl3GGKpEwgmjy;*E+5MWGd$cj%`S3ZBED`gKzO;*aZ#JVdd}%UcN#6B~ zGYMtKwiy^>)7Up{=|jC_9)`8a(v+6sU3qDqb4Pkw`lD#=8;L7Ex9-IG1iy-F5K&um z;$rW5|HR6zfr^^?7LR*T-42;?QLjl+nU1dR1Am1N3eOHlR_vpOy2>*$4zT;}VO{Er z^{l?nQx^%tT(V^r8{;U9qcOWzk|+(_X}jydhG@7fA`)G))cC(8{DN97Z=|$FktrJ6pwuGGtF7K&y)gHRa`)kBQ2X$=>J;wPZ}_UaP8_<_uKWoOY|>6H`iwwlKIVT zu&Xd`NAQUl)9cj9(@fE9QJxduzBKAqV}cc)d2ksg`AbS}ap1S)^bd$$>XlE-?++{t z!ai<`(Jt@E4^zziQfM3EC(cOEx6{8GD}7{2yGW#r^4{N4UX&1*Y-QL2 z%GtbvcYU9ubuPVbTdU{|3=s5Kp#O3XXAiH~Sl~X3keKn=d>PN8U$cE2mO7^W)rN_M zPdj)&Q>kOS$T(KChdVg0Bxg?}&4Pc~R@Q!~ z?Xx%DaFf$Rf9L+`LUH(rKj-czB2j{#&!og=!oF52wOzpl#l7@3(c0yiOj8Sk_~cEk zeh4a4)ccU8cV~y(qw6{k56>c7taVR}$%MYHW3{FO3uWrwhVH7}zeMvu_)%lEIBKRr z-)Au?!ia#JG`H~NCr4Nd-Tl*HDrz**lPcM`Jf(Ex_`rgLa~zi+OQ2{nPYi3dz&+?^ zgZ>PxIaHvgxlrK(tm5RNFp2{P-_dVdOf=2+?nwsBWIB!2pe?X(-hYaU@}y+cEh@SW zHRBnh#|!b@3=I)@zwk`alfaoQ5{c^O`zO>m%?u_>8HT=B;`cZ^B{eM6Lp zlC}BYNorv^EEnS%H>=8Xhw`Q+;VY}|D8EI}uE5kqJOK)Q?3M@>HM2F3qdW17Gmn59g zraAY3lR0H?riMw@zx*>{7*LtgTapW#wMG_| zwOKKGxU%#S$9pU2pRCc+$8B?=6%Gb*pC`G@pZTQc(@;gP5JF*UYAX2MIfHl9Yl9t4 zAF}LC{2%!eiMO=;#;trsR9>g%!JVJ>D?Y_j{P2>K`B;<2B7i0f4Zf--6i-se5fmW zDNXZ-Z&WMdmRuVgU~lP`wv)_zLMe>I{$c2iXMJ$;C%|8W^l!(5pU>=e0-)FT9wF7I z>X&J55)3p?C(5k~s3_Q>*`v&*jiJK2-))tH6M==$%84?BO{p&UcX|J^v}^^oZA;nR z#a+Cu`3g<&u<$o)m-9F;nyjm^L8k0FDxOyD2*l17=9@<&Q`Ka9IovK~EIdNQ05xns z_-3NNAOE6{Bi^CQs0K~*_U)3*Ej;t7UuRAZkVn4zwdFQ5FR`v2*RGpQSm@`7CuzY3 
zH9~6QbqXG|#EM>We7m)UXGi$EV}x9Sq@Ugs1NVst8yqq9vXq4t1LI`k6)KK~KD|vf ze-G#W=>mChehasGbE~H7l$vL+Y8$ zP^bAI!m~rm$zHkUgkU{wnir6_g z*g88$uDq(Mskuz!WV{|RaTV-CY(FZhJ^S)}^6FHcN!b?xGhJ!8NkX*(74+Ba?DlPA z(Ibr~qm>`Oy`1mtWO_$UUf{JqUzIaEVAA!$g`3e*CqTQ#2|6*&&Eb*evUmrJhB{7t zeO=OJ)vgb`G0o&sC(F^jH{WMp&Wrk=-|GxP?u7;Lmms+q?Cgg0gxqgkCB32U{n?$} zW~{#jm1tsQM3$P#!1pXUatsXSZ25Ho0 zfBd5TU`8FBoFWd!zP`5i5S?52Bb7OCyuV$gtro{A@pQPK>qb^>*&Q`j2V-^}L5IC| zA2F)0hGnj&CgQt(h?(uA>{@)fI{{5uf+yfhk`e_j(=hfVbaXzl ze0aX`Di;TS*-0%Hy}9{enakKSdLJv+^lss*qLC5Oeb=+@x6dvM`lmzum?{W* z-sj7?gI_ke~{tDpql8hLd1YYx(#+B9Lv| zHwK<>{aM=E7$4d|7k$t!eM;GOiJa8@C7l5HWlha7m`fN7^T8(KwGqX4j}$R}<%~2T zX8Pw+{)1$HpU$m}F2b-YYK-3FgMYNLdcem&=e)Z%QRDyqeEg}wPZ?evFSFoX_%5Iu zn3osSXA^pgb2p1Ghlnb*~1*&OWSf(d=O|pdW=j^DVtsaY4qHyM4}&k zeSO<~fe1tiF)^`dfPA7LS-I$Y>`|v%A-o(_Nq3w3KGAnf?pi@bH|R1Em{^VCe zm;BeY;a8)4{WSl256<`2|9bWR<)hR84cNX3x%Z!~%`7RF|4%Pbmd)oLt@R(5#No*w zE3+8M{`U;LX!EG?Z0ku6bjTaqzX?PIX|X zqWq^?QXX07Kz?lbeuEt*u62Jf`g^^&!P`RJ0ktHukhNKqs?|h=wNX}q=dlN@sP|-6 zYi-l=+6QJ{GFcK^?EU)NkK!OC9 ze>mRV-90qa@GH`OAWK`3v(x(kxtNwkP4T9sxVWDkVpAJ) zF;gy8D*g%%&R$+lZdF{yBk!d)6c3B`)osgp=>wwXyMcdsyB)y8A=BieN>&%snPtrZMdvEVw`t^cyLsg`TqHRohbp zWvI;g^+k2E+rf`wmrUy(;mrN>79kmfM%F405GrXdOCj^mo%LtauI7Vovc}eej+ot$ zRH@7-R0EGc#Nt3qgejI6NUzi&CF0YetXF5&4<}0gm>oLbsqiFC`!?1!li_6wMa3{R z1268#EJ5aQO-OE!D3uIHbhVWgkbMLj0fh59-> z>Z_2FifERSKRSDF2+AJl#>u}@GaHQlK}5Z~5=nriUzDV2{`A&)y3{I7Mc*Ff5mHf; zW=Cn2L|fOORpTY0>o|tVvp9EKBRda|e|L!A5y^wPLZFi@oQdSXPb_RMy=dIP#|2%( z$h`tB@JBSnb&ovLOqB|rB)xp{7F6e}1B>fg-e5K4v~*6y5T{c|k98gXN=Nqo!iCVw zUfb_gl554ej-Jkxx%ZBK-4G3MRSegyaoSiN%$e(og?J@?A@&ow;|e>!hf=cpp;z5y zR;IAfz-|OWUJm*uD&Y-SCnZiw(7D!o~3rz(`+VUbTPijDSgcxl}Ci?t%> z-ryVB)QY2z5$g4*K)v3b8nH{?1P->F6$nHsj+c5C4-oj$7;XbKWVv(kfo1AUqSb1i zd138GH_NVE9ZZ1lw>&~M75(TUl_8yw>7Aw@U8(Nt4sI;jL4J~o+A-P>d~XeHx$*w~ zR=J|D- zr%<5YOLeiSuMMRsKkifnb~2NQG83+SDJ|TkM)Utl zJhJDZjOhqwPCSOC_)5Yd%BsJk9y^g%Q`Es<=MW|j!HWCMvJ7{JwZzpzZv)uy)YQXU z`xG(+pIlu7=pWx?kDbQ$5MgcNxyFp>`W`Dc}4pXjBcn(8oo 
z{A0V$@&p@uKceIeFV=>S_VjCTdP?W;c2!Xi7Jii&TN5!%t3Z%^Q{XoT9-4TeDC`zh zdVTN5d8Md$#>7Iy`AoK*^#cJGp(fMC&5@bl*b0kXI3}xptlra~=+%!sy0-ThAMx?Q z13M@w7Lhs9xwO&Xtj_o75gyHgOOQh3Fdj{kvfMeNOqY$zfq-YA8*F|-I$PGG7X=yp z_|8?$uV2KdJy3z{7%E1lUhCsmGL7Hn8>VlDy5=h+*Hl=`Ffj|#_(BF59rHMc+NUvP z(0;V?=kd`#f=hK|qBLg~EWBOC0P0br8xVZ114#e8`+x{KtTQ`cp3wNZeHKT3`9MgR z5K1{F*Q$rdc-3Z&uWETIwm7$wMtD7J$4>cdS@f!0eQFZk5;CMsA)zk2witHIqCb<; zCc=GY+O0BXrPlvA(=vABXzXN-L8^nv25rcjD_N7ZKS?#(ZREJKTsuJOOXMzpeBb%l zVdhbnuTKcoaD7Qg9nsum3zISG{`^4+HS(}>dFeJyb2io5Z^6;ALxW|ob+jMttYE2&x6_GK}P*JoH|H@MwgS_my{(M9Uh7OCnzNq%Irb|yY0W#wu z%X_=GU;tjnwtz<>JaTE=o~sY{61}wX&YMot*fm6tYA(mp;J3r{Gm(w89L5Y{hN9Z* zqncHBH~Tx)nQe>_PmmR7bSD^z=`EzHY>OK|CxMyGvHSK)(rM+FW%6g$I87H;+9JUe zi-{3`M@6r^-c%bzF6*M?q`vyOrPY4vqqVq%0f~;lW2zqb9AlCsrlFBR?&PS78UwGY zs)-kAY1!oFnnTE#vtGS7=+~Z?`!bwEt4LdCs&>Y?f*rDyNz~N}*|MOx!qPe^kZxaSy>A{IcYq9se#2XWW?so+_CcrK0MvgPo{MB{-6yX&ZxjG z6TKSMWyMgnd$^bT>fE3`+8YDkD`C@HJ)We4G(wJK`4YkAc6O{(Jt8Sdm&>)7&i?UI zqM{J$K%ZjNO^?LKk}=hJ2V4pw8D5^&Dy1bQkqH@y7wq{8^4$pGJMPV5XAh$SYWpc6 zS?C!JXE=8WGDChW`o?Llq+UJz`Mnv@V+pFRbbDVSEcOC9kF}cHK4jeH-7%jpJG666 zftygT**V^qL{l{YOH`|gTiP*}t$#9m=~|P|{!W$T`Y`>a0T&_nZ6eVnjA|{oo)G6w zjNs^(Cdq}ww^~NXG1&M)A3n%du(1^dC_GCLuxd5QN#6al6L&P%wddP>ieE2yn9NEV zLzvKCeG?P($jOU1`6Ipm4B};O4mpqTLuOOJ2>^CRC3dDMxco+Q*mRMKo)_T(CNJIH zO#o1QiRgkp*wuFzV1zBv^+kR}kXLglmm8rAZvlZVJKI!GB|R(4#6i|_@6)1V_4Q6B zdpO<_61SetN86Kwe*g)Y1Pw9#l8LF8(OET5+39aWl(;^GLd5EpKk>UR9xyuA4v*JFyFeXI!q(57T3(T~iQ6xwOz--QUGPWmlT z>Ry%%gDY}hM%|YP_S?B=BO3uXV$d96)O#H%`a9w>V2}&-X>TE2un0BZODHev1J>9pQp{7U@kJtWKmZOE^7GACcY?Y z|DxNYTYGneaPQDo+$pfWagiw|%d1p9aXE5Oj94sY(L*^ujAGmfE-ok8d!D(Ib!g=C z*rKupVZq_PN<(PR>^Xt-g(yPZq)4zdS`}SvMWLe}I+r+%ekF3;t5#DxIfSS(Vyc0a zIIqEh7B<-n&7Gy)hDXjD2w!1m6&3x^aV5TmsdEq|c(2bzwV|!izfCLHOX%Gu2ob_< z`3NEB4e963F)(x;N*mqJn)mZcr#p3@zg#L=iiaUNSMk^0{Nfh z6eWv|G0eAQ!^sr9nfjn0q=UV*))sE90gSJr(0B-{&w8Mb3#KKVD))J^JVa{iTe~p+ z-IXN@FnQ8?*wG=}n%Qy`OD698>eO9fyd?3>xq>4oTw$1-RRF?5v_wwzTWVsHehJv92 
zX>FF{<%rFJ7+xys5=QmbBR`@sTDRDFhHQ3trh1X~`x`YA4L4RD^M9mx`N$qF{DB~9 zR<97Qg;`lj@H)&_G;VizeUl59b0%p8$}=!>FUrK3%R6?Cl^DOlv$5aU2X;cERbhmA z+4VXr)RArz>5AQ3;SQ88E)L9$jBz)v%VF}be)Q3{dJy%zMKO(}t8JqenY9c<5 zgB?mSe_=j{C7+23w2O<%ABdHhMKrhG61Zlb0yj4`gprySm90PSc6{#~G~-H&<)am* z=|c&58g&CuN7fscCidaOhX`dQIenG-Xa$n?HvB<6_1fE9Z2YvqXf}ZAQszDFcXWPj+S_@&9nXcDJ`TwB+CrPZAcu-9ws#!BPdyUX>d6)}Zf{$vW_}^9F zj^?pBD2{kLtOM6QI>3EzP~OPXtD9fmP&j{{z}s z97i%;mz4xEeorskGp(4(25%7ztwx!f9F%V`f>~hA0RbFpny`SP)sU)?2u~~HJy)<< zh#J-{*L%>=^2kcWt2`f7+^6-^I2g4Y{k6ft;z`EUDTJwuJ6%m3U2msJY6Z0jlkexj z1|OoknCC69E?_HuS}d}$7`kgN^D)Dq`J8Sx0QwoBoqj%qUc^h_(NcNUh zbUtOOT5eHzB%a@18C;^TP2->94)k>PT0G zUhkw%rsV!cl~wqBnn~mzHE6HF{p2fYYr~82i~KUHs<0g~6RPX^6~@aMI|>1>f1$8x z>DLc#=V+dq#HcB1U)d#2j4ArePl;tdfl$h@yIti8OvCoP333Y!8T{?vPQ^A!ZrMM6 z7(eiT4Q2t%xL%&Bfdx{$!6FSN)ZJ1Tk5{u?`?hb3!{sDDp}<$ zeneS4Bip+~@;lukWHSdjW&X9Kt5GuJhmY2tLU^!6wI5$xhfSkj_&|0V;$)p#9>{8} z_A|extH!A6)-TFuorG>E$vYvwKhl53G75WHiC>?h;HG1~Nm9l@Cx1Q9@sV}fH%bF_ z>YJkUBSuOm1U>f7hc*gQkjE=|%7J}c9#V-6N}~_@^jYM2-P%~~l9h@td_ZOG|5+Bd8B`7Em7iLB;AC&}MGMrF` z^;zh}l{8<5V{DjNBTZNsKDqaOwybIKaoVl7p==eFGFmZ$P*t58;Js1!?d!7(7uxjV zgp_lrSM+xA$$5kJ`=8<9Xtc*Ie+0o??B%bln7ViVl5JmKf00^=fB=AY=7pOM^4OsH zPYNW1v{ESpQRx{br|3V{4Pu2&v$bEp?hMeOdc81-(Pa;|Cu`8;G*6d4w|SxOySv9G z#oQjlC1@|O`3V6_me4Y?mGL7RtEbX9mG(r=^r%apD!5rb>PdrjvfTh`{bItVAFi9B`#lbda} zrY!}O;83cS19#(Bl`(nOtr`kc@o1WlU)7Zji)ZIn?GKKNf!nE2STVTy?C9vh&Zs6$ z^MI$fw~D^;>tIe23Ab`*mHHh!`;U?LhN}C0`d%X|B+~3X9`WVyz~NA~5M5%$(>&vn z0uu5hGd~^MhB;@yf=piKOp>&hsJue@^eVNFK;}XeIZJ-(^kcm{GV)nIC3O^DimLWQ zfOyCTv$&)mfP?K+-yvOTv9WlgJ>B)HBAG}uI}#U#$7}G>U+F&V5Uz`^PpueaA33QB z8AMc{HPY?C4#+a;uRrw+rA%1!sjgXwQSYQ75DoZzO_xPyM*H@&*|l{(FgcKdSlG$4 zbunKTy~X_uFYNA$rZI`P5M`V8R%f0Zd6HkjxM^G_paE>@BpxomO6?Sf7ZTJ=^arOW z)bIMbcxsTQJ)nsngYlqNuFuW0;<3d$I|b_T1Zu6w{bq~0oY_U)9YMX%6+cQGWLK0JF}qNTHIlu>L)>?{>9SH|KB z9U`GXf0dk+5d`(*JOp@GRM4(}3-1g6Yvmk~bnLsKkW2XRpS(K9dt$O=^Qy6mJOfjd`L+MK!?d{h@FID+NnjB4NN>5!q@}(d7DF)g{#EJj` z#Eo2PMXB6Uj`t{MGEk?dSrl&NN2_0M^1LnZ6mG|5X1{&+&OkH(N=K1+Ro_@o4udk+ 
z@+=BX$B(me$>b(@Z3?aS>y5j8TQ@D36qp`aA*(!25#Tj#(}|O)yly~;>&q`wbXAHQ zcq4}Lb7%-Yem|-K|I@V z!ebPo!~eK0Lr463N4+Z`a1cTnd2qe-&Y=iOsVy!`;Y_j6uDZdGIS~;#@Z9N*tX}N0kv?n!w>vXx^OJfq3X!OGaIbucf@?v8d z^QxK6WzKfsIeRbiph%Gwi)^~zh9_QbAIuTh4iC*<~BrlMH+cJ=F2pLye5_E2Z9The+ zHT}?EUCoi-_^CP`;b8j?vv!P5_%o&7Et~^8T_+r7C?40QsHmieZnXTgWr240QMlA} z{tEjqh7fKBbD1rX5ObY^n$~?0|2@e<`jXz^>(rnXiJfitT~v;jqL;;NYCP1$Ps{Dc z$Bs-&2JLw-IvhbJ(!ah1^or2X@%MTcMR)`R9;k&@k48sR@vy20{TLh=DCrgQLR3Jh z(_(7;TR1HR$<5Eu@*mAdn07!|ut@8>G`lube}wk@VkATAygXUe*uo>1Y$}~Sh{)!Q zdfT+=m2{Rp^lJw|-6MltXk0TvFVA)lCAC|A& zz*mMurf zG4zDC_v=zlSb$*u>@u0Tx@9e_Zi#m!t`>|nN(rgZm<&gll><-$Q6K^-aJ@v@gka}+ z7^mVR4J}$Pa-ZulnmX|G7hBwsflOP>EM3eI9dF#i?(Q<+ie)oBzjST18#%ag3|J4? z@J>hcDVTo$0{PEeq`M}8(MK*L{I&J|H@P*P-A|5q2$#myIuhzg28{sk0%(cEm;^rX z%EoJb%u_aG`T|Zdgoflh!vo_n8qAoSOwd$kkR+~ik_PAfsr4j|CM{dRE7?+46W#m8!j`!65vi1#o)z|%)7E-=|$voR9KcT8*$ zsy+a)Gde;YqNAqX0+H%1Y(2j9P-ETH_@gme1lpK1w6U51S9FDgy9t0z?} z3dfAR9d{#BqYF zVqC4@7|YGAh|aJqtKRID(8k^oI$@e`#hdwlMoC9=vTy{*cR=gFV=t^2PkPThrfCL> zV~##h4(CW%fXBhHMc-|4+8gb}-Tj&k94k`j14RW*fx6`&#E4_}<^uBfpZ%|_q5)ze zaY0KR*y3^$6^QQ?mbNT{^)5Dwi0FLj`b6vNQW_J_uF0RK_I66g`06H68NO$BOhQ<@ zENgnokLS5XiUQMA00`rrnKFID#C_I5CsCqBwqh0pU;G?ARY!%pE0OG@D zbQkII$Bc!K3cHpZ$GYHO*{Lq`p~f*i)=rxE(mks+e9Rm@hAKOJjo;%jZWT&FSEQh9 zZ73sf{C>VER3RY3_pUP11}fEe+;f9Mud1R=BB`dl|D-^14pM~7&b~bNeTm*TUS$?V zn`v%Co)^(i_IoYE9A*RT z!B+fRly}>1cmQ)KG?W1BnjIyVvokMEb5ED9T|CVhLV9Jby6d;OA+iL@V?K`xU4aa6 zdUl~YilQVTCXSt!&8GGPiVG*G-CSM8{}`kVDR>L=a(h6f6p&575WLqGBl4FNRdhUN zMaz(3itV@*JeHHp_T-zS02xE}LJ5HE9a|Tue$bpbwlm;=arae^C06!Bf=<~#HL~U* z>fcZ$0u0D)5hyer3^}OWQD9uP#Bu?#&DF&rfkK$Uy6-wo^VctL?b1=eYKq$bl(q9C zh%M|g0F}K|n{V;3?0)g_@x}IGXF#`Nk*rxmth+;;=uK0WQWu%%#(!lCB}B=8o&KfwGQ@oi5(5JK zcr@UkbGXhM$Bm&@2cRHKA)F%Sp`k$2Y`^O$JE||hf?fJT%{Dnx6>{7^bh^Kxc2a8# zph9G1sGzex6vM&ELxoGsW0E}5168s_ZnW14gCAX^(|g83)PO(2r=$i2`bwf#fOa5v z03DftFhx3YTHQgfut8|CvB&OQRpl-K(ArevVm$L;P#_eBf|=F>e`fv<%OA-4JITWc z*X`mb*TRcY5VUi?vysXx?3}@M2pCtoRdeLqM>e0yLi1|tH8#t@Hf93Sa+nW{Et@(U 
zFK$L`_a-|1)7oJM6ZqAeDz}D_(Ni!Q<_ODH>75?{pyCl4)(f3hyart>v}SsW9WMa< z3h);;W^oW3H$~?a5jzOgoXId*wYrKTL;dhbk05Tvc;5$^jb|K__kpSQ`{~pAio1=b zvkqhT2$DAsWuPOd6v01iLct?!4hhwWtgP6Yh|O_LZS5=As8B>b{`vI|znPP!CU)9W zzX6k_{gg{J^F5dYIy^kG#3?+UV&IV6Y{bb&+pHv3CaE z5JxZ%XU>v!1{o%SCj|TgiWtDJ&z6(`07gYc=WsSI3_9w7Ac1oL>1=Bo;I6V>!$(Q0W(|C=Ns1;d_RM8x?R6ZE%?l<8BtbK(lAyqDFEh0M?U|) z@1HGMv4xiN3+%?lJ{)c&p2;1_FLbK|Jr!e!<^~&h}hNxX3nZp96DE78Cn5*~a z1=*SD*}>S?AOQfZF9+v4m1qG@^bvmwb{?Gen8DDwx?;v%~Nx8cXxGn z_pD;zw%)j&!3eYouPTPJX+d9ji(m{;80WmmmuJDZcW9a1NKX7%{c`?CB`wsyo?EA< z8oUbO0n5j6%KjqjFnu`-Sl~{=p_Ke2o39JQcl)6mbq~Dk_IB~hlRsKq!lQv`h9Qsa zGmY3ZitW>D98_#^!fL#UJem~Bigs0(u&=-uo_IdSrSU!PC%%1CO;7(Mzv!^qr{w5S zqaJ`A?f7a!eR+kC3%bsHQq@&MOIP=noWhXnE;Bi`GHI1g)&6EjSq@SG zxoQ~ew-`*N7_&@-^Ix=FTu0B=dTLQ;lp8gDq%j-7+f{m#MPd7sUE&;>0N(@*cXx6>O`_Xweg>^JeXUpu zSTu&0LwGK&{@xsW+5nlAf!firizAeuz1v(m%qte?9SgFJmVbG zJwgdWO-7+PlLzvOdf?MKHs|94&9cG49lETc_IA}_-)*>@F!JESP$==MCdv5=c{c*&9 z06>e$MZgsW;^)9Fx5a~p(fZo1T4QERy-23<r#ki}+5?UuK2>jv`;9D^~2r5H-%PF;!l{_w9jcdo-=1|sI4A8im$5ARNa6S9>Rrk zg%#xy-xm-?ax9u2qXvg|7Q%cx#@UChA}f2suZ-QZ)}WiB&+Pm4*tdVc+1@^nd+_Jp zWB=73Bh@F>Ke$8KBHTnm0)0V4^@5j~^3`QW0biL58kEaKThIJIOA0g#_S5_hC&+!0GL$$g`NxrUf*+X(;IN?w{qLa9JbV+cwoxSm zfKXYXs14UcA7R5!!u3%*b2XQrx$o&r>qeDZ%*q^m;aIC`~MQj z_P_F2|DRoABz108(;Q~zpV#PDw$G-y`*&+84o!9OQIpZ@p%KP2P-ar`XVXMYu~ zc41|J?_G6D;VoE=vlu^KWEy#Bb<)WVTwT*?*$M3NDF{rdZGMn8en?`4Rpie|2N?{(f=Yrj>Wme!iDYSflS(mx32p6iRje2T8(GPWRg?~tmmVOK%hnoVTQ^TUFfk7b zsO2UqUYE|Z!SjB6&aEs~e@)o!;YojsjFXcS0YL%t$rSM66y!ehEoNw{F^6S(s;MQh zu(GP{<|7+2@y=>A;F_>|9ClRasTWOy=#V!T$2+<`ES#M9Qf@`I;{|&|d#mA95-cm1 zRbA$y(g^=qoSQ89WoeK-LMkM(`yy$-1)zF&7l+!*3hvkszQC*jNgv1yP$NM>j%VIB z0p{w)WjyUj|30?qcGPn(i_-4e?DoK3`BS`q=Hhv1nfoa!DP0q=O@K0FvY1?6kg|E7w-uGMBkjg6WmBQ1%)c8j@)AUHJ_R90+0|;vCHCoft&{4&wunU`1NKRijm(yGfW=zQ64 zu~G?m`0ke#0x=bI6rDx(_1z(%fkHqYknnu*_vVi8LZ?CC>VV9ZMZ3E4G-GUOk_=_+ zT|5eug_~HU62UM*avXh99n3eAO?S;7;y_So0k28#MC=B(YD~*UQ_~gLKx%4E=7=os zR_D7olSIQ({;RzLcYGnvC5CFsCsLdCv@7K-e;RRUfm(cBM@8i(5R$$AMeNV(>=lUy 
z1rt;YJ)Z0CM+(24KE1ByVO3>y_0z6cPcZ_yg~i{Nbr5cX1{Zq+zyItT@=k%}k9ef4 zmuM&`DY|XS9ks`SUDZl=AF4&QC-rX;PZglB3e+TkptMy~K1C;8<6(7xGwJuy2meXA zvgUc^^6_xHyO*tfG~6|JyOik1*w}Io-H*Y*w;&XWZy1e;^1NfFYX?cXx1dPb%UyFI zX=GUSj{c=fF8#zEl2p6`?CK>5W4D!QeC5?Q`{<;A?AfkN<$}gx(yKi{lb<5vy1H_Y zE}pK3hl%E5WkjitE5pX+;X=+8PHTV))OsEe0Q%tAHZuq`4X7ol3+y4}Yu8c7pkB(^ z9V?L}#B<*j(CyeHzAPH>UWjk6(H{_7OD_W#_Fq4fA@*5 z89)pmBBm{niGJzdmnOmJ&aRxkLX8bq_dwU%NK4BzWT>8~sI>!0j+VD(erLjH3Nb1V z{7$owHAt?thHho#S>@R!k`7sB19>}K0TKf?1PYH6tk^k#n- z%?qkE|MwTHWMpEtXc%vYL)p1b?_~PJd48E3id&VyXNBC#j|ilvmua^5b3sap=mVu+ zGQ~-L%!uyM0ftxr@6A3ej9sS@IHQ zpK4kUcHMFPAAblMLAv;bf>xyAvHTf+*aq?i+SJ`_0il6qb1jjscTOKKPMk_F74VQP zhP@_h)O)Kho^PhRk1(MCn-Rx;++k(5j0$bY0d_dtb((A5+>Pr-)H9~ZkTb5VO_5)H z4=|%5=({me7UU$mYLB=3IUI&mk}0MCUonJ?gjQ}IK0I-zx7W7BtB=E} zX_~=iz(irtBhJs>oB;MEapO(r6$U;houo3$i=ebh$Y23YZAnQ9(OoO|_x)!Jh_M`Z z2^oDq!(gBe;01!brnGkrlb;yFEQC*=^E)xBm<#JOMK-W3j@BtB9c;QbH?JHEoO$yA z%mOG99|9l#FF$bsp7DY*Au22xOfS%-8Sx&&d5RU*LUebPey=@p+#D@8N-N$N{rQV^ z%I&vDd>+*urRTP*8Dm@^X~^~X4%T`G;9SUe%e=1E)YR0KELmYW*r@4&?xUlVuPpN5 zfYL#u4-OdOw_#q=y?Dks;8^Sa10c5lAdwSlU@g)hDXxdG_yjj zedH?{rab`Ck#Ew8K;>?yyQXpHulN0#4kb2Nm#3OMU|V*cxpB0=Q^5VzYwqA)ar_}{ zRu&f~R;a&yeNBVfpvJeo&(`LF)|0q=S1%-@ifGHf6U#F~@0Kzx3~r{Hl&uB}YD`Ek zA|zuP-7t(vnD+#-24skDpB&qhUH2JobL>4dJKA2%Vw|{1Oxzt7qDUzBob zg*a9QbE)uBbHjzU7wp-jI^h$r(sJ>V!IA=i8r8{ix~FM&U+C$M3`T$#aXa@!G~l1^ z2b>iD+5O<7dZWi3(;*bMT_9z~bx?NLqy|3&u4%852&w4RrJ1k>MVuF3NQTGzfLkJQ zl~7tM<~mSHo3=p%seZhVKGoj8diMPsVh5O_#G>umSJG_cA<0SRLt)8^A{_9l~r?D}M$3D8-1;W7MGUr5-$baivf zZJ^|N2uMW)lyTAM8`{ER93WNfE6R4?;B@M1|M}KTR_sftS^KMW;Frkz z2SYP}u6+utiE8i(o#hzNlH;;5@E zGyeW`UO7K=0fUC&tB;RQ*SU^6QL&Fd)_RCS`wKyp61Uyw>}7q4oh_%h1q8tW@TR`em9qk`whYjiQk}?+Q>rz*2>s3qW;& z_M>5UW`2&;!$C84%nj-Y&bp|5`hWNbMHY169vRq*KGL4l|G`B%R;Bw>d^K}~$OCL# zND|ZE7&~PdI>ZAmBX@kzoEWQL2YA_`j)v$Z8+6U5H;*HW1xcY@gGiMPakMW1^X#u* zL_Dme({Jj>(@l~=pJChJj@vm)hFG>>jL>NoKl%_GrA~GO8;;i&9i`g-A{64Xj>->R zaT?Ij;EwB0cm!&_3Q18>Rw@Q%7vK33*~R6r5alt@^F8o=E`ky3n|t13 
zQBTMv8YbF(L(=A{ImJ-ijbKu@w!&gvpZ%kL%(HiNyo`U@%cWUNIjb8?gQf8Xs$uY) zhp{Mb^Z?mD8gxGQT=|n96evJ@h(f(%(9;(*x3Mt)Gd`X4=HQD@y{=wt0*>TDKj)?- zXNtG|=JvKq@-vX3e4=w+!9TCb>us>z{O9v8Nh3}LR`L>qMRgPc7iTa}{Ki_v@alHc zJ*r%c@sc;X@OkfN2HDoaX^nGe%I6ltG<1tK;8y-oB3WXk?WA)lI1dkajB!(|tEvJ8 zr~*EQQ4K~dBnz!1L)qhXPz*FpK3)E{M-aNZxVgp6w3>bi$}BmRFb9C!W1+ZXCnSa& z_wdfGITVT$W)+aNuiz5Fn3+wK7jWve{kRL=`gtuYgEQNE_ZJ4iOP{LMAK=H66SKqw zG+cI_8mb!>_y#fO!(I0}KZ)NNcmy zBa{QJ=p_+-YV6v%<6S%&U}-9^wA#^UXNt^h&YrC@Rv8GFl$uCVTv1R+5M=OO8pha^ z9S=@SbpE>_x0%{#+qYC`r1AU(P&Curn+qoTftSFbAUo(*Q)0P12X~6;$a(ncp#;;x z@3`Z!vY$H&HhY=_A_Yhrvk{$v2JJZRfjtG&eG_L3d$|+qs*Ko7@0|*sk!|!T<>lCn zr6IDZAnv%#I%h5UsG!1hf24Y-Ao^r}jSw(^TNizv2$L2i4SioS6R9#TyLxFbqk24L z+N9~q{I6esibfXqvHQXJo7hw5 zX{w`GHe4yK9Em#>9j#|!@sRqG5^Hkxb(Gc6?hNnqOB={&D+x#P3e&*kA_Y)2Iv&ma zyU6Griu2uW_%>xRgtX38u2a>=r;@47(8apb*e}NTWS?REZ)cC*|4`Xy82we*2gtta zkEpT^bn(7qIr*x?_g_6 z+uJiW)$RS~j%zVQf439M=Kg6=;5OS51EJCSaN*Q({yB(fEDxplEsUY_E404>z534j zkn*Js4DSK5U+=eM)-dMIW4jNp-x-28K$W$eE>oPJ_eC0hK_InV)m9_}QgwoY4lUHF>vIBk}U+GDTp&9P@)U7ex28-zc=R${uhn$=D7LyPl?cfD{hgrw- zTeO9#gAqij!{W;Y&!`^G4P}E@m!8tAd`<~DjLn^;Z+&4Pc)PyUdbpVRzVqzJL@qTU zc|5?_z}K#4JDfc}SXcEAONuA6HkKfQ>Ko)?kiw)<-TqP-2~{-C8#zluC6c;a<7c2L zf@438_1Yu^m^31$w6KvdM9*+>{r^Gb*&!nGB>YQ53ouh|0u2bTwZ)I;?3J60a+?mH zEdIL<0OS9)=ym>4*qPdffxBXk#E^VfF<@LIEUi&M6XHR6V zs>lPb_uRB;6R^D{0#ylUu;;l9Qf# zHr?EuHf?(N3B5mW#M4j3n+RJOyno5*uh$c;^t?w3a)N=cak|V|{R!uTwbVbIulHGP zKI`HEvkN;;oCg-Svw$b3Qa`Y~6+=AU&j&b^&|J7&wK>~$M$V=k8MHM!>R zt^4-)(UbGQ2cpi>u&q*b0TwN8=htq3f1wf>59Z0wB5!bqeQ*6=BAW=@0SnwRy@Ksb z3!l%~-mX4>4;^h=&BIc>>llp_#n!rR`fx-VSg-HTyH%lMlgC`Q(Qr!V+1_(o?l}Y; zUbphsU)OI;46`~+FDo+qD*+FeF4_0m6}($~f6yhxkXF?zpqZP3+B;6*b0xur!EHC> z?c{2wnf_gxp>x_s?ewbmRfdt!5x;*j$ma;a?+gYm^QFhx0XT>Ca2-!@=RfgTbI#N0>HhW8-6vE{JWj*Kgmt4t%qOrUL>0TyxWSE`?Qsq+JDmxB+>l{0s}L{5`>$DGu;6p0m83 z8x|I*_3F>H4ySwzEUfpEFJzu+y)wp}V`?2Nz0jeju;U@mV(y{6@Czk?h9>SOO=J=Uo?$ zC36@tw7y+QUc(sbbeArpyj`r+tMAkXd1`9xQ|vaor+Rq?5Bc*Ud<BHu?GX-j( zG(S3!Csx>B0<$MJhuHnL$tAwWBkUx&o0s9&NIjG$Vv3rW 
zG$=(_?G-v7ifz9}})8kh1gNoDSOLh?9nx;Qpf_>4>yq*~SDiWWdRR zqRAz*SSy4^t&ppG-m2B$dxAGN(c}*!<49YhFGmBdY1oG6QS15{n;UZSZMKS@Wx0`Q zgC(X#1Ao-o+4XY6-UHs^)UcL3pZK=yCEDI^p92Xa6P>yP_m~HGU!z?MHmc>p` zO}nli>s_&_a`=GhFN3L|rU_4L*dFT13Dhh-+rY;&-YRXFXBO|tTN)Z~^6Du@FF0Qe z*P?d@bv#v;YF%BJBXg0TIqtXeN{!}KoA|EGv&FS-uPfFu9h~92j!6i~))jC@T);sq zVKs0U=6+gjA{X|Iu~}n91m=c!Q3+!pU;CoO*97=b*r1)XK`g@aS7?KX?FirGhbUD7 z$GbXoD$l_nu=LLST}P(17SP$S$n=Mmlcxu@#vVjC-!sJ&k#+lE0}%^dLt6uJOlGb_y(Yt!b zwO|e>{)+`o3py>U)Nxy5x2LNLsU+L6wkcKCaj){s zQDAC4Su%H(_tr(Tde$NGa~=Ig%Qkz8N`h_8#fTkh-EiF!@JAvGEB7Q1-H?*v4p@#= zHPN5ImQxzzDqaeOcq3m^*X^H^Jx9K9uci~cV^w_@&4m*1!-^6&iW}0F`M5kC=+$g{Mti&jcr5}wxdw()|m_TZ2uk0F9*RX&e^xb*=^OFwiZ*jZztu%dCzx9 zh?8;rxOojx8az!ysBiZI?wpl z=o+%ohD8(QdxEi=1@{O=Q)Rqd+2r7l1F#ZU=w$1$6g{NC|AGJ0U}7@fW`=~XKD)EC z{vJV!q)UOk%Y6Yy3HN+xb{Pu|eJ)mTLto5Yw2y!4cAay&*e>1x$I@!l!Z93dY~=%$ zApx?F;d@-c8VB88BatHS58U+h&8J2!^OA&%Nb7L$lE})5*S~Ia>G-bwbh@zOxmGY1 z>-&X!rg+tQx75c-7#*tcaJ_L+>&MQ)ZIN1Aol*D(#ZpN7KD@bIA)c*d#voVE~V*|BYt3^l1zIslodT zhU2JrO!94f<74x*Yp0s6!M#~MU#W$fIzDAl28zt_9zFR{KTA-4gcgD{Zfr zFJ!c?dffAPn~A;)_o#ytt-A*f+UkSmgO*{bfr_N(fv$x#)GPcPMh|0E_it*sk&EXV z-C1s3a^X@GNJ*w&6#w67^%vCj(|DYX7#DsQW;$rJh`lt7`1T!kj|-g@slME@ zMwGwY%iyt@%#&ft{wd2Rbl3wVObZpN8ZE&mE>suT0HM{!e+RVAyC5;RnU*#F!H|E8 z-)j4UJCt0M=AymW$0K7wSOKS!6kJzxT>a7vcYicTmbkOZfZ3#_ zF;VKAIUS{qjo+`luuX67Hr}&7tB#^%$qn`qVOVQAt+z_1zK#y~KC6}l+E^O2nn4RC zEBRz#M>wsgP4hui4v*Za7=3_7ymfmWihB zzY4#ym(B`GQBi^k#nUc^@5uWw9pVeq&-48&%kQv7UNyYm<$Qk0@N%bMixI3_yv7s$ zMVXa^?Th4K>yZ?=ppkCO()dzKd)$0~%L43RLUp!lKvq|1SIE1B9eP_m(iFrwYHp-_ z{{X(r(O;pH#x4X-;5j$0(pq1GKi2o}|*H=yuvv_VRb8n`d z>|hPTEg!UX@B2wP1gFRKi!+wCUTdDz?@g=SIx(r&Y>ZL`aX_`_D1SOgm{52xL3G$E zuw35qy1t-6ec1}ctyh!vx7B%;6?Q#GEdtMZTW=Ig0o^k8p^&`&S=a%Kzt#>AcV9RT z__M=Bm|zaezipXx>r*;ECpZXBnJ8(XI`pd`pc;M>R@BKtXW%$e*_cEo8l;_=VBop+ zH&d}I9Q?QtP=W1tPkq&mBT0%qn}V@Xuv(hLncl-iXKk!}+YhZz8K$di65#`D`4;IV zg{Xw7vpn}Iyvh~*L5*)6$V`2d_|TrxJr?mo$9-om+SlO7u=;Dr#ex02zxMODe{tJh 
z?>UPW?baQaqIvgIxzTtzvqjD*hl8n1gW+vn%4Na!T6TbFMnCOOJ)Q3@lNG(N-lB-k-9r-sh5k`x-Z!BxS{wnn|wIRTvMP4p@2AOpfb7+3DF+z6bIPk_b zaO_FbM0^tGhfbJ}_)=!J4vl>!a+92*aaWgpa~+0pfRon$%?)UsmP_#R#D5btP{}Cn zp$fa=XTZX{sD8`iLH8R2ith^_y33{?HDDwut&EAm*6d2b7*=^71K3187q#U?SOUNA zNFeYyWo?Ha97^=BTW7J;8%)!GW4eml<`Bp=9~+6uXB+kpwyy^quTVs#`Q4ozT`)8` z(2LZGx_EfBx}=iVm*nmV1&vlA#Vt%Px@`GN)EgS6@;h?BNig2jvgw;bMB84R8SpLr z>YNE|Sq;);$~~ z{oQN5+>mI~{)eG!|$Z-eLjg4@V6O^EcMV!Faj+=z9 zOMfdwGo6ceEo#KPj(U+VBF1lj=!y7tj4GvQ>~QmNzjy$U1Uc31pZQ1}#Q^!uc_Z$< zX^g~;zmmubX+cWS(`m7QU%*0*^M2???^PPIyyl~6Vv~2iet4p*h(&;^yNVqeCaMO4 zP`L~A<)VZZiPn!~AZcoRa<_;3Vm?FM4IPjJm&{`15K?m!ALbIj^Ju=3k(ZN9G@B#8 z%!pA<*Y%?-giJqYnJ%rLcC4wVDhQElR%t70>$Lu&aCMF8LwhVJ$DB2a-%sN`ZeqtZ zd8Q}G5B?iFp2Np+q~?e2F7MQZtnfijZ?Q^yj=#03%=U{&!KdGnk{dAOv>nQBA2WwF>7 z7U`gG;)Mf@6g5A_j(bhdC#cj`&QQ<;AvZ8mYTxaI3AAUM>lG#x;pVECEHm_FaO$bz z-DmWl&0o~2QbfPl?9}1*!ww*wW~O!SF?z5YC$C&q+s_Fw|C5%U6lc5!ljXSowCW(} zpNxIdQ#%Acy`6G7t0#4nO!QH08#CKCmQ~kB{=bMX_X4v^Z#_%wx~m3?EpJy2FI5$*ZOJ5 z<-^`he-U_m6SR7{$qM&|9=y7~3daJKSFM&5)>WE3Ju!Q^u9W2<3$ek5s9}=d{5gP# z@q;{2CtG<#K<1r)BO|9LbBW?|TXpN{$@8(P*CR68;b}2PfJVw2Uuz$jJ}kU&z<%t? 
zkioDjLbKf;WHEc7Yu68U!^iv}<;wdK_EXv7yk05v?)mg!z$0P(sZ6n|b8Tg2_2Wbm zwmYOxNplE5u-s@B@#6EP?8|raZii<$d0%?K*Jz#BhaC1lv5kquu1xC_5IfNL8Q}ku zTc09tnnRA~4e|%1A09Cof#~|rx4)mkUGxCr)WK{@B7=wu&93?JG>uC^Zw(6MwM#?Y z`Hz`?rkT<^Zr_n#qW8CWVFimtC=ezSQ)|l`+T9c($y|BD6epeUT?6I7jAIpE7y2=l zD?BA$n<0F1&1oHr38fvOABM2S|L1t+AWiu@5_#DbkWWu4?zy+yaD#;H<~K;=V)Ydr z&-`r@g|zINfStHgD0Z|q*tC-2PQ(6f*8kX!e+?Eut+MR!zWN|2$T7@gbEik*g4N~( z-e@FHSi{7YBhUDlm8Ys$|86Q}HPWhnTJ>4$zjgMD~YelO5&Fzxo^= z{5RdaeL2}EZb%=TGn7(#id5)z{&h>-}KY@aEIvJg)8eLgG}B{DGqqX zzRaI9dayMU2s4q%uhi=-(gX`gwJBR@Oqt-CR>9=WXrbF3&Se%%_d~cW`H3rT#uc zjCq^)uVtg?8~0+j#LrtV4_Xuh4qL)uoevV5=JYH=8mgRleo}e{91dL$M|Q0KmWuEz zUmuD|vM6y9J#yn8+!DucpK}G6sIZ${BKgu}p#%>c)0(ON)0HGKn!gnn^R}bbGsb9s z1vr!x-v2MTDE2(ZhgVicA3-HeZgzDFy7IdLh5{^S0wWy0gT2ugiZ(EQyhkb0&h}3Rf^Px^91=C%s~J zQWe1h=pi@du>}y=flv;*cPPzR-!jN@8VamZCB#znm#Y8usGqT{jGRb3yZ=npkwut% zxLZr|-|SBlhi>3M&)8rQPhuSUnOesDKac+(;ruTx=lIg?IFyBZ+HH$nqJC&nXL%Kp z!J_(VJ~y#mlaY~T@%Ev#QbZC%5?j5dt8SU&EO4rw*m%*0^p_KA8)Si8%jn%VP5U|e z;~hl-pLn)od}Px)9r<6zYTN)EHaq$EOoa_5C5JLY0H5-{w<3ZxgJFEuc^Kn4+n_`8 zkUAY<1e~iNG<#YidcU5H6_yknT!*10{7z?Y4l>UUtPWszMay`?%@<_DQ=ftCB-#+I zN-2RRz^SvB)mx;SsxBlMZiglfQ+eG=?dJ*= zYGbLSo1rTrnF6tZ^@J^kjZ=`HCN#{A@@){1{TrRAb4~Y^jY9SEdn+oOIDG{IPH}z{E5v%}KIgjt zYGCQQhJjrj#1kH?>%KkMCT>|*()7U4Zm*W;(q}-5rZ(t>s?>mEd5@zLI5Lr&W#ak^_VSC7yL+?;@-7S4{GVhjBLapqu zd%1;ZxtBo-#AQ|ZdXbe zIjM4&~IE z$GDS`-#o^SONF75uSz0=>LS-u$eSe!eI!{gZFy`uY4<>(5NBk42iXX+E78ChP9l5w zljtON_x&5mTiRJxR=HVN>TJVOwN+k9>;Yne<-%}QhTPt}=Y7_+Q$A$V2yek_VpFn6 zvw@f349!epo`F>>)DoKZb!yl0vwZF$nigB}f0eHG49lpz+zTyg#*;`wH~L25{1iKE zs;}h!UXBmEA*^h0w9~xQm3L0^e3a=J3+6^%xkgTTp%+2$ z9KAjwC>w3fuBIj?V(PD~5pZ8wxf6a`uQ1N(0Gc6kD3oD#m<#4AG$q!Iw2*((;}XKB z;~_RoHp80>k-1URK!5TpKEv=5Jzjp|yZtStUQ;pV8z?(~clC1&kLA6Oywa|wR`RKQ ztn<^t(E*kfNWw{t@fK@rQG_iaWL$D4-?Xk;EH+{6L2Nh{oPCQWIoVL|ewyK4I%1&2r z#(`;{Nqa9fs@b`uvRJHg(wUi~lP!ALzK^(wdgkks-lm3{pw)aM_uyRvG}a7%ihW@l ztrb39n!2fJ=790kF|p5Q>C>~HF(<_e` zKQ^Wl`#tis7c_QDDaFq>c4ti2yL!odBF{1{}= 
zannOUBKDQ=jcNF&P%$MDxiM@m?u=${we;-%p|*6Am@>@yfX`;YlfwS}0RNd}6E8;y zwpFNO@#@3|p&lR2)K9paii2}7Eug8Q>IX`xMhn8JI)Q7038qAuuDTNwYHmU^1{alU zCJz&&Ii=}}Zh4GGyB2!hv;`j`;98JOOp@M=22DhFW>B{dsIVLZ?09OH0}EroY1}|= z`kBqD_}~lhOl8uc3d9riDyiNgmWdwuhhd2+mk|2I%#E-R23;jQoofjWSl|`T79aCn@^Bw zr9*z7wp+z#DypTpo=1yls=a1hitD|>6Bw@T$4WY|8Ew9)QH#+7c5zJzDJF={gDlZ` z>qE(S4x&ZrScoou3B2gFVsN?}2S$hJ^)y^aSW z8a;{-RC6~F(TPV#Bgmf&N!toC)Ab7zz2j;NhJaH<#y^Zd{wla%Af2BaVKpT7R8~0F zfJ5s6d2%yYGTba_w?rqN;oHv-?lVE%d?pY@gu*+vH_%A&+Fc(jIu$Dwq3^&hqTE^A zDcw5Op*e;iUw1VGn;pcd?cRM`=NCzZ6p-$D^ea%WQa8S{h=gE?H!nKixQb8Sj@w-C z`mRd#t&gX+3dvw1%9{M;dhf&#gOuajsdlC-&9mCCy(FM0gNC%_4&%s&&n!_dQhk47 zTXGNxmvw8WgKujs2`i>&+o^&pik0fgRaWQW48mgJXTpf)f$+#v6HRX;(Dd9IOg-2V96ROst=K38HUehKmm88qh}w&}VfN5a z-Kl-yK;e0JAi3rFf*G9BO(<#HK8XB^cn57Mu6rMv9Z?_k>#b@EJURJru0}wE_bChazKK{dJp4GDbupt|r`rg_ytG41D$oFEq%-P$h zT%4h-thGc3_R70ib?Q+iG^7;i2M=rIhn7^jV8=wAj^+8G6@a%5}O>(}y*DcnUV zK$oED+3uEL$D+4}DlkZmiG0Z${+firBKQl4+XsHa`dou+1(F-pg;dbhWP2L`0(9X$ zO-eZt4u~lihLMeh&`KS@>o$#oKx|lQ9pO}O_{G7rhP z#BT(fE8!MyTCQMEzgZ^x>uJ7VO z3SI9(FEJq+>i?EYh&MbLml+u?;Nrn&>g8y06=I}nmZg6RTSC9rA(!EL5jC|X4w2b; z%f0i`!Iq;xjh#(8;Xc3CAEEE+JLJ)?X}RXNn%4GaQA=f27Ih^9`#{ltyNlN70aC&@ z9mlLP09ATTl*z60Zok^FtKJ$)P4gRVKa%&WMO`DLVB)_m!?cLMM(=FUiqouV$=~`D^*eZOcY;C34!af@DTmw&%}RQN$6* z6bFF`MsriuY2w_1*ML=aKIQQXF6x4(;Pq5i))M9w@T4-pssvIsZ)g#jj%}cp z$BacSsv0~nWy~`L!fr>=rg}4Qoq-aBt$basnjnKE-lFi@B(#SE&Y&pZfWICg9)l?_ zVBu?;-nw{aB7tt&n|@I2r)=BIJ3%$Brs@5pF9FTb-NfPHkYDf;uy`tC-kh|kXUUCrO=e&WE0i&9A$45Y65sDyWh9g2t)!yiKq-@7?%in?;< zPz&_C%CAZfy+i1EWe|?4tF>o7)Ouz(n#T5sOWbI;z`!nJw$;N_?>e$v+Le-AtQ;bf zqYIJH3dpf(65sxY>*P3|t^AF!SxbA^hk#E~l+4~Yxah2|CZg;cm1`V=9Fb+fj4Uap zS^W~pi<;Goq)RYXR;=4i8m%447$m}-bBtUBjY4c4GqwOm|8b#rnD^YsX+pia=$*GWEPXh`U}&a# zy|O@fzSnHSzUd2~Yp=lL@xwFrgxs^f0Gd)R0q)+s<(2uBG@~?FJ)4c81EerHL3KcD5V!OG*vxq!+rG2b~_yXuIn5Q9~;wL zS<87#kDce?{5=zW`IYz%DLfnv299R5D1$YWX=06%{e4J}#;^OIuFshIqNE^3Q>a~Z z^k5Ie5Gk24M5iRxew zlcVd*AY&KDfEsgWiLQ?>yXK3DjZ|CcVp>=N*wB3ECW^ABkn*+s1LpSY(u&puS?(g& 
zH1H4Z@~;Q~oJ8dvIvd>rKT3*=!EbZZ-MdOI%+Akm+bR3i-M2qT6jI~!{e}fgmb}h~ zg`~+~=weDpu5Y;s=~Q3SUkP(e60fhBk*_Oo)*mm)8=XCJCTkyTPhc4_xN)E>-^L5; zW)R35me*7}pwtTOx0NS*%mf-B*C%r{p@yY9)H!7#vz7&;Oi@i?Y`-KL;`m zBEeIOG5Vv{1b?JS_LsC9ls%RZ?NFB!^ND+W{VH4 zW2W=)8=j+WkeXR_J$pA?1~R?;p_*XdMG+foDwAe=)JZR zRU$hA|6Ie+>w>Aq(eZc)jfRMF*03u-_plf3`p`Tp@YR(@KTH@WSJi4p4GBF66*HuO zRudWO9{N?Su!=ok{Qmhs`q(MWbm0o3-r!ZR+PO+FmHrN1p__3rwF{dZF(cDGQfs!I~M)-b30UgohXp8pnn)h1!oX#d1M) z`N02<=1B8~RXS9>C~_}O;CiaC&4M74SmBTs@S5yWWBY<>am%w3; zBX~S`C!>;ZwAx{dC}~!bO*@?qEORBSMA%V^X<1tO$WY ztXS$oeLWOaMqNSLPDQuI)aFb?YlSU?8Q^~Te_xiPcwnDu%Ckd zp_)94Fim!zS>aJ(C+FZI-{9Ql&sLob4wiD^TnYM3`36(ApFmYvv@2O-nZ*pFl!7&< zCty)n?SVR5t?m8ci*4oiG~+54(%qGuadM`sP>$?$o(=MJeqV&^)bavPlQzNRkCi)< z_orU*?&4lJoY_bKVhJZY)=Od=686- zX=f&Cu2V;_PAHAOJGjr*S1=k7r$;9%KA>;qrQ+pi3K)2=;PN}ZpmM%R&5xoV?~@}* zdedFjmy;`Mhu6D#zC|WfL>rPJH0i+e!s!J!fyN6~_$TEhz6RJrlRdr4Diw)v+qs%@ zF;4(<5-;(_C}AB43_JECwJlB+s9xT%c3VSX1fboKQ#Un}+Y6Mz8@Hclq~aivvBClH zf&poeo&O_Pe1VOHI|4ZwbjKd-KgK^x0{K`WXCEI*LXvWP|l{ls(|$Y z-NgR82D92%vkj}X79jiYTtJBtm}&Ve63w50R0f1-!C=o&;@{y>U4RAR_B&5WOW|1D zxuaT<=iu`}`m&vsF%M|FVPxsPs!O)}Rg|yzT9EI}RzH~@IWRVT0`wnuYPgrDCtQu* zxFra?2T*cN>`{l@jTsIEob{ch1cQFhdi=NI!#0OsHrj>kv16{rb-+`*Y3HP^TU!qTR9awAvs4 zq2mt?a-W<@1xBVi@2>Sb*>~Aq4*0jG&FBmF(6TMdCyu@6pR55BpFR{P5yk;Z^TG@h zk)sm%gBP*4+mXx~CX?$26`1~)=WACpR2(_yZw(L6D=3V;y~bFncJ?a!bv%uL`IiH& z(>`&i9fp-8=56alQYW6vX__bG&>0w=5$1>1aJXH!Ak)607y(pi85!vuHX__TYXogB zATk7XKtpgLOFfnzjW!=XD1D6+s(C&L#WkiBJ!@kCt;n z`?d3f8DEy~roMT!s3AJ5_r#?jg`Lp{Km)*P7nq2X$|>7;Ua2d-V72h%yg2Np%G@s`91U9M zX1waWu&BQ>_G-R*ps2=y$h<(kc+^cx4tif8n%3n2pJW7rSlFY(t|<>|U79!(Xc!j1HdCsDj+Kx`hvN z>dH3Fr<{RJc}*K#G>!w~Sh2@;6`Cd{Omw0&a(;e@Etwu?FqJ28h+W_y$Wxy8X=35+ zLz>_*Q_X0Gc-5(T&1g-vl-Q`)xxBRAnxr0vnW!1R$4$HT#7Wmiz;1|Q{MPk}OpEuzw-QO14T)}W+CDV5w> zNOfXG=ToFb{3#_GK_^_~?yE7{{k3>)`vQt#tUY=O6H0tc!ORKR4JXIXqT-@-y~IEq z{?jmy0?yR#q5dq1fNyj{IbK69v8;;7d7mXy)UgK{2gJlu#Q6BXqrm1LB=uf7^7 zIk;K~hdg^eTCkxToKwzHrt&K-ji#XLCOnRzjf@H_it07o 
zgf&!1nMx&(TTOxm$W9%m-(z5liv^s5r~SOG+tZWhaZ^F{nPpxJ2CnK&xu}o3qiRx4 zVS}0UT^uQETZ?|JYCGj|D+yvga*X?wwQ9Xt7_%g&rr@Zs$q{-0)pFsigyVO?8=BJi za`Qe_#7Z3I(|)Nbehqkwh!);tWgK@!iL!u|7D+eq>3M&w&V*vcq4h0XRBE8+Q7x2f zRZxY@3UzBSqwx*YNXLXG9&1@@1DW@+qqR3Rp^2WoQd&3^`D3f zxye<^$?|h4(1I|LAeJ7^RfU%pOYJNa%P0j3A&Wp<(j{qTd!bI4Y?{W;VG(S|FB=Tg zm+1az_v2DkTT0Z-&DDy^-A6v3(pRteQ_PA`b4&~PMh+|a5v68$5KxKgNuaJ>jMb!M zz^GQ1FyZa}kww5<6aD;Kk0Tpqnq2(}kG;vfL8 zon?wJ{YXH4uoiuXQJEIGjB4X&w-!PfZ|qapbpI?G<3kY2V$0830E+C6>x0t zcHiiL>B~F0(Z&p!E2qv_6fr49XnKu~s9rL`{^hUlv2B0pu#T;$2~eSd$W+RF`&&Pw z(RUgjrmPqO;7_`X(g`c6>l^&2Wh0>G9u#Wc4&K7?y)OA0^3kfK*;7^(9)SIJ1Hrk1 zM)!4Pu65$toBed0c+KVysiSeZi4HelkH^LskhE5<{0M;8@4_^$l333Cnl95oYk^@Z;zN1~a_uZeDWz>G-su+sYrO6ktk1SCY-qQ0?0P1eCOLbAuYf zIlmaa6hKZuCwM*g9kTK6h}(n`N*rO+E~Gzg?ejcRni(?fK> zW5A5KCfmO@HJF!WnfW$k1MfG={(lz}pMD20;T32LzZ#f!1GpiHacC8cFw%phVqc`m z$}Emt;rs&vLF23Tvss|;>>V)a+XswsZ~0!4YEf85Z@@+y8~_0XApn51m~+PRN)caR z$YR!eRDgos`wQTV7#S-ZuKGRi0xViI0jC4ov&8<3EnCs%7F$t;xt7+yJnAg^7h~J0w5tjwq*~2ASqt`@!W2hVkoq83V=I)vm;)jOl*eia7fzO}wBj`go|AMHFE_yCbc_^)z6wp++b?WCNH@0v>-4bzh62T$sAz)^QhucgSn$8J+Ea14JtQ`HaIRDZm}xw*x$l-`g|(*mNRatm$;*oE(bRlLyLnVofXfbrV~L!&pj*BuxcMX!?74GIiE z<@ud@{u;IBnxdbU*$0Bq_D0UUoyqo*-=^8wGC?KECHNBP%F}#fSxoo9VlG|?MFd7czR8MBxdHSH5fz))yg*6%CO|#NmLaVtq0stNKt!H zA6Y%`fmNDI+{S>&gGAy;MxfdFPYXJb!~A!9f5U%ePJ1P9;Pd~_7hU{U32OJV343mw zh63wff3;g|DE<9k;L8FRDpAcpzlzhaHEc)z>(V&t#B#oWzt!^plUu8Swyz|#|HRHN zd(%_#a!av`nXRT1)OrVQ(}lpQ*8O&hfIaihf;(#QqUuNVc{Qaq>?>8L7dxfg{!1F8 zHS6sT;T8A1HeA=r8lDHGq9G~*!L_dy1$TOtn(BN!?Ec|bz=XXWS#q4_>G^bLVrjw6 zV7Rcf;o@pM?kHZdqoe6!AKl~}prE?=v$5%Hon|gzvrUQ^yeTsukcw(tf!(kc_nI=w zSxpiZ_atthcmQ*siCGxi2Z+wOPA_^%g`dmoF6D#!hnx3C^ zbHB)tyvq%DWx>B(7)g*NUfhiSF{Z`y>!%La_o$%mRHf)&QT;Q!T~nJP;zB25qYHEA z7r(yAdE73qLQ+>95D;1>DH#qYF1$|DBrpwI}YSjR)S1 zhc_}VTh7U-@5hFl)U~ma788fgZ*7@Lh#&2jI$f-Ig~<<+wKCFgyl^rAb8#}pbPpfE z2|2r;6z7wsNoQ?@VoU9}KX`9cGPcyR$8yfM(O(n0Fotj5I2B|tWp2^)uq(&6hLcTF z4^SGQ-uf)@O75T zu5%fH;}vz7Dx{O~wQj$=p`6Vt+5dxH6iGJ3sBW`?m;CZ7LMysii=MxD^9F8SAi4h{ 
zH2uZ*PR>M`)z(x-G=ji@EJ%YM{w#b*mSn#_`vZTUQu3+F%#g@Qrk|F)rkBbuJ%>d; zaYI?wt{V&6k3(Ym$-_EhpB9SebV*!$&T$kiS?S0HvSChC%cWEVV^l0~USv%CyZt!q z%!&H!uh=Q?$0yO61)SB-v8cPm(lS#%V|>Qw-htk%`*n^M>Io{Z>IR33GTnR^wCC4E zC2BWQQ_Qwv?&M2_AJeSD_&A#~yQ20NN1JJKFH7P;R?1vRqszyruoXt?kF;AmXl28Hhy*W@x5|BWACU_aFVS~2-V z92(3dI7k9R-XaVAv7w%DNm_g~aooSi5y~YPr{p@y^8UhMe=${Y^JrR3I9`OQ!2$ei zBvU~N=feu)eapO^R5qca9(u10UdK`BP%-3$_Vjx;cbp3YQE7;V7Fmc;IG;`oA1qZt zuXQc$bv_~4=jEINji1`G@be?jrny-|A;jL7L&k_v^ISt$-+`*Ck$t5&jSrN?#P1*O zAD>Zdb_8~J2yHZUCuxR~?!-a+x2KIBs>z zY`f^~q#qehigYPaaZ2gJVZlr#gE7AM=2EuOV&tRq`Fo7L_p8T+!GpAI5BEKCGPf^* zwYL1{V2^Q#WCyo=7p63FV4lu2S>hc955Sj9cgf7zZNYO>w(OIF_~uf9#hqn-3BUyX z!rKSn!D4tVWE9uOPk{6xZUuEiT`}ohQE{Q6?XhS#3L$BS!uUU%rrN-P7aGjdSa}S~ zCw&f>Q(g$*e0*CZ-_xFl?V5ajzfW^$L4i~b6I9-_0S1U!hYk@8J z{=QPOwoV93c~g#)??T3slvZ`g`Ql)J-vINb^#v72+;Y>aJ@fVoLZ=%zV4+~&A&jpp z!3T$pR)Sgvh0G$v1AZ2DmbKyFNco)fBOP>AapA1A&_Kds7vvtFLcv%jLNxbaEDla@ zHHr&E;KYH2dl7YHqK;{bx*9hithF~~3*jIB@RAEHA?iSqlKimG=id1GYERYu`@~H; zp`uqE-%AaDYWX^sJdz8o#5{S;$kowAB;jFl3zZHxOg1F5#^&b--XwB1xQmxi4UK3H z5)O)4)=3ID$(tL>diD8uwHM(_soG{N*84Dy1~pp`xDTy3NMTmZNZy)c&^l7X z?F3e7BfsHmrZjL{hzwGq%=ohrtuMZN>z7_XX-ku%!pLkgX`&WM_WnG1PT^{UyH%=Y z|K{@YamR=L8gY_?X=)Xh7teiFHvZjP18=?R8!znhEYQD-1?-NzibB0RbqkTD9DSrq z+Dw)KGCFGI3vcB#y&q6xRJrIe7JHrMiS_iZAhFf_`6uZ$dHkkTG9sqd8KX97%m~ih z!IKE;L2I0$iNP=;r#>|n-+zmc&kaJ;99~FBoE(m<(SW6AJok)pB5^fADtpamM+APa zIwqPhxiy?lk$(j4p(~OzL4^PUXn*ff1(`SCf->&tiE3uCFT3BJS$UEIefVz|ONx|D zB>lM+2uLi<=8!+p5D3$eJ^$gi3%tVSe4 zsQ=lq3ar&1{%==USLVK0L|l5}W_%OQcZ$A@pE}T_@f9;=7KC&-syVfhNm6r+cog|0s2YYMiaS(&-Yj zdlNZQKtU}0{^VESKL&uz(GE=$b3H!oV9iyj_8s}-k_z~)l-n2g9`WZ=k9L6ef}|aF zoj=PXugpO}Q+(~u7b8?xVAiVpxzQh`h+G-ah*I%!{w1(;OwI=1zbB3Y0ibc{D&{jq zDgU`O4&?-(WQeTEY3ba_JOMWyz0$DA`;%~qlV74v08&Cr#I^#!#1FIu#2d+(RAUIz^N;1)fvY(dyPY+vx_ZRE}m^5Ab4_H&c6bsUep0+Qj&Yl$X ziysZ-qAxeUuRDnx?x-4nJ1P+6a+ZJ7&lD$e?ffVG#jkeavu{2Uz86!fPxn#lmv8fa zU4Gr|f5jnjiN0K#FfY-LO1r{CS0L*OKi?63;J0wvzog~9`@EmH$vb!#VEJ+06+{lW z0)>a^04O{G5a}f#1}b@`m3Fk7Jjd*!BBC*jc@JW2S+%&rf<#q5tO 
z2b`Q|4({vD%Pi@QkbeD@3Yr=fIq#IXd>T7m2lL)Mtsh34S>0TdUlVrTPj$(X7U^ytP=xmZD+*1g6^tN&#jJ!*8(4SWf`NZo88& zaT9zI`)E$Z%=X^jS2L)YgAj1El#LpW)nU!Qf?N6p2g_SFPN5Q&)y9_x+F3y#dQbg_ zLdEfc_7zKyAv`_@MQg5~Ms3fh1Fy8i-a)T_Dew9YgSK)!IdiJFriT{H_8GZk!|pR$6c- zHMVi%ds@^(WNS=IN6<|`{9oasxBY{<*~!Zv*JlW(@UzNlQ}NR}?)p2UvOiyn-2HRS zV)h)L9_AV;{Of2#@9qeBj=$L}1#Z+1a_Cj=`ObH@+-x6qcgwu1{{80kg|gL^42fF} z&=jde=B8tk-|6y)NuKfO;wW$lLLYDEo=3dq-Q+lNlAXh=-GiXRUS<9w&5KOMqqFBT zLyS5-aqec2usf;d3d6)Qf8WywV>};=_C4Yq7NiM00G3?)Moqir2cKtwz$g8ib>nN^ zh(}j#FoV-}(woyk3BQR8@j<#vTH1OK(^LC_$te|ymV>_Cz!H0pfng_(L+VN$J(q+3H>Rm#8`;8+8<*Cl>@ z0gx4$(BJ0J+j#=`aq;yLz#PC@-(0L+AMWp`{b$9Cvrm6x0tlKe$zY-N_}hI%p&<(I zO5Wf8AL>#@AbN2!FMhLW_nDUVnTK4bz7T1-cHDf;i0;Njt zFFrj!qp`7ng*z4xCWPEJZu8~0WOSsAHMsuTQ}m%5)%x#H2>^kAn^lg*WAlF{lK(%! z@%)d!u#@jTv&1}W(y*@7a)mQdB$Y^vS-fPoD!c2tP=xd!#Y)vJnaZA=rDr62BV~ss_@#bJf9xA>3GmS#j?<7>B@j~LN^MQnFwz!P{@vsxZ9WoL6qUrp{ zr^HJ^oWNi0ec#EYPhfB@->y+=uPgEzyXEsh>+`wlzzJO`3lX-@om`O1s$whCvJRqO z7BX$@E_%?fW=OaA0*GsrF0lOI!_2_;2!hVIZUNq5PS53S}*@RIUjdE}J3ZCq+YZ$FQ%H zQ_>dnC1stagS6=fu5(Nz?U^sC@Az3?vVl84L7ndXVZjMX>d`^Y@#5 z`9tG;;YekO!NU}L633LiK~C2cT_28B=U|~zHTlU0$oZ>=EdGM7!K$fdz>3lk;~q6P zsipzTj7fX{jLT}{=Qy3Ja@3Bo+xZfg;i$H&8Y(J68SY5VywZSy^1GSp*!s^A5uxn; zw|^d*%CdM{uU!#_d=oDO!3%oh4Czg2vN`EU2H7}a*4+wHf%sw|4;j`RS%Ti}gP zNuDqR?LRPgD`K>tTG+cb7<}S)vqgk7)M9SGK(FHU}fHe+m{-}?68 zl2)9ApL-Tt!Q3EzzJzlh?N4Oz%1bTFp_}51O65y#oAP2?lTsWR^T-_~k$PAP(ro3* zw@syeu*WRzrReT;omX>c$*Fy4;4o)@+lsEm-SH@>r9+wIi0(5x_t{9$8U6#KK5*CZX-Zvx(w=`2<9OTS9Svb{&sc2q$DnDgs#by{AuO?jS2tUOzEh zau*UnF-GAW^2qzvXL%qc2GeO-LrH$GxeBBciJB8}d%p#Wyy@76@RO4F!Za~tHGD^v z@NoTB;{{6MF4N_lO+c;friidUH|)Z1@2Xqbk(syLWZ+;6b47}^e%<_Z_vrx8DX`an zuh(U7|C)arhiP{H%!-QpyN)CI{hbS5$&meIub&il{^L4*^?ea@?b9>S)V~ZhEOb-! 
zB6WX~W#0vflXn8>GIL`(RXb?G_#HEduK}Tcn@iZlqM@UV`hbXAgf7mZsfX!MXhJXc zQQ6*7 zq`7_>vj6#A>tkzb3>y%uNu^Zl)9?zJs5$TZB;^o^aEea;{yyG~N%Fqg zU!UPG)NjM`^=DvxQx2tW{1 zjZ#{rs^wVZI=tKEtwp~vO+Tv8QS*AJHlI`}( z+G8;0#sO*kK-IJ!6&KH&#QXWYaduML7(;r{${Kl#wg-bI-5eJWQVgTqnC@Km3OwJ` zlxvzEw|j{r44J-7kfd2C^ue>?a~3ANu-Veo4IzY!g#q(9$e|=!CZs*+7yS~( z-e+sajorgDfv5JwFj6Dekb}I_pr@jY(SF=@d^PG3sg(ywyjjcj=eH4`AwKsAqCCHG z2t^^;MK``x!?gmKFqobcgpZTU7hu;?*sm}3PBA2`+K&K#5JHrQlL%moenZ!@q+d@} zLIcB6FwKg9BQaS7&&Y|-(J*K3nkLZ@DU1NTw}qhR?#-6`wW0i<*KfDLR#AgYbms^% z#ISwH$c<}*Sbn4w{&|eyvF&STb@&>u`wM@dq;@oye6Rt95 z=hBc`R@H_e0|CoDHt~9&Yjsb&Aw`mt7SEZ)I%UI=s3OVBksgwmJhAA{5+x-n`_7$1 ztt{{-(GuV1eoF?i#w>(zwTK&?$Ior+(iy;0DW0%-3Q!&D=nRWK?XMgvw#W>`_+{T= zSJmTB#MM1`XK?sYB|xlc<+oSiWMJVb^dJk`n6_WL5Ny3lnf=|59kC_ z)h{9HQd&z4K+80cK+}$=DMzDjP)WjJDfYYbQASNUZCd}y^$F9~9E#T%Fa}WSMeX&= zmBhd)h~{S`+MV44s*y3@4ZS$~{t&3WZw-?TYsk9@jl0y2`*X%e5D{Zff<4_Ik+LXp z%Qk%2H=38DJpRDB#xr=%n|9$Q{GR=Hrs6#s$xou9F#g|Ltzl*OgN`5lK|B6}S*L2)7Uqh#rn-Wvrn=d}Is;E(yq8}yC=T9ON zI5a z?{#@}<<~Wg^xKQ-PCs!&aZBik#d)2XMu0=ouVWtFmj*>p)kPA)$O{o4R-*Zlfxs@t z3-teX+k7k^iH%{ERW& z+qIUH4myQp%YI}G#jwgVKmy-;SUt1%sG=u;)NnWd)urxG< zyR26jTJfTZE3&lz+|K1{_bH~ppS9mF%@>+5#ffCHvm7AUX=M&w_|Uo-6W{yc1$P0F zt*nUl?QD%$d+x<7!P_Haas4mAv7EoD)TF*KV!4(GvobP?mCii_9R0&_<4E(heI_xH z$KJ&*Kd~W?YR!jwkLjkX{}?M5^#6CHv(tt(Gq=Ol%)(e zlCJ5ODjCbHNw4P@L|Bj2RFB?^0Ju2{=mV4&H&psgqQ*@KV4DEV3w%g#m$Y{HOwO|t zG;S7kd@C03&R}iVFqXLaz`G|^?3upLv#T`}X)`62@tPJS0$&jc+fgY1X?dVe7=W{c zD^>f&MUA^XksMXJ29eTu)BxUmg`T!R@)Hd@mF$V;FFK#k{_1KeVxXt&K>Qmv<3o!+ zZvPWp{g+Sv6A=9W;_*YKu8O~yH{j-D`|N+8YW+W8Y5(P;c52((YuayIvZf1+0*(<& zqkIcDfUJd@mWuj%ATKsx;VYKjl1j}=+jFrGs7p}u=}2ESRZmNC1f}lna2>h%>%rd@ z>hPr{q$>ZW#qNa`Vp|fSI}k`T6qeF_*DWMl&DN>2hkDRE%ChhkTuEm~fZvP(udYb0 zC_qclUYIK29Y<41nHuxQ&PraApYzv(6F2(~FfsADm}e^kPClq3)7YD)H+umF36e~B ztY_Dc0=CO>e)kvc)U_No*Ihkt8PI*g%~lZ%%}Ni6iKTQg-2~r#7E|?%yCGi4^ZfX; zTLjf72KUS~Xyh)1!$pPa1<6I;TA>6(P0%V8ZIn&XjFyTR45GEeK}M|tUBwlHkBUcH z1~a~wJ~=(Lezn0a2js_Vi@LF7%rv1b)M|1&$wvMgmL%UPYO9S*$Tuo^yVkzku)+o4 
z;Ca!$TXQFGv#tdz?+kuY?qrhHKCUvRjSlB3bN?~GRU9mdVT2?-O;XEDz-l>C*$(?= zuI$*G<7%~ts?)i3Ogk&Bx>j3UulZ;%{L|dgV7~AyEkuMP8TDYgZcfw(QDV>TNAQV zN~*JcED#Zlblhfx3zQVy%uQi`7_tqj-)a|&@-M(m2{g(N4MY_1Y-6%kAuV3zMkg%W zsRQ}pF#k05m`5>EtNet?^(mzxx1Y;_vyqC}a@0KW9#eRIEB0G2b;BtadlA)oiUHqb zgM673bC%{KIUY9diVC3n_$U|t}W$Qai4QcWpi?oT2QR!g8N;^(a^q< zA(^K8IO46Q+ZIM*0$*5?!30HgcP-P?)ATc5BGl_f893;nN(CGahb7%Y3X4(Jr?{gW zA3u+n3+K;|gq}_mOW3Wmz&+u22E~uyfnNS!WTWh!#0Ni5Tu2IL0l`Pl&2&6O=|d>( z*s!}O6mL+goC< zk_FzbK!SdvxB))DT}Pv5mApNS$pq3Od!g*8!& zh0*JSyWT8C<@dPdEFe)NSyjvz-uT$hENC9kDidFE+-1fuE|@J((SZG?qK^*)$4n zgy9V_$`wJkez*8;p|_93*Xxp{CF$bf0Z4&X2(S4IUd)qHmb@RqYPL_m+4}iAGlb9q zX4{TZ6flVrPciRe%1k+Z20xMGw`Wr|o3tu1Ky8GP#to{oAaptKMJ1!aAe*53l-hSG z$WC^OjR~cg0YMz2oKA>axASHjPX=$h+jxMYU`@BzL(5 zhDJfsMVM+2QF2KY7A5_t2a)VJoT1xruzR*#(SU9EB)R_FaD8uq#+D%RtKo4vp7@)i zOuTJ6Pk&eJ!bU`kRk{Lw>vB7#pCP47S`o9jN?E3xZ9U7YtTMqn1Z9$A)l!4KFN$%` zEEbozb~;DKVMwWUg7G%G+xH{-jQ1KUY;nG%=MzyVQ3zgc?Oh7Ry)?vE&G?}wXQ-d6 z`;Y;}$FX7SA*?~)p6&{EKiSM3R|;{LWi{T&iugB!z{c*3)+X64AxoZ&DLFR0z{?Bp zh~W1hnWib9YYoyDVXdL=G&Rgk5&;M77hz?eZTv|7x>-J7jD%~r*^lg)z^b`e-~zdx zw?MceAX@BgaFTQRRhgP?pa#-&5Qp7NCGnoo>n#HKXbK;{XYCG+oR0U?Vj`5k7k(G#dTMR*%_K=#-kj22tNQKCQ(fgAp8k~0 za-a?&cg5Be6SwZz1~;)*foexvc$i@)Ll;nM?{Y>(7q`{%BykEM$vn6_=v?BVy^|#h zK8BebX060JK2;K_Cz@T&N}lZIN36$MSBo8H7ppFlT3G8p{(khtVawlhRNThlk+ze` z0yfz9neS&#RXJ$>o12n4BcPq0@r9Fdz-pm#;_0F~TTDlWd17`wdiC@vs+ zg>qDVjQPvnQ6p(Oa7@4Jh;(vcQd`bJE71&6T8}&JaAR6L?gSENw2JBRAHMfojto_| z@5O(U`ye&SaXis&grPA`i|qxZxpl4V?d5(^gsOEjok{7g+!b%z3M)asohBb%FV_hf zWXGyLYlFbGhYf3^F@i*MOXUIMO|gY^K}ElXeGrx_|1CQ&p_OH!j$t!+c}SiR4{ z?}jvWo7;<=CrvAl>EEMQWn&3HAuck)1amcRNrPAr4>@9>-1o^V5%-*wiLE~hb=^48 zUKQh*D?WhgTx=1zPXzl3-C>G(;O{P{zu5JKw@|fy!1vwSw7n<~IGQ9QT3$(0JSk1~ z;h5}w_7sb>M);WjAZs(vtE3(TvDcH(SlTOEj9xm&8t%KDX>yC;V=hnXWX>H~bJRC& zma)y+12VR_4pUC$MhaIo$~}3#17yG@%!qjP60H~+q4)z8 zWe#p6KPJI7C?H%5)XdxvJM)-%e)gAP$b`pSlHQ`2}$iAZl5WzTftFIT<>3a zuezxeJ?9P|-5_*Za<)p7Fnk6dCyKPMV>9nqamX63+YV7=LFjYa%hU~2Z_5=$+kG~N 
zY>t+g{Ugh4>sR~_)j-Oac-P?d>TowM42EAB&8t+5rr;3{l}+XIPONAg%d!LD`G4op zivr^QugD)KGOssa#YK82!y>6Hb@EV4aJ+snO}c_NqDRa0y9ds*r~4`=FnWSUQ&Bs= z?R64iFiH0ySuR?bjjj=`R<?6<0#!}lx1O&A75AuE$91i^R~j<1Q4iwIv<~Op$ng0=Bqzv@9A?RA3&$X<(R%G1d+jOyYG zlj}G{L&K>!XYE!?cU;z(=$Ttb1NWl#8}v@?eYZO~2OdJr5(;GJD-Q{OumsafvYQkIvm_arg=T4Kx(g4TyNZr3fk*1}= zoM`I7bIrY|W$3aAhSdmi2T12`tqm8}yvL)(18e~%5W4vJUeN1Am#h4p6jQ%KPSkz| zInRE(bK~Rq=+=r1V$r@gA;D?G-A0!6LqzdVs6Cn!Q`J|S@Gtd#GEm<_>8?eB3GualouZi8QXs5%P5PTj&P9aZ#_+*Q+S;3{kG zvq>`}cP_!sY5EFRZV`PzXsuoQp%AqZs;*4a<9>HGq5RWoVcx02%?}u|u*UqzF`@_T zy4$x_esj2m-Yd`m68^@sQtU+T?DX4y1;2+kUP}qQ)PL(XT7$&dPd5Ek{w_4y?)FaOXxEsdY%KKM4V8{s73TwFJrQ`^24?Gh2$@88CX|f+ukCFIr_^Q&BWIx!nD!utU|p19i;Isf z&hpEQH=MA+Gor+~rE31#fzNNUkCSTqX?^KkF=l|q#OSV^Nyc`y1|sL$I0xO>>-Tuf zX+!_9+9nQc_KvATlg|T>xCHEMNaCAwLmc{?{a$P`(d(O`5wKCnR#oQgu{lKHK^@gq z0j6IVHO!#B$Z_Yh&xaj9PSf&*=;rc=REz0S*7~U%MeGh*l^QIkHQAF*I=38;=~Zhy z%1e!WmIU8_(av|Y$aGz5)t4c_-eRB!{Ya2VHF+K=%Yw9DdZ8y3->OR*5!C4Xm0P-w z647XxGg5~Ct56yW?Pr5kCDKL94Pb`uATjgc?8%f#yzU$;2T8Jzei&vIcYHr{M;b2O z&imo*dN5f7tiOxrJc(rXJ7Ij{!W{E%z~x?x`bNp_d6|eoLpD&*upeTZlmV`e$H)v9mG?=E9Xf0^F!|`6O4)k$mW=AV2sBLR_4r>B#Iyaj|k+C;dUa~V6 z9T9HY0}4K+;kL(~ z84RY6y7P1Tz04S!gwL=+d<`61n|ChvuO!71P5Kml7OJ3Pj4)Uw#Sgf z7vC2pR??pkPb{ox{@B4iQw`5f_Mo@O(_7?R>V)uQh&=nSu6qR?5EdtOLH1>BeN}qf z+h6mH-Qrp&uZ~Mic0SAh1j?yaA5XuPmzgFIT>Ur<;>POCfgfV;*h^=)E-4JKK?;P~ zJ!CtD6z;t9jAz2KReP7S?JbLW7B!gQz|^`jn+eX8jG!41pzc{o)@;S{!y(yrXwZDn zpn67DLKNlSCCk$A!p2pWf>kldt|8)EoaD|XsOi4iodBhbd#)sA475=Wnkcn|wk(k(L&Yv8vtAAq=seU>U(G%{n(I7Jz zaAp88cmQ%#TQ(6#RlMI!9|4)l47Lh9c=+za1 ziWflmHJbKM>XZKy@Yb+qJg3cy)D1|aM4qWtq%kvYAf}1OErhP))e#EM8 z3L>`4()o{))GpXTyUr9A?4p9K9_# z)5E%(f#X1b6eKpb?x~y)&_+cdATj!XO8@QyU(?fnQ4rvOTb$=HyStsj`rUlwaxf~@ z9dRahhiHPc$sL%eWi@T?I;782HW55R9<9CeAm83WqXM_4xCVAd3!|UpXS{F#IcMX}8~5 zudauLpVvL?aG1}P&~Q5UZM8%F(y9eW3*s85<~ruZf>GKI63^kRoWi8(%o-$uEpSCz|y z!<;wVh*%JoY7}EYeYoEc*9YN`%k7g5Vr5j6@1=8Mdh}+4?i)RpNb&Swux0*}CxMOz z$)fTbNZ&OU5As3oS}zVwIp=EDtn$|Ab7voqJ!?|aHY}m2fSP8;Dn-QveOuXA2EhBRKWJm4x$Ej>OlOH5=)5|53d9 
zQ7xAND6cB=4B3=&>9;-(`TjuE(B0oT-%+jP;X_B8CyJCLQY9rY7WmvtYwZUs30_xo z7vI7#v3b~)<=T`oN`EbLo#+-T=)sfR#Wy;H^q!JXBxJcwQ~=>HnMsw@tT0kmot88I z`{X;RB+f-W-&-SwEPQvPwUX6yhCTlsvUe@(%+tM5Mb1GAF~-h~tE&$-ar!L~rRd4C zuL`6$Y$riGC#U6tUmd$3|FDf2WPK^{REE8gy{@~PQd62Xje1%W<`Lj-)XJQyk^2D- zb)@Inh;p;a0&LU4VuFm1Qz=={G{i^bIZb#*xSl#Mp@1d4# zp?QZp>+U&8(_yx2>Sme)o^TY3OJKJ783I;pN;!6trfPt)V&6?q76Aivwt1f@g~C*l z?Uj|MwRQkgFu*tcM@YL70zlfcOc~lG0Mtec^+yrXei|PTCT1)i139a~F6o-3n0lGp z=@k1qx=k}e;AO0#S)HMLo>T;OA8!&RNVPiOX5cZ(>U;Qi8mowwg&bRKEU(17Q<)qwDgjKMVl>o2)H!7HDqZ)Z;qhL^{@#Nc5&5AP`C2Ri<5{A5a*+I98xy~Y>Fgq!Pf}8DYL$aVhNIJK zb)=dbTg&4D@1%-JH6vw5d4HV8K?sTiE*l+{G5VbIlZt_|E9TPqo6R!x6=vcZr40i( zY=*C=qY+Olndb7Dfjv zAQ%-Rpp}b`z;c0C&-t0OX!FWdy1Q%Uj)**@Q!-f^$RK-A*xLE87){ zbg0z~E<#?;CRkml!JVFG zM(Za%sa!{24<3rx0g>D={(jCL$! ztRoV%h5{~eEC_r{N`pxDP=1Cpd%-tRiZU>@3l;(7&M&H2nmUv{d=%T-WjkuZFvPB` z4W%wk`)s%E54_d6ou^cK<$>J@qzkDqP(cwPXv+4aeBN(93lu%5k|bN^DqMrNEiv7a zmFPpypOp4khuuJ$sR%^TvsSA6ndenam>pZkOFSZN;g0Cl{EuWmu)Rm<$eP5#dmj0~ zVESoRxG$pYMb`rc7XbK{gW_c~lsD5iT}(Yl$$|J_WcWdhzavaipHRF+-xWKYwK*a( zstH+Ph4-b zTYJN%=unR0Q=Z*I(n5957pglzrhtxcVqCwC-D8Z#;eLuGuLep>~sco^p`d=8=v2SLojqt>#}8 zEvFK|tBNd50{~Y<@xbZnpL&5Nwaz~!4T#bcZqE|{{jAohD#0cz$q6*ke?J{QX*jVb zh?YSkl7J`vlBA;{r+CkQO)1#F0MaeRo1>x6j>O;A|FjqRL&#zQ?dtx4y@Bo>F8>AS zo2hfq$a`aDkO#U^Sq-$agID)s-2lz~rf7_S#&bBoXHXQO-&25zyN~P6q8ouRxQp-C zvh?DS02+qz1=l7~7n}KWqPn1xlAq4ncSY`dqRw6rLsz0I?CX@ted(*5Ds*rm!Xz=g zqQ}5Mx_gFoZ)-0!@rCbi659)TS8J{|S5-&$)ap`+n&19pyPW*nJ;F6-evH0`YYX_oOEIFYgt{CGl>dZ-nka=1$n-yC$si}P&H7+k?tuI?jR z@>?!tT7;1vWi|49kbpUZI4)xdP}V92Dl5H=IM;X)~Eu6YBBET=cJ5(1F#i1K-$^^C&f?S^!gv?n2Gc>{oT2YRzcK%gE|9nFIV z;3XhPc#KaCS8msDszxZ)dM`@y*9$z-w^If{05pWs z*$0p}C{oTv8oZ`&(3DsfM#~#o8TsNQvwAr==nbI?jvfyDFeHN#H}b-0R_P``)m7FQ zKL2a&)xZjMgA7zvN+|)5IGp|*0Jum%;m~$!={}?z1xm%n*QE{7tiv&@xAaToP&s+A z1Cp0I!2&Vn)u;4PS>;%mXGOdBsOg6SJ$=wzEm;lQhoJ&MB}bZI@-DO=f4c#-krxbo z#aSfPR+C`(THb*=;z3aVZJ4g2BX2&2y^K(PR&N!iMSjxK9)KS? 
zpH(Ed%a29aZxIKFxXA{|ry2F>5N>gyG!lk}l{lvrB9antz|8kYC@NLVieEjt<%!o@ zJi_2g=h2$Z2U3a$Plr*{61?M+{u!sAxcd!ZqenBU@$o0Yli}poiaOp*tDxag)@!QO zf|dx})o>ygyiYZ~a5w@Dz|YgxPI_*k^Z+-2|bKCC6dA_oZ89F?^zdK2F)rLjDGQR zexI;jteBjDvaU7UdkDU?_ND_V4G5|+QYhs%m*tm?jbUavIH{CjL7U6VaB?VUWG8qC zt&*!W9EIutJp<*0R_zRt9N4@MV#-V_GUHCux$9%?hwy#7mNQ%GmN!K^YWi`g38EvV zl!l^d-r2-)f*sfmkT8Mo`3wv$Uy>fXk656mjtP!^SZmg2V5ImNAkh{7h^}K-N&pYu_GRl%x>F!v?7=5OoK; z;9>7XTT!ktggD%p>8V8!d6>#WO7A5&WTdzw8mWXL#kyWADg@hc@2X$Xe|Ztcss0UmqH-{i;9! z^rupYAFTfOe#?y#{Bz@0-KH}O*)YFm0>JTdfc}N!#kl>4q2cBuV~ zU}v3a)*(mQqC_DYT1F!D9$>n$B}Yw%2T5l&UOO}t<4Kym+@XPn+ngE}x31uz^!?)L z5H56yyUM$U`a<>`9;Wd^ukEnEc&qe2cxUK$r2ksnEyaJ@HMC|*OAs$yUvZuqkTZ1I zy87w=xdREIPMEz|iMO^r91O{pO65Xy(S-KN$!^V67os;s>S8-tdCR|Xp=+g=VfMuK z_!dcaM1H6OIutzwxV#xO0tANP_yeT2i#xplD?K? ze1^TLT0oD!N`gzN>7DNTjFqaBu~w8^^Lcm=HrGE9zHw}~KMRU_F3?w#6t}UuJj)Mp8C+B?`*f0^FXto=uFbLKVFY9z-{(j`Qx*`2T~+~L2o4o-X~?tKEykf zWUn7CALSKmg-Fwiuo8akHPC+*nxrqRp_?}qlajEz)7n#1d!Q-j;ioT$vcPlm8PTK) z2TF0EP^vRGVb~az939&r#>qjU9F>~cLHHvQadQS}u_rw4etzK^C^zHQsW!!pMI?kX z$KV-k{7j>r7uEzqftO7`IfhQU^-MM9kntJ`Nk8{k*25R(<`nzg1Gv$xDEYRYvZ4eQ zmwK{jB~tn-79C|>i|VKZYvXou_dK-gqy=1O4w4Qx-_Cu4Mjtq2D?m*FaT<*%o6bb_ z&MGf=Wcbe)6nI-Ec@^+x40!CSLg#dvJp0aqwY=NdcX6m`gXMM=b>l!zlcyGo`mQui zy7LzJdnnRQ=EBpPt*O966FLNl8hE$BLdV}Xg@@F+8?pVNIR@IBo?GjV2AWm6GuA-U;?n+qr-R=+|3K|AL;_52Pl0nD mBk&B*|6^Qmf$`1x4Q7Ue60d=eE$uDf2P~~5RsPx}=)VCL8JJiA literal 0 HcmV?d00001 
diff --git a/docs/images/indexer-clustering-menu.png b/docs/images/indexer-clustering-menu.png new file mode 100644 index 0000000000000000000000000000000000000000..28b3b0061e5183ef545a180f8aae3502adeea505 GIT binary patch literal 65683 zcma&N1z40@*9L51BPt-$N;lFWLkQBH(n>cXJ=9T@Mv(51Zs}%Jx?_N$k!Bb|7zUVu z8UAPVob#UZe&6^1|8*G`!}ILDSL}POb+0v{>Z)>tHz{sjxNw0`L0(4l!iB5p7cN}V zynYGzq-`W64EXP&tESwu3*|#paNvh4)>0}`7cNvr-8y?k0Q`L8wYLsUmIO$7v_+t(-r|#=AvrJtpz4Guz_{A&t-kRUL989Kv|B(g5 zlbE-GZjui!QKtqn+`WeAOfbhu?AWJ2B^oyI$*gZ3*7w;#=;`e=!CH4WEXz<1A16C! ze7Iknz|Qk6^%MT_2b7zMPR^{Xu>SX_OsC*~K9w-xQ}yph;x}n=NK^EQvvK2Lv5szc zXXx6Y6|-;Ce?7K_2|hp5!_`Nfr)HvQ1GxGPsqZl-Ku@Fm_v!Wh4gSZ|z-g#4ir zqn~W4|DdWu=-PjFnKasT4%iI9G}EF_TdcfGm=E>NCl^mE5=|g4QA3)Q;qOXAE%p7l zPQk8O3qMg#n3dE;=jgS96701MKWrrNF`++wzu}*nnP9}uN1b6!(XFOvJ;MO{iDmAy z7{WH1v4CTVfD_0WQ9z2fcQQ*BhrNxyu0(&^!ocCMKRPF1F96M~Ulot(hxq_Yx*c@H zs#&6U;d^J{nWxtvST$VN`GJHLnhTx?JKq|cS0d;6Ys<-&O=))VG!bwS4z@tn%;^@CQ4NFbHbq#Z2Rtq3MlNVc6F^3zF!~XMbOMR8kldnYmk0d+82aruTWZ*LH5_!{yM12fDJpY#MpeUe?sP+q#>-`=Nn+rj zh^2?OtY+mCNXTI(hEc1Q`y~amsXomK>kF?q`wmfdY;L~O=DoCRN+s@nw6C{Fg~@zRy@zHVrnb=_^Bj8bjL*grB&0^~L@RlOE0Vf7!nx&~C-m|0@co>mK ztlIi~c{7^nQ~mFYUHWkoay|{g?x#v5pgm~~T;Qe|gNwDt0ShOiH9I7oe!|E8b3-nM zNjr)Hs8eZChx2Ip(@VSZvx~OYDR?76u$$Ie!@ERBEk~I_CXs{f%)`4NeBapa){xuyQ{cqL>MVQY5l42v0yleZ#=20Xx?IM|=>Ud2ZiLdVLz> z{prP1*!l6EMXxq;1wjZpm^$5qaCfV;nFxC_t7Z5ubtd*y>!sq2lHW$teBC5qMdmQU ziUfM}{R8c%Y;>L#v5CnRqDZap`uH$#@6QM6&+EqL>8n>4`ln9qO;0x~aHAFX9!*=1 zmn=d2e+WtVcRTm=#D37*LX2J}7qpen5Ka?Vj&j5a8{d0mx%oB%tPT<=hK+39tt^V* z5DS8uH$c<+UrQm(vqRPA-#05kGo4dAl41T=5&C!{d1c zkpOz1cPBe0+U@Q04Ytv!RH-IO@U8wdkD+>}Dvs{i{O(e|oR*l8ypD|86p3k4wky|C z$t1bk%@q_9{(VF-UyqGVI)c>t>A2D4J(n*7kChZTLWMQUeAguhUh!sfW0xd5RzFQ9 zy%Tmnq@~`{9(jLhD5hMaM1XuuU@&gNO`VFB@A1pH?VV_20b`dtTGxiy6kS_g9#hP!hRpsz%21ZtQtK zTjcZpvs5*WVR!%reU1YB#5f^Ne1Gq}Jsx&ulAtUg(Ux&mdzjq(dY29zx`w7%UJ)iIem(^+wrj6PiY~x_$h78!pwDM;OcH$8m?1cKDly!eBRZM!dP6m!rH@ z^1!!o8|fgJ9I~Y$!sfN#%dOVb|Xq;BsJ8rmafuucO=I(`to*G^fRCrVIkf;9J9QjsInxX#ut3D?6 
z4GWfpqI(3R@7J3$En;07zv*T$&B<#iOJlNSK~H!N22qDpu1q1Rc9-VEtn1!+@F=q6 zkGo*WN^oM;J0k%UU=(mo>yA&7E06uh&qR#ySM+Mqm)&9d_D^iXOxK1Uzt53LHdFmH zlw?M2jzkwIBvJ6^{&B%29W@@t7R~+l@ zk8|}BLOYjAf^y97P*KOe+B-)%C&(&i=%v3Bupm=N>A1NOFXp2oZBh`|x6YRtwtT4l zh|5M7Dm5xn@a|E0Vy;q=l5%NLOsI(KiD;9sbBJnTXe;~%16P@HUdrKA(c|QJcbS1` zb8EArhoAJ063Q)P-d;+fr@qrIZ?eG_FRDE8O-ZDvqPujt!A-q|*O~xoPy^ybgQtUE z=Pfq9S!0&Ke&9&96VHUjcIGP!dlrozeGljU`QEks>U2@t((nf_Yb{fCi&ijLH3qq|z!m7$~ol7m-M z9~6frnBOCdwE9FeVjekCZluwSiAh5rBSYb}_kC&IkOX15!Ih4K6bom z9?R3AC{U0oeXbhq@h}{6IAHxbTa{odi+G%4h)=r1VvIn&=|qIZc$0sA8-^8wTrz@t_6McP zlh&&W2{hWnaL=|cI6VoRbM>m}X>um^kZiL493Fw*M~whMvu*JQs>^dLZ^&3aVXilp zxd4Hvo#|(<6i@S6`X05Mib|>7gas@u@{1FdsJzp}1}@^5lU;-HW{Wxy2VLbN6ktR%Pc>1oNhs{t35vY?8f0#-FU2{JXmB~7u&>O_1!n=Ay2i6-`&pDy=jmTQuctGRS`q97S>f^Z17t?CTh3t9`-mUwq4Lj=^ilzs{pE%n=RyUKg^9<+^3vowjje|xNWMZ6_xm=O`0tEu&W&D z9rY`f;h3qs+lneeO>{X?gT=@xQgXt?Iy$D|h3jTyip%Bu+q;?D@(J&CU>&c7tyuBy`q206-p>)f`F-UFjc}8t^9u*~3pghW zfrG607Okp3>$~MIXtNG)?IWKCpQudlvx$1tw4q7&!s#e-F@T#>G7l0=d95vP-~M(L z5#2DUa;6VmwBa|_o3nHrq3cLBaffe*pQ9thtYaR#i9^N4KD- z!}jBX{#6&7O1q|%!1;cEk-lgL!u$@+;#`0HID;(YR_(Q~3s zoi1>LIiFnatYOUb&q!?5Iz)x!WM<3JXswO$%BdNQpS&nP!Uc9&J5P@b?dIvG#93La zYM`SM0^~h1{GkaHH>XORzr{W;Y!Us`^XR7bFuTjReO8SLIosNzA5dG4yho*FrHOkd zw!~QLj(2eVS)uGD_uL+>5 za+HvJ*)J+Y&ztI*bFP&xpOqx3u=Nrnd}B5SqI#71iF*;d)v<#76?ETrXp*;T+byw*bB39`^cwITB z0CH$wb(9dWd*17zfc$~*TdtR2eX5ow=KTg6ByoLXx9ywrW_#mL3?=g+A4O3`@b~`9 zb~UUUPFnyYkrSXSo7ts8n`1wTM>4+@9eiEq#x{(2Ol~bN{-|uVR6%LCl|xKG(6&UF zm!BE!OksLdFnB_Jn~#!&)(uJn3kWpwccr#~ef^yB>2xaA&mJ-ereme7Mxb zGtEg~gXJ{-%quZVb_!)f0jI<#KRd3aF}mMRy$|AN-cU+;1(y<_6;E|Z81piiIrz4y zV4i!^U^aK5MRYd%3I)nM>xpgp0MkRfiJ=_M7n%$0ur2gby(kJQAC_~Htn5>qd*=}!-^(js!SJF`;+We}_^5A6xm{vyNlY_SIzQxypb`#(hi z6+liuK^D)D4HmegU|d1zSaB6@YZ2o!NZUh*6@sAi6hTGS`nseRrp|Z%!^xF4jx1t( z7Uk-YV1s})GTd6g>F6*{?;IC(9rc#_ugQ& zf4{|1a{NCZN%U69)bTyInmn_GX<+I^#J(CU!O!2U3bp# z-RL=1C86v}n$hrbhkk3zu&j;s1O535X>^gb{csY6*8lj`Kuhe5cimA$5&H){A?j^} 
zzV6d$7~k)`2Dk@hGs-~bb_z=qD%Sw!c0%Ha?79~E%6LW|v$Bcn(Y>KY(*_B}6CkZ?E! z778*IG2wp#e1=Kwp_RkQ^sPe|2ba@Dv~E_Ehd$kH$O%dL*P5Zqt+W{+&mYb7XW>0n zr6QBWr>1GkLYuAL2h?HJ>j{>FZ%>H5*XQ?d0gTs4w?sm%UJIwS;?jg)^iw95I*Aa# zE9{sT3Oi@}@n_6;jxOpp?yFv;7I8Zp50qPI+{ojbHHllO1V1z4<)TWgXeb2K*!1dg&qAwd$wkkz zgSq$*=}VY97+1c#pu@uLfSqss3_ci0=94&EB0}f%W~$=;c<|Ip2C$KOk~eMcl+fE> zCp`t@tq2$LpE)Uupglk7-WW<>S$uZf;lz1F3PjKAc-T$f{9mKuCJ-37WH zLJ3Z!(d((sZP=sPv(Z(x4GxJg!~gQWL&^i7K5h89;IlUkLm1=zE=lAMiMX7coC4MK z zTqZ4ExHIqF2ipi#Io>4)sJ_zn!At|NW%UccmPTK;1KI#qCH-8GnED4z%Ui?N&H3zq zX>A)ZA^m$7yc4C5S|*y3b1k5R91|+!vTirCsEcv_z9-6%SEdy-zpkRIq>yjxyq0w5 zJPPI1g1R%!UO$hGbV#&xS5GwdUkiMiiJOEDSFbuX`km(Z9N913`w}|!{M+qPkSObd z$*((yee2f>?!k*OaPcg=w7P=qsINZ5Uwqb5pL!fPLoWr?%%1V4)z3;JiU-cz`0Jg7 z``TuL$C!ua>lbk9lanyRYA5>Oj#k~$PWa{Arm(iYbGN&IH1Fyy)SVz)^neH z;it_Zs}gUe(9Ym60#*IucJ_-mMXP5)RjoVE{r=CzL|9+dmqGlAQ{ffXJ+N>U2KLv$ z+3xi>_KOR%uI#1QL%cdCGWDDRTNAQzr{bd04BYRBKmOBctrDhSCBc6?AO!}z-`kCX zIU7_v<>W@Kbro2q`hmQ?SLug*K?1MH_5lym4ITsd{_18}eahs<>w;!gn-?vuzhD=0 z`4o(b#-n=jUZV_kVf$ zAS_l|Z>ws4>?C(JCvveyXIcQ}uVIyWuz!-_3lag(gpbh_6q)PMH?{KbBHF1vBDPu9R}F<}<}fqLkJRCFZ|^ zh{Tr)J)*yX?+B#`xJ_}$pCNSdKflZh@N2a%$1bN3;qo1e@sQQZcM^ZOf2*`<2azu3 z4nFxQUo@pdGWf3Adbp_G%;(OlO_177^D*vP?n*@_i-$5{dNRDu?y|88qI9bzzPPYZ zkP0pxB{rnPQWpt;2&*}OVkw@cd)tjjX0=vhhXIl9#fO}9Km=jJA^;RtE1YdxXg!vQ zj(ljQr@?^S6}H#p*?kaiZ%QKqJ{O`j22T`cr>n6L zjYn&r&3z-&D{uRFNv5?=zDmJxqSQE`y{vvQC+U($x)@5ZVl-5p`SFel-=Xv{+f~t5 zOqGc@GC`ghz9}*;GWlc*6-?}$hI~eD2bE2qd2^rld>>gCYZ}g{!Dmp4_D;U7z~Rwb zi|23h0e!KDS$%6c0rPCG>G=j-mZ4I$2>aYy7*gR0h&Hh%ucNKp<(ph=1_)8$-U48c z@=HK#TMZS*t8JH+DhxW=D}6yEQJos}K5J{Aa#kT=q%QuDb!?V9_X=eb`uZkd#&&4j zDM^KKz-1|tD;7?zSQ<>6#kX9AWZ@Ljc`nmNT~*q6hUsyxd^vHi`KHE037C={e?8MtsE-hyCg0`Wr_qM>9#}$oE`<}YX{$H8OHT2R$=SVZ zPN{A1?vL;{CachUbMAY0E@2#wP$`ay916-r%Jdnh>>m7S;sl~MJM&?^a6{PrbNk5sRtq zAI$(NCx_EaaZ4_k3d=_;IB~kSK6v7Dyq&P@K}t+mb&hHj z9mpA3EN8ae01|pt2$M0?$P`?Yh)hRZc*}KicKdV5b;%B9&QZ_Da+8au=p~+D*##ouV+ zD0rE1fb^C=C7&@q-^>#bYFp?w2!Je1S8uF-->g?zYqSu&+xw-Rg+4H@7eINZ@&5A9 
z(&!)yi~aYAnpZ24fzazdcZ77 zQT)e5-sL2bFYjw^ji>c?6KI~>wgSM}_PMHUVHBo1cRJWz=RjHdt_?ePYx=M_e@MJS z?yJ4nh4>~0Oj4NdB1wWU)*MO4C?T3-b3P-|gDnP|A<2Z6l6`v`>)~`*DM0)N zT_ky1ba8qj?!)mx$8h5pMIFh~U3t2toVJGG`AJa6t9_fqEcTdW0;X{FvJ?@YBPxO|kvLJU zz9%5Zu=V8kwc|#ar2Ls-u?4Cn@q#&jAd8UE)EYrE32dD51##2X)4jn8!?{cfvduEc zY$HRf#VFOAh}cUc;@wr zh8B*Eobh`lX1uOm>%*^u>67z7U*SgF;&WmSz9xOglqO4sUt-( zP(je)BLQoRwp@jGo2LGQGog!vKjKxAgCgX`F`?ZJ%G@y~Di2;5Sx!Fo=DlyZtw~%a z-3jiA%X=7K`931~;&0fYG~L_k;xkRw%zSRSd9Yd?tG;!TyL%s7`07DHA#(h&=B#8{ z5(7HgH*?&AW9_6vXtO9bN<}OwUnM`6_i=?{aO_}iqd5Dckh-@9thyJ2St;$ul1p~* zfio+4?A_EAGhQA>M>@xMg0pD~f}zzpEGqeWB2P)_96LpbqT<^(7+xDS-Q`i((kc?K zegp*C!yAB#1Rdwwmbzv?wt3L?4~MI^`K<>T?#{i2I_kG+0@36ew~$!#muGSBS0bI+ z>5B$8C^Bmp0~44bbr-=kY;34)6EU_trtI|yihS}$ugFQjxK@-t&Oj*f^AJ|~EKCOt z&(({K&)3P$i|4w^snpm753?M6)cMX`UZOLI2ioyh&?v)Y(L)EMi8Gs9MA2UuMxrg& z0qtnoaSF^T)1^zpeaG2cb8@$Ps|0(3pH+pC@G9 z6IZk%YS38hyD`RM+U%`lkTpC-$4FX08#K?iFKG%_KCD!yCV4_U{YfKB$~I3$>ME=5 z+ij)w=!`tg@w)1^gZOo0beCyB<<@a+#Yg(pbMrMi1a#Hg|pClLcrdbmCxI#rr@8E&0 z5~BbwT>b&+4HCI}yBMb~$x1ywjdPZ{JO`#X`*BjDVKsmJp^{!BDG*lu?g_u4i06!9 zaZOfaMfbEWps#i#P>ku6fw=?Gc(JJq_Vg?kOa3MgK zsh+>e=F5L&1!_@W{I;w5SG>8Ri5ZBQ&k|qT)v#}+(vm*~P^~s*Gwp4dA14)^u+Nc^ z*lT7DXy3idRy4ZlafG=HmT(KOgYjYFQH=ZTx8RoGs>dxQ+3X& z%Tv5Ha{`Xe;Ex=`DJRf;h;b}`<54a%6Mr?{o7sgI%6w3z^R|#1#EDlXU{!@!$4NF&(DY9BkVd5=;J~Jp6+)!{5PIveX+`}Ay!Hb>DfpNTpOtBBBUGOM zs+Irv75TRj?l;m+fWrVB5fEWSy4n`Bf0dKBwZFp*f6rRx6*pAWqlSER&vA*zVzm`h zyVOa7cBr@Nv1848(?Dh#WoGKk_S+-amJsl701W%<)vl zU+?_#BFjJNI9UO|Ru#i@w|13!YQG(sgiNw@-_rrY`h`XS#j1Ss{v;oM-HN}K(oiwo z+q7pEob#F`JKs#$+Wa(sijM&QAywiNe)E%ul)s|}vydZnQewW!@wGo=@aQip=f78U zhEDEKI+c!Wyhb(t;4o!%AAwOqUc3Ap34J?HZptrpx=>9FNFrhJU2bpEw_+l$J@K`)DA@%%VO_B>TIILCU3bLL5n1#$sc zxWA72#TT>FN$ZcKr=mBpIc7NpKS&5^L^T`+ZWw(87AB)~Oa|v|hAMq!AS<8#maS0Q z>n`2Clipx!oRcoswOKv2dF6mMoKWlOztyUC0`{Cgk9J$#++QCQQ9nNcms};{n)S$< zvJpG4MfSX?9Mu5BV6y>dhcSab;gKS*ww&h2*`HfuOS!&@DyW^DdmG8G{M6-$RAy|@zo3dYF z#2Y&e`rKtF@ASk zMlbBeM&vq6`E{g59c?<0ZrgfMQq^o`{)?~#m<(t9?Z$M&0!R5aEW$Z##4H%D*-h77E`mvO 
z^j|Jq3^?PrOqRI+K=uVCYhK3nZ{KfptCvy$)K5>65%XX!=#ZRPi@lSsls!mGHX8QW zBA+Ogf*+K2_(Y`qX9UxSpb&qX@<2z|`(uHT7!r&|aEFVqhCZ0$28;Tm&)GvdqBib7 zNIGv2^>h@O&rk_;Q*Oi#)+oRmZ;mayIY&^=-+T~YE6!z_V(opmdznYzD=@$uuhL%C z^oxbWhY36!`mG@dR(h))lqiP1_t{vPAjqDn?*dOPENt|0;MdOX#T-1<)ZDxLo%pf3 z#QmHS2m2MRyok=YnFa>idN+B$8Ol_iFuN|U837%&O_;UU?yGg>=BcDVkgU~7v69Lv zR~SUPY{s^X2y9)Ngt{2j>)(Mz8F~(CCK^?c5kv0QWUfloI?!f7_l;GyFLZ_eBml8N zeyv4?fHw||OfQ}kGJT5)b$-?Vh}P*jdq8fDBfHxBM}8w5(&95!4;C+62M*t`890m} zfFHheS>XfD{pxET%3}G+<#lCERV_aLS0QHfJg|JP`=7}D^OP&H_3sEwQwqw4923a4%|vvNq4M}b zV$f)spQD8GcQYx;za0oRZU;MjEK0hH=?AC;e({BevY|9w^bZ}*4kTCG`*Xy_ntwih zgpwPpYw0_)TMK*38 ze(4$|@>N}viHp9-`*o$Sl^p_h?&X)la?Sx~Qj&D0_&^gPa8rpKJosqZWBYUL zYeTa~GIzT(XzuXk-XKtxrXfx*3DB3=w)0$WABOXytA8|A? z0sLg9pv@ggMNNawIGlugR<)996!?O87QAXW zeKwV&t(_}*q-?8_SrgtesXHit^&Mjn(BfCLd3Yy1+D}XLrn)J3`ywIqPAF6bW0dIo zlg}nY)`!JOB2wX&0rg8o14-xDNxkT?c850Eonalyt4!OlG1Z4Dm0^)LSd`d{lJ__B z?f$ompbNHL-E3X--IfU0K`1j#&^piKb~a3U!ZwTnRto&?n>4fLij@JsM9qZM)w9zA z6rC@~JZrse0T+Af?6nlcp3y?r?I5U_8kpr{*V2Ddf%a8zm6L>%9&c{v{>c%Wp?H`eXnbzqRr#k@TT8d z!qa2W@%%c`g8#;cc0*t$M&f2wE0XbdpJjXw=5yS=_dv_%9J`?=5dc*ZGDeN-=nqEx z8wZQw2*M~|wXSJEycF-()Ufn`qnBqu1|;z?w#aiYQ(_WVa(D#nqp1I@)naw05Rd@J zyb)d`Z~{M-@LSp;a}x1Yk`qr({TILj3p>s<`L#zPe~QdWEMN+FQB}T0ZOHGh^nEIZ zpc@~w@L61v2ww9=w+h0F7>&;0or%LOE$E(gOEr%Et%5uUii8QmeDM^V=#D1{~y7F#Tz$bOEUCPgD?nsH);_J zKSft!R|_P(cUoaiAYa5mL4q|Qv(CQ|Ve^J*lnQ)Wx_vN}dbFe>J*#~z7^O~W>U`X0 zJ&pQG?^AU~^(&DYxQIGNJ!6NozUkhlcFqW>o}Ldh-=jVaAUcO+dSm$XO9cD!c}R_2 zcgUO@{hk^GVDlaHuGL!2cX4PHvzOz<_!@EfgZkn!5=B+5#uGp*FWC~K`@2B~bv}F# z3@nT>+j$QjXi}Q01wA6r_y71S`(FP;`~a0ZynDKht(Xru3+@hQ4T#QJk%NdIxZ73f z<^h`);rod|lLc4T40#JE{QO(Gnkmqzs80D95}sn20vtk?$rY=TS}*bQA+q;K@vxoY z8tp=0(vz*R_l!eP?|^nxO5fwdP+`)}EqHOUI^-_-D$ONKyxkJdU>*RwuecNzDEl* zKM%_aGUcvdPKvK;&H}BlIB^R(qGF=J3VnVxKTzN5g|RI_&)HHpmiel;E$6OzikDpu z4dhI>7)P=>YgDgo%6HMfFSZqbkkTR9QAQ(D`c}Bh?D^j^6hDiPS3H)wq=f|yYhhc>Tu@90m9vQ}N{+#lvbQXVk=_Zh;Yd_(Bf|*MT 
zJ_;6rFuyVZdY$JO@YvoqHocSlm`*}kEg1b1qL*-dl4@gfzrDu?9V-+<=h{co!pw5)x5aoT*Zs!*osE}>EFq`hu`1>SKlG18q73mDREmMs zWW!dLMOC)S&k+@iZh9-d0@FH*Ro>4Jtr~kGWX^yD{M`u zhppFyi6qk8x@gUMVC#qNAZJO)`8Adk@X}N*Ser+ zX!YE0E#&}Q*w%KiV_5gDE8%Lo0^r2~N-KetRST=HdgMZz(;OC2Agp z+~(!ok|4#Z=W7&dYw|G@n`t>hUG6o1_DzMxt#s+Jf)p$SG)BEa{IfJ`n!i2~&6H1R`9@KZ+ea=HKhS1yoh-qSN6 zYWHy9tI2gAe_sAvtI?pxGGCBA4=;i`qyr)z=G^UozPp0Y^D^2^9;;;*t7URUTnY+d zy~l0~{-E1tQsVxd;$>q@_TyVj;z~nSr97l8BcI3Y#!W8et~=Bjc=41x{FFQrwZQRp z#I}7b=VjK5w0-~4W(CL4mAmrANyeqC>vvMEO)!%zAosk^2zg~meJZjiqB$KVHUicL zooS&tZJxi~CUfSrh|;8CX#_6aDaCNM$?YFUT7ZYpF>B}u074e3E`%wW@rKY7T*K6D zZjRcT9*d|Ug*=lNY&XX#wZfPW#xAk;9X9H9mR)@gZwSd?bt)%{;w_0%IqLEqOA&r> zNdn;D;2hT68LhiN+@}LJW;auuO_AHZ*5O^85B;r^s!Cr`@?6Z<;1|rl_2nxbuxb+4 zT0)L5IcJ)U<#Sh7kj)&=d6L&3egb*K`^)HME~Fn5Eq&fagC&E+E>;8*?gjez?@rW< zyGHz>XSO>Pde3vODX-uSaJdp^nAK%tm^xZyTL9{SgfFe-s?1&FtGJ#DN(z(cDfU%T zVi_ueL*Is_q$fPoA@Iiy76vaLbAHi9y#E8NOJZ3nTlV5nD2Z0Z2RX^$E2Ysdm?Ihh zT7Y22q4wt(X~<{Ch_T{Vl5L0BXN;&-ok!degII4$($!Mw(eE8UiP3tMg4DgM%&$8){E};YQMlgVTgJkN*3y80Oin;+M zDzi|@4~z+=*vc`yDg3oi4e7w9x>2Mu0e$6TswSQzKA=R*P7kDGi3^`^TdUf>cjxfn~7;tJG4jz>1^i*_%=o|c)XBWF}uHUA8 zaB;LnqBMBD3l@my6m)x7k{4z#d!j7vx>SGq^nkd4APg=sNBFotPlOf~E_j=je#+v` zl~EBwPYh3M#s|wTQj6*LSBcVXYE`eZg!HTA&9U&}nI4*{&N0haGlHzOzLf0jNlyB{ zgm=2PxCuW$?kHyJ(X|>ch-)()Q)H4pzmi-nOT4C4m7LfnkP>y>fV7*X!)0uFWK1M( zDEU##GnRDM;cv8k{)Z^>+GDNy$hpa_#Mg4e9~XSK7Z&HwoApbSr}>#C0PH*0T}egd zo}{$&Q$Vio12a8=kwi=E@RNwgqg zpzdB`4euR^bW;9fB3nX&Jm<)fx>r?d2$Cflki8Xsq1K@+Ln3)^;KBkSRA!mu>XVuNe z>121Dr#;|^qhj-|Yyf}e!d$z{H{7mwF}HnY-<^W`xbyBe+|8}W&~fSxhe`4Du5Sd% z3vL)rTpP?OpmpbOeTGbVkH;1>0yF)Ul1=RaUaMHfVjV^OhrV|S%^jtYl9lCj@^TC| zwY;fh7A40@2IRqNU+k)^7iWfz;?`$Lx>n_@=! 
z`m;#SRP9iDE*y^lrEA0wpmvQ}3vPSUpPmQ#!ehD>RMB159Pz{?ereM9D(&WD`b)bL z?NkcRD=QjBafe+Q!ki&q8Y{QHlkmAs5yF+Pk70WFSmxP2zS}HwQ_Nq^wdc*75X}~z zykMipp)|>s3U-LCvLV>kl$ITzc~JJiZF~fCG^V}(REKlKx1=24jxEkipgF`2Cc!^0cL1m?n!6V zWLT0N1s*v+gnBln`x6WgwrpAHT2_ zK7Rd?>MgoSbE(5vgC~9VkI3)ZwuZq)P)yoir4SM@I=Y8qREi($`d_8eiTkx&2O0yg(j+P!F>-BK9 zfo}u!M<}KVpwjfRT`e5PDIKqC04y7mrI_~?^CR+lj3iYQYVaYLW#|1UdHIxlmTfZ$RU5(Wbe2wEipUfyDV87R@>!5ZGE5agp-(ZdTgY8H(E9q>P z+edQle(&shD|^w8f6j>Nm>&*^_?c0|&CC3Ha4Q9P`i;Cte0;I_pR@_S*pZ;Yt&sah znXm({Tk3=_M(1VE6}ScS6-w&nH=#-TV}?ro&hN#${~nM1BjprK7667r*BAXxn@zp< z*)tbT;SPHo|1l*cmbrB*iK%SHBS+2LO2L_v6LJrO*Tx>3HTID=l}OvFZ`3e1a$cSzIGBYxz|pM z`vUY2?O1`j*zNyIj`exiDLV7q8|a)&XaY0@To9uMuH;c!=6+Tb_Su#|P-8ZZ_fc~iX>oiy|M zXnC4Fvqke(Df1yd(Jo5GwF4#}XEk*`9B2gEa|NPef+pL1R^l&JRPFC+MuicYi>grj z0z+1n05c4ATzy1BNt$Jcub1-`97AMh4z`$d(v zv(5a->q_Uz5$}79KaeM9)dz{W7{sbD}Obl@@IRbSOnQ5C)UmF z0>y)yacGotdO(T1PCSr;CKZ_=ckII)p#i^UAvX~!{nE(~Zs|I3e|`@f+tXP_>+&`t zS@9LV8_kKgYHBgs=9k_K3~=+ep~U$2fV9WaZ~Y;gAcfi#P-RN;pr2C)0Y$bdllYlD zQE+!xZ#1)RhGZ%n>K(^PGnL1DCDUic(WIN(h~r3rsT!!$P=G{FEF>Sruj;^jWbo3Gwhika2g*xs|zv7hd+ zJ2v1Q{C_BW>#(S|uxt28DoRNSDBUR?l2X#$5|Tp*A|*ozsDPAocMOcg&`2w#Al(Rp zGy?(>1A@f6M~|L!p7;5#_xk=eetY)b_ulut?zPtb({}u9cX;^DbZ!2mH^QP}b!L(- z*jVbC?VS#fmvbg20gMM?fODQpZ~}cSb2mTARm2oD7`1oLe}I&@7f-t~LzI#;>MS|y zV}4-Bo|c}P;qrKHZ(wlQ;LXu64g%E|{2R*rc#=C3{EBh>cI`&Q0wPxZT9QhvjzBSu zG(DpW&05rhD2CVZ3J;)6foV!ALj+@qI`;3*5aSTk0)=F%`v*vA1EHqN%}HtkAlCeWZln(Ms<{Ca zm{MM~hU=TOZ4T|YDndFl%6c}yFMs>-wPw(T(DuR4+lcezr8IiK6smF_lY zU6b7a|1@pagdeSVd0m4JX36a*E765b$>mZNjZ;~~d#Ltj@ra{o|LpPAz9B|mHN=!K zjHIGit5Vws>Qsj&LX?EAzMUK`S0Krbf1&>jS674y^@CLA6aDe(E5U8o(<<3YzFo2T zvDjQ(JR7>I7ggOoF!NnzwDcr?{!l3g zwF)*F+5zh))u6Ex+<`1hfjRg3FZ&Z5fg=y;{suiw?r(_PsRN3>_mWxLy&~8D_rS#0 zH$j(PQeTukKZ>^MUfT!f=3P~alfM`dyDPQ{?18s!Wo-BEV~88Sv3tL`%=Z=yzlRNH z1DT2eOf3dAFq%HZOqv_tCM{CdPy01e!Wuh|VdKAIUCrsk6mAgQ+BEh_%H|-(-usT; zaz9BqAl*|-j=3cA!+sH*#z{2OS1XmPrX+Q@?|9Lg@%32Eq!{O;jGgte=F-ZLqUcBl zdNsDR!LH7k{B*-Vb2#IGt2W5M#ywj 
zkW~97{OpO}P~_*RHV0z^IC}N)4;;`(c@^XQ10`2*H+0w^`I8g(&5dEQurxhNdPPD- za*(7uVOlM83w^5#zG^kcrId8nc%@z_tnwW#V%Y%{nU6GDRa~5)|C-{G<2uoFypkTV zrP6+oQqX2Q=z({~78Z&o){l2gQahh+xcJc-ew7ZOBBKWX8u8B&CL^u3i@r^^RM0h5 zyv^&bI=}nMK;lR6T{}fBxnFL3wGEMclY4Y^8<^ zKYt7b$Bi6o2mt#&Z`d0;)nPfuef==w3P;P;;a+)^5RXLh`t*mcMigBns%80H$%v;%|C#-JjN^cfkP#bBW3;0_5`GY&cBZ->kKKma<=DokR+G|Qh zT%JmJ$NhQt^;2aSZ*eQ)XllD<@_rMLdEaSk-D-6s?^EmwT??LZcYCm4HX+ED{`rb(DkGN z%HZ!)oB8Q=vpp<$tg%q>WmM&7-|1z2xo;*X$Me7YS-%NADbdyzg9ogLmZP))K0BI3 zG4B#WQrO%rgc_2)`AL;4s=6d10nSc#go!$q-I{ zd3EYi`qhZg59{%D&5op!?~BT_?i^en{gNov<2qaOB2Xgnn$qo^pRIcL-&`@uQMbcW zOSG|*YryfUl`r`RtDi}BQG}GJgT_5`unJ`U!i z+v$Bbe{$r0W+fQ_$E)`^(g8q^G2K(ZNq{6~^Q67@mmDRo;o{u8Vjw9TVP`q`f_}YT zF$xZNYkn)AidxTr_);^=96HY7zb)iBtM%Qx449@tG`jPBEatsv`Gkmz=}zxRUjJb3 z_3+cUl?_>=Q%h2@M2`wtBu6#}3bn4{zi|hpb;Iu- z;fjKJ0Bvdo0qSz@;?JP~%8?4l1z)}SIhu=34`b zRb<7I`9gCw=&Oid(Eoo85{(ocJY9)5B%iTW6URNP<254#HXnKulOPb%Oq_GSeK`=E z2SWy3%#&M$(liEUC4TGMKWGc+YCuG;QOzf?_N@MZF8Q88s9UqdZT9=ScN{8|@$*6< zcV2BIASgUKU2fYQUi(U;ESU+AQm%n*W7kNb4pTp(q0}w_Y&o#I|PUjz4{+KUM^{5jp3M>zQsLT8Mw0W)oTD|*& z%=mh3ucmfcT2T);BKxzJBwm*QionlWQ3iA$azViw{`JR>D@cn|UpRSz+lU2W1~TFN zHzkAmsZ#X&sK9Y%>WIlM%%-Vjp-66Sg$X830n_JqUPUTMR>r+9iu5co_{uyq7nlY~ zhuRC;knRZ@27nt5T(C%7;&se|=GX4>IZQ)ZvLzVNnJz1{v1*~ZQJ~c@>OL+Zk`q}j zD0kTHb5&)&-JxE*1xxRGg)%e4m(uG)0+r!H8RE;HpvDbhfywo^9psEvL#^ZI^5mcq zSBc|!Gu@N_uoJ~K2#=vB4}+plJrI1ECP~%ysG#w_f|du8NN1GbCb%#t!15i`Anad& zBEXHd{D-|uR)h6gVv4DY)rwEljKg+0x=|ogzuBlNV%J>}uA}?1t9$Y0LqDWBK>O7s zN0{U9)nz)`Twz}oiqId-DK|E>IOuGAWI*)ntCV7L{r8s-9zz2ddj8%CsWukn zMK-=^{Nw4|~? 
zG~`wiVJ^PL^G~G)AOn~*a;z#tGVLWeDR9u~xS_wKONHl5v*Wifc`pgK3+p$DMCNAm zbk*EVkg4p}c9@&twVhVf5+1>xWaea?F%pP4t8piGJgQ!ZwQHl*OV!P4{&%lo@qk;Z zx5pFat#l$xJPZ^ZGE$u|MQy@(^2?IAMORAHd@#u5N*cNzz`6h%Q|p9WZ8f z{xIITTUhx~gF!eZhh5!Rh03|*EZjtW+-jU@kn@;mGj(_dT2?>{yUi?~_15S0ROD&V%}Y4>)5*liLCiAVCTME}x-ZDEjIF6?R0xDZUkq z(ZkVrfW~JNT`T{+0xe^1MiRSbs97_T&1bHF=1aWUo$lvH#S+tc8OJ-cPDk;kbBp2SU9=5Ep9?cd8W#hvH!LGpUcr zHS^|`C|{-XtZhd;_ZUFVCJ9MFu7$=U^72K+S?~RzxRzUuwM!23xh7jrm1f2lT3Qk| zx)8Rc_uheZ+E2@2kf=*9$^2kM%p1UXKwp3^Nvl6_t-lGMqqb=hFU<3{wo~yWAL($F z=u=CQu5AYW6w}ca1ezxnTWzO#hRsBn4*? zqN-_;ae$4jSQrObT`GheTa;%$0OcZ2@4H1zL&RCh2(Kk z;l2RbH}_P|DHOfe>Kg<2gH1eBY?_j(tIrlaj4rQ z0znki!0kDLn^&zmQZ)VvO7iJTU5c!b?MDP5x9xCdzqR9Y6^sv-mw&J~+P_~6e zPFL0NbXzUk$y^6Au@@^Jqj_1i5 z+h={`^y(k6{y!5G%dX|@5&ZWIb%SWzx#Kl|vNpLX(BO^$G58d4tiq@Lh8&v#+#|8O zO41e00J5Z$tWhsowuzP6NR0 z#RT2{DX{N}IRxAmR;e;x1tXA`x#9}ue1I% zMi37w4YJB7`L%?)0wMF16THiH#MtM#k>}{k=WoHoxz?x2bY1nX$&YdCRUZ)1uPMuE@d}E^z&IM^M_OXfk7l+=)u`fQlYS&={<_C0M9u&~QJSy5eI!`G z<+vWt(x|B z>zo5Q*J(}nfpK2h_% zplr->r=Zn*;&l|-guxmL#p2z=%e&EK!0MGnP&kufCN3pvj}7 zX>uCBVoSxj6-DQ3jxa{=?{faGwTHSF8c7!Eeqk@QbJlQwsQj9vpWX^Kt#i3cMKlt7 z1CqR%(}#Hn(c>h)-C{D?F`Jag%cm=W+GeORcL9_$6s1$1qc+x*f{p-jmLq>z8UNHp64^rvq>m;v+jYbA( zS6J}3k0Tl%Mz0{yP8FcgpDS-TjED@@yJ=gQOpw1HBVIsj!q<^f#$mc*d$~&0TFBef z*Nqw9JiJb6j z9vNbK$*{X72-Q)gEIr*jVnuwt;_boxIiQ;|xV0H>)>+CY>7{a0=&mwG()R0j&l2cA zIl96T6q0N?f!dHlF~FA~>~|$sETSU_1#AbFU7VMzq@yuRnSz>qeOFI&YY>LCXg;j{ zjvugCNIZyVPVbV@W&g-@5l!bb$H5z$`p)QATMf`VsSi<(u*JrK1kh)xBD>4a2s#*9 z??uZEkyKi)$ z8L1N`iBeQf899?OrQ?`Z>3Ovkv9fvU%lk+Vs zfPju}By%Wf^?l+?PHH%*mhmr&L>=Y7L*L$IP8u#vD>bV5L~T}UybnH{V+Vc&F4=kJ z93(iU1#6jd*vq^S5XBoGnQv;z0R>N*DB5MW=T;NfwWz)~V|p?W^77?KEMDoEF6%xj>jvNptG0u#{V z?CLS@*dNbI(3Os@NG*LvOh{jqEGA!QmAD&_8yER-H~bHt^V2m7BwcD?5Ee)|GpOEF|2Pz45TL(&IA>e9kDlQfo=s}SLP?8*VWE@M z$09D!_!!)DAP`i}o^%Q!V6US$$Nr7sfba03)iG)CH{fitwR0?~$iPbb$)^`R8Vnu2vF0*=P9eBz~*!W9w8^^{nYAOTi;Rh;A z)h)yNB|`HX{p|^YGna9wEovyFto7nvF=1~^^zr^qX8_|7t#dK&*SkNN%6~f*Ari2# 
zSoIK>{NatfNJIatH!9digM!iEK-VVN_r39YE#|uJonQ>%R<}Y1u^-e_b{miMjsU za=~fHgH_Om`IY3OLl%)@PcgL1+J|q$d@K5lo&z-fyOa5o zc%CH(?Z(vyCiw{i@irxc`)LjDe?uwggBD1?N>amrIeGoThQS9;{@zVMf$s53z5L%D zUIM0s=g$sM%LJY=H>4!4TUAf-F+!w1(&$t*D6?vMe*K{vnTl^em^GTlRre8singQ_ z5z*scE_4B=6+ageeYO2TCIvjv^3-bYp-GoHov-Oq2O;56$VWS8gn~0S``zXA$eW^4 z4G$%1HJ$dRcW!d%sMkQ1Dk2?>oYit{I6i4?Z1drx`AXeCm&y=q7qhp&e{8Dw-T-N~ zgr`ZmK)`BwVgw)iwNKp@PHmGZK0$>6XbX`k+ho_NC)Tl!dEdev&|D>}waR>niS&v!j;=w2UYqSl@_?lw1{iG-+89|{KWSvxIh8ywVj>y|@z zI@?JqPpdprxD9h{8k+}&Bb|lD*fv-_$r80^UjuK4|8+Yp3}kz&SH{MOL6R+YQ^y#m zDs~kmb2>RI9uM{2qM7|MDgQ_jsbZQ}m+oF0hW)<=LFxYZCJl7i zjsFCPufcBb)<|D6H2tx*+y4@c6IBMa!dvR|l4;@8wuCxp%Sw)o_ zq%C9>9agdrYN!`a4&@NCZpghkAbJ>;D$bv5e2*(@XgrFx(=w=|WkgR$?l`8$@RAps)~36SUw2$R<5uAg2oj*h|&LcZ+kj7`|$I0J8%8 z79?2CpuYY(S;SY3wo24D0bnr*dV=t%=L>`VL}`!`{uMCT$MaSTSAb~GaX&iDJ0=Uss3oN} zNdF0z58+joCmeoQ1NB;5<4wm(tGk*k6qY0#_9ife zF>}{wO)F#{NnMDSh2O$YDacxt+jx$h(VBik(vCV?pH~t~*Yp>4bv=cFKotMQwnKWuqBeme+LQxAX^^m$-|dpB77A^5$pG+Xmhk=eTZwf-knx~&7ll2))98iPzq(2jG&B6ea zL*$DLm1&_AfUag-6EaZciUccCU{RyQMIvU}0rFzPP9cQ(&}&ZMenolJXo&2L%`V~g z`Mut@kBY2t=xWlZ(N4g4ypj?^JG%MHz~_&@0=It)T1%*t=I1de#e8MN&%tfyHOPvX z-I?ix__5NNOjoX;bu*6NEWfie9Ad~$`4C_3wVC+V2sUCnVLL!7;pE;nL!SsX<RCu*D6sp~gu zdh+z$EnnNzz>Sgk3iX|Cq`T8IMyFrHMP9)9|L3;&dlhUgk3ImJif-)KQ8bvh7nc`D zgUj|DnUmB`iQb)e<6hTSV{ru8CJw$2-g1HbpdjlviWrmt7fw=;0i%lHr^fEVfvV)m zM^S)tRiL;T%A{UX%y02ZqlStZMXAi){Ovo2_#}U{kh1ZK1p5x%^mLkjooe;CdE;HG zdx*z>sdvGjBkI2)F4R9(sr=b8{eCU=8bB4l-QEVCtEefNo^;ZkZ2~DI#SKY!9vT%D zheTJq=C7BEvGJcFJSaX3v#LMMBhzUdQK7h^oJLArmfP{@%Ciw0nR?{h*wVA0m#pS+ z2ca2fEAbk5--KQepi@j^swCOIKzDlq*I~Xm6+y9T#&*Bi&H|zSb9=Tt1L|C8G-&jh zQnzjEIE!4i7#t(}Pg<+3YQZb4Tf%d{nJfQBVH4D_%X90Nb8rfct=STVSrzM#Ly-U- z*wk&$U!Fv0ro^u-RyT6QtfgeJ@jt2A-{G2Nm9V`5w#qn2oGJdGuHX+3sD<`XUOT=9 zt7c)5UP3>h55s-I7ypxm{5*;jf6ZQeqi5&VQ^I=vpFih6sq62b%=$t)-!R4%&B9!0*ZOGMw<#asoIJMYjdyO{KWs@E_FuvE6bJ1d>OIbRz+QERHgWsWX$r zk4(9;kX3o1lBpxv)gvsgbc3Su1ZXxM+K+#W!m&g^xJ+OghvjYF!&<7fK;_V^Bipy@ 
z84R7&&G%~U>?UpJUR5$w+_3Yb`MUWlI)B>r{yzCrt&Kd<>BWIm5_R=>+r^5N^~57y zGkM)F%kWXPkYR^fV2{?f1>E;}4-@&8;3FIYjG~x^Pq$4J?IDK&z=B7hI;5bpl!52a zKV~57Eh%&WCh05Mhc-nNhW!;Pj1u$M(bL14VBK7B5^-e**}rEu%#+3R-HLTtZw-fz zJAr*pn8|G-^=EF@&uR-Q6@x-u%SIeism_Vj=qP)mUAcs*ykBl* zBT{$uR9!#o62_)q7%27>D2=t;Idz#58O?l%ggYr5X(%Yf5ckDF_MaR6np-^bt>)~7 z={81KZAFp3AGniY$x^by4l}7{$)9*p@V8Ij61#@OB`BuVvcE%PuL$jgtNm{yst2hC zZPVAiClJmSSxMi+*@-(l4-hm@Vtp#X9PhrpD$?W7@%0_^N$yi~{f^JIS?%%Ed1(oK zlUE@h);;dZHN>PTtLbA$eNrt>2{i09a=bBct88&1GgwqmR;>jJ2|1?F?hvx%cMC}9 z)1Xr-sAP-o;Poe{tf>z?9wJg$o0YHtu6D?n$v3eR^qe^1wvI!&JX+AzX$8}eh^i4O z-C`z$4}Yp?)J=A|&gJT>SX6g2-Dw2xYjzB~RbbsTsmt=@s0p8=#q^Z}tm;-O;?f%hPrnp5*kn*nC}-de zIYcJX?j)=>`?WAKBF?2ZFDmAMuh*#o?FV&l+b&6NGYE*g&%cYjzMCDdm(JsTO+LrP zD!Xc3@u(-n3U9EDnlalBjkP+o^CB~YKXvi@^(R$KmT^8H<`Xf40Huf9I=jr$_0yVXJ6`SLrN$h%ooi#6GT8oAk`zSrbuK5XU% zt}4r1Cg;Yvrp-Bh!;*T9Ez4_4E{Jm<2NFHQ_;`#Rs?OZ-mut#H3t-@Q(>x%De=V zjlx^!?%w*)MEAlfQ?jvekl{{coTq%`-6$4Coy;02Cvm3=%(U#1R~MhKW)tm~14l78 zyG5H|a?Mkv6sLmCnT+|f<ryGK!2v4ePFo^o>=0~r_?1kc4F zm){L{J+$Xs48!V2hO>7WrA4~zh)HuSFE!)86WHaVUA3#4ez8DyC zCad2NP$<&i3mU)yua0v;ql$?i_u;-m))0{PJH3KGW3$=iV4|(bHNsoZ=yz5ri)LWXtn1Sfe;LRmN5rT>p_HrQ<;E3B z?I?9RGN<1QSVLgpw6}Zr~3q5W*723mz$qJB+!-dps746ibnqES`eg zZ+euF_DavbRA1_zW-?@4_=`!2a(W%{+X7c}u#PUMZQTwJZ6U%jiTWCvyq=zJcfSly z6fOSfNp$m76WL27F=q+2g_>sXJ``bIs@9j1G{+NUXiDK$nMa*rs)mhT#~m11lwcds z$mh8v>wXSic2#ZQ_F3wLv`B~k$aXz}G7+a&a>m6X9mtZsU>-A*&sNti39tyA^Vdna zm--BVlmY*Dsqt$HF^=pSH>2<9PdoNM!tBdTKYWZRFA|73gblS}xGcPhH@sF8ZYJv` z-G`+o7c*BLDnfi*8ffGlIbCLblM8z`h{V15X6+$fbjjI6AMuBaY|)kLNvELtb!%Qg zRd7n4>ZtgtD#zap{(42WR3Ju3jnG&YM_K6S9G+&%K_x0n%cho0*nY#!|N~r=;v5cXe`zrxmiU6zrUw2j#DVN0>%ziehVv z1ST>j_o1^HkLtCoEp`fH^G&z2fGEAG?Va6MN1pAU6IgSE0{s+IQ2D8wzpV8JT_I4( z#N4lW00CZC2{$D?Fovm{5{Lm|Y7!rx(~eGfJSin0VT`4JnrrKR=Iu*y3A>Gt`U%w2 zPXHfkTAq)nQ-<`twSQqIwY3`czt*AgU^VFuAAjQxhRc_wy40DaVy2$*H=b=L?vqui zls3V09v0k;ypE9cx#O$dD;m7p9qcjB-oBw#Z54~~n^on!mrcHqXwYcg=W=Vw(xEUg zT^XwJISF|J9TxTrN+Ek>XJez41P#MN=H%7Xlkz`^Sijy$FA!6%cXBgTL)Gg8B~yN@ 
zem1*vh8`ofX!Rhl0N@7#r*Rnve(xWx}?>0X`GIg(fRgl}O ztWX{}HzT@zA&NKDsn?N^68Q<1%&1{lQm+GTR#Ob^=E0UJNqHdsR&4p}uEl^=lPq*t zjJ^@psMrYWKi)dp`ck(%oZ0mB+cOcTubcG#r{rC@j|)c@=g17bgu#M={#b6&7McQa zM>t@CLD}a~C)%pa4$;Ryj(b3IHo65W`^LNl0At&9Xy+^>@NQ+aRBh?iIew#S3Y+eF z-m4$`VfYQ1f{hR=6x-aL)=wR7o!+z@#@+X?fM z38&gnj9#5RXYVN4F4nyf?bm#ZjZx10s1K-^N#fi@Qsz_z9(qQzg_$a0GY}-Di8_8Z zcjTXTOS~&ftbUU?6p?Nel{gSiz&_*?A6iV=om-f2m~?kAk_LD;-+GR@7{|6}J=fho4*2fIcpq_I;7M!5rWHo+d^C@PRv zFz^@OGe@`ADcWJv3bIOb*z5;ydD8A_%aNGzW9&V6Sq0CBJw0UT9&t`&g^-#D55QS1 zlQDAW88^6x2s?W z;)@4n|0!8hKyV1+BqA!rsqTp-#ig@?S0Awtz@OpK-4fX=6E7mcW=P)$O}AtJWn#(` z-J2eohC3r0cQtJjg)LU#0_kG13iE_SVcVwVf}UVh&(C8pH9)IKR-#(dfox!UaC0(QJUy6JV^t#m&k3J2}O zh<28+YI^r2mxP0QN-|CgMV?^daNEoRQL``HO7jpTEqXWI*|v)QJ7=&|U}tXP()~x0RgUtFPRD1A!5y4V1o3lrx2lKE0^P_$ijDLfgB#@^C}9HoyZHe>cTaUh{z#%!L%<{EWAV<1o=}Zw&df7!`jH z9OF9$!=p654KcnNT|oDioJB16&?Ol_`2TVv?Ju9dIXW#TOeUW^1zJZ15l#TVp#En{ z^ze_NAX;)-TXsdP(Pev>_&Z?uzdHAW_RG-7`@d+R%eyHO@0z7~M9KtQp~PlZp!X8b zQx1A$E`NYB8wt=@0lATc8rpa~dCXka4VAt>EtdueHWiGJ z?^1q&$QlPMgvNt#&?e>j8PTZR1~CyQLc92tuZis7W2``p7^`T*OcF?zIK3myrS%Zw zN+g#FVRMMbrz;*PW1RbEM%QiLkbh-1h}!Vns)1A|%3N?cdksH#>gS2;trpJXL$^yAQ|c!dmXYqrkPV%)%F|Qt<&m|2Jd1T@;BP1YR8m6g$QY} zA1Du2))?76t_gbCwR}Yo|6Vdf#kVo0O!{X7&Xn)<1eC6M*r^aUB#ek)`@=tMrmoY=VbU25>;h@0 z67!|R2T{ZF6FTDL*c=*HpPwvvj%YKnB(WfmOGI2(WON3vjts{h#uY4pmq2=;nD}Sl z;Sj80%%#^)$(|$LH|V%VeqhO@3$dev$*M^^_kPTeOk2n0w;=2aJ1ABAIxcg)$3S3` z{jRekblRsFi0{DD8fb!~z%0!s58r*vFK2l&o!qvwhM2MjI1ZPHO7_=fhi-F|0Ppb# z$IHuCZOUXAfeomUZ9gh_#!M)|?C#o4E|ES%O^IFkx0RqgzU}|!!Kz()9iE;8Sd%6n zdfAeajMXb|yqZKAI<8qR2$O#h@d}ROQoR7c9z|`u=6qzK?_I zI;8NDfcD_^e5Z5dHT$~AQQg=~ov`!tpG%@3t{g^8$w?4H$N9{|1&goVBdZWs|HPs! 
z3wFHx7iVb4+7u(5F_hRCr;$N#Ekl%$%9(=LHQ3 zgF}Wj-d4PV`W5oO#5$ zAW|+&WfWh9;(84_6zI%cW$Uh2oj1%jb~;E=6Bs?e?>((phQsl~R&g-(AjHZ5xh#Yq z7JO|_VayWeqo^dA&6x0q6HUSfvVPZa=RMtvK?QMD9oddI(wYyb*qSA93gfOo z;+wr<>1p$C=ZOz0Di3$&*|T)Rpmr?C%4*J4#kY1hr4WUq!qq{#pPFL={WdI!HWxSY z*m`W4CsYC}o>ZZ46T>dSh2Yo9;x5 zbw@zJsCydzWeO?J7j(iaxh$A^H*R1_{ZgO3-9^K_wWKV{5G}Q#jTZQchpT2h&tK8n zp*@rl@qMXd4OSHPq63&^9_3Tik`D6sa8)bp(Ujqh@zs?giS$WqNA5zbPc5ul0*lPx>pe2 z-(cSTc=@gqHElC<>aB zk2XJ0Ger`9sna^@YlbNXy0AAiDbC7`s2r1SOT)E0-ju9m>53Evhqzg!G33iiy`amV z6HKj86?Sgc_UW`4^AT1Fck$@pd0+)+d<#l&Q*7ky)V0B2gUG@u54-{4WS027`}fEH zs^sBG)``$Ej4v?2pfs<&3)U-?i;0I>i1a;bT!taU`WPOk9&98~h)MjOfuc02!Vts1 zH!)B{Fx*OfY$Hzu!%+}&kUBtQR}nca&+*r>i&{EH%jX0efjc(hMODLWp=nQa|EkuJ zGk4%eUED8lXABdFH$NG97QA}lh!R9%d?`R)UvCSze>pm{c_2}PfYMCfeC2HTSvehw zZ9w?a8JF4Noi_LWopai@UDKxQDW_jS$PD7_GbkT{Dv|eoHKWv7TB9?%BAW5Cd>6h2 z7Fip<44R-IAc1l%HbEdPjkYR(2BK;l>wn=-1uO*=vJ4kXafS0mOZ0TWBR4E+ckJ{{ zoS|WTq0sW(T5n#~><(sl(Z+L{1l^2@f^_ikR}0W)-cCfHo>r1r-jgkN41@#X?$&J7 zdFTqVj{1Z--rM1ZSsoPU5#(rlVumuS^Q z@eoEdCPFCrgE4sIS>DYYx~6rhk>bf+W_(y(-j{xK)jrg zi_FqjZg{+OU^ zZ}>bHH9uTdQ8ArZOH+-HFFw~C6VR;$?i6;)#HmM>k1D*S1Z|v`1sGHz_v*66D&R;I z`MbIq&dFYgb#DTzpj?>kS4Q`tN2RE`P1Zcoo+xEN2P0B>}V zpWJlu^lPz3ypr->F9a&xfjy>BrD(ez_SX&da3|r1YYKoHiv6o<)oTWnTr?I%U>{{e z`WDa(UIS)|2dUhch#WH&c%7kVwdL_j(!)DMnp4;ggv9oVoi>+8tia{c1T_b)l7J22 z&^lZ3mdRgD|2UadtvJ4DE(w!a`>EIBgPLOY&jlisnhP?8*7U-*r$MK@D-J0pj|=k) z7~+{zAK7il?yswG5XnW&zYnVv)ggN?5u~13cv*%vWIXl3x<@I{j2}sUd(1z~5rtv|**j)w9ZEz{%QiO;sV+RS3$j) zxI-d01IlNxE}~W%1jq-UZOEvZIe7Jo4}cUi)WHaI^-JV9Fvj^8dsJK20z5=H$!pOd z?62jr1mm``v#T5)tejLL<85)&UoOh4d59=R(`(L!(Yf> za@sw1x@JXVWg6`=@Mr=pY)`%4utv~Q&`eX+wE79O_$ARRFht$mX~ z(c4~j^2*etNf+246_71%?d<`ll@ZGtgkCax;Ye zJgIyDP~`*Nzd~1-889qhegcdOIAX#&;&cO(H2eta)max<^C0P7!OMgkF>qEsh~^LI zD09}B6SlAF)qCAb0hIhp;ZYNkGB<+b?}i%J|KGD>>n|A$i~*oGVAB{7elH z_I`(+oi=CjU8Mr<69>PZ;rgi<0-Wpos#cm$H7f%vB+`-8K0c3j_esY-evrC4t33*4v8{I(#V(H|c7 zYk@mGSuXB-HgSVZeV2*r>k>=Ns02vlT$#GA&Is`8pnm(&byn 
zm!7n@W(CcmP_OAE-yhB9CJ({5yX0EEUj{|duUf{w+jYopO_zzJna@;WZrKA&ehFvUMu?HTnJk)n&dEdG6c zJ`zoPS$z(;RAx|T@SEVk!R}Yt310E+23mh(i3-(#>0eo=LI9X76&)EsFwC$7W3`Fz z;Rnyx2tKqe?;$A&Sm-Q*Bs-XSE`%J2jPVuGGgWycvfZWmVgCmz@D zgBJhFdJ<^e_SDG85>=0cM!+XW{Z!J#f3f^a_{tn46ejujDG++Exk9p8PHi(LF3j_! z&UruGZ_obFa6E5$ZYt6CCr|E9p{xevQv;FffT=mO58ZX$W#;~ANv20mP100cP{z;h zz{+0OYVJVz5O2izl7PL{iA*INyuFDQ)liM5v8TD+n(UjEJmH|6~>AUwMqNQVa`8sb2pz~==ff^`0&5*;Sr z7E|H$sFX{ zY)3Zb{>rBEXzk&~)@HwD-TC9l<6rNY{-lBRrR;WVnsa@+-6_54Gj8pDy5tL#C!nE1 zGt2mec6S-|-E?D9y8*ORB(*}UD9&OCk@E+?X5k-v5x>zOg; z7~>vs52C7_k;#Zp++D?|@|zTX^?~2WW?(l19-g=veH)z#!3v0S-|72mAo-zYg(3A+ zndU0~$_A5I0$1eDt*N;8nu6w?ZpJa<111$aQpQ&>1RgM3Jqz=FDIq~1R9koK{(PBh z(uFz0D)zx^N%yT1e$pnGpcjyfH*lAN~+`K);ZF&t z)@ko117Ib4<4XCoX-z6)MgOcxvMzo8c6fbrS$c*X6hlr0 zGES}aq}|%AAq|}J+ZhJ6YNO(d!j=PZ!9T<1=jjE<_F>Mwqb1$y{YjTIj~YNMV_jB0 ztK$pUJXDHiKnEL~XKw>E(zV_WZNEFm@>-p3Qy$BSO48)X7eM>w{ZfaU84D4MnBJ*@ zGK@JTB}|+zgm9C3R)AS5b%gOTS05RhplGxIy*Wp|V~4G5%Q((~3S$CR2uvCiaI_DM z&EB`Vha@X@1LXhSd5Lw`=ifkZ7`1X|cQ!@_v5@eEoUn{DW$HDOWZKv?X{l`;U3Y6o zT5Lo?Zy@9eNa#zR(UXXaNYcodO#R#VPbS9D|0}>uMDeLDFHMT z;*ujd4YP1-3*H&Rt)6pva7C1x;)97YQC@oJO;n?|wfOuk{5AG7uX0(p@29)j8j&-; zH8#Yi@X?DeOiY$N7i3KnyAU}#1OM%KRr#i>iYrwd?s{{TJs_H=a9O>sVxlTm#;+o| zEhi_i&zXap1xKE`8(I5(aa5mBoUKsKn@j#oGwkm~MMOD0*V1A}fA*wb+~SAf@y)NZ z=Tu6GPQW(-8};jap2_P{3$*ZNO*go}<@aRDLts}Yt?0(#eq~z=Xl$--skOIK7T-jm zeDs7OH8CNmNs#KpU$%32vgi@UEvtZ8W0vl(%SD(%tn|Cg41kk#(3v|cvKnXgek~tg zt{C5I`p61q6&@k6V3y<@VV5c{_a*Ao5*{^P7qc0h-5DUdQUp1`#g|6`N;OUdkc{MdGh*F*B8=2D7}q z!#OZ}L9bVzPoBLQOVG=|R`5)KZHz@{>7a8Ih;5Z$5M?5i(VLZ>QkPQ!T*KJg$9Jok zuf$JR!1q{CI?dDWGaspZ2znt%&ta$%k(*ZA1cki5^_992U$OK++a_!nS$ga`1!DTMjNDYQPXKnwx`(6{(gChN zLr& zO%_H##AhUM=gV)CUx?}QRI=$xUalDM*_L(5o?QiXHtC2s%=zY5qlKf*Wp%X0Ls@t8 z76h2upcpA9_1qmg+}&MUib?#n17XJ>=Ho3A43K<3com{eTU)PP zv!YO7O^~P~N9L3@0I*kCkayNJ*JQi1U@c2I^(B~D4ebX+wYpLC}uX5svz=`I>w;V!&lT_Pd3 zoYF7X_r3oX{5tgfUv>ZEUqS2E@;&Z2$Mm6J)X0yv(wJKf!^NovM?Z;gL5aYRrd9xD z+?{LlIp9Mz*Lhtz1_5T#nR0%2#sA|D*?%mxS4- 
zMC45Etl~)>1_W6v)@2nI+DOnn0s5Z|XeD0WC4Xm1Wl~no%xDAkW4xwAJs72QRiB*t zBZs`e3_A&VYs3>{9Y_&d0^M#~c@o`+ww&voehQarZs{sAR-uVRzpUj@Mty8p2= z2}vLXy<8TlU4%}KRy;i}TIRs5f4c}OT^byh*ez*$248ioO+!F?%ZKb6t*Sa%1%j2f zzIPST5OzUqxpf-3Jovt>c&)nbUmW+@xmfE!{a>YS;K!qk^NMAA5!yFjcbO4BT)}KV zdpmBbArn$Exx}mUmxTADhb5}L1PRPz8Y{0Y6~tvXARjoe?~sO@4|M63MaXo#7ZxvH z9!-`CYdT^ONY$`pH$p{-yJERw3~00d@ru4*t?frckceX5->XWx_WTnjf&+4d_$Zjt zpmu~9bj{0m{QfnHL?6`>ZQpx(#vhrU$|b-|xHtswI=OQ>W%<=`+{4gjr2MSlips+H z%J7L2B>_@8j~XQ%E1}Orm;&a^3yW4T1{rlE5b?DpXQi$lh{?@CT9Hzf5eg*d-uFtI zcw?$ykBxI-D8(ynzLkf6!5-wH8aIALd z%Kgf-;S(+xlU$Kr(~dy*i)$YZ*_$J`-^N;81Bls&uo(FCMigK$h?x7!UccpAEWG_` zucTQqU~)-xjEGEOOAiwKmTBY1`*x$qW;ui}sZ-_SyqcgK3gLRJ7=etWd=KR@g3_aW zd-a}$R|EGPZeObAFMKNBgTlhdID-q)Bi`0;C3dsiO9a+Qo({@%RC}O=ho}hAFy@Wk z%y<~+UUJVsv^eOmyS}b{&UF6>SNu)u;0`>(9CDu2aU0N8?PpE8ugG_ncM9IkZ8qiK2@R4!@E%`!W`!tAjPBchp=L2 z5Xxq8y$a?pi5)C?CKlf%&DgqwiYthKA;@b~7xgE_X7JcpY1xv3JM!Wt*snm@wpEz$ zg_TGqu7vekm7v!13Dzl47`ZGzlz3ehghqM?a3r75zGoD(b7oSu)PpEdr0o~0w7U5qkOmCRQGG!(S+D8}c%i?G&dViZIX zVd9wM#uZ7heFELOVky0;Op;bS^G)2OtZ5kq`ymA7$|kW7%1i$KGw zc&J&ZsNL=~j|Dn$umB&qy2o9yn>pInWVrlS5n7jG_(b<4_Z_(PU%D?C#NIU{AiN2F z93k=s?*X=Hx`)M<%{?YGwz`MUEoX-xAT_84-JqUx@ak`JOjc$rC>zy7LWGJ1Bv#hp zdzldC_|^y;2(HWWXuP6YZt~Uj#g)9=Dk5MxVB`Zpg{6^UFcP#_hiT`b2V7?4JNQ5- zBiRqXnSdJk<=rD~@4$Qm4U<2<`Sg$El&tt4OJ*i{Ca!&%rs|)3S@hu+Z)|H0Q5s35 z;mqox1C;MMzcpEd#9cgYACtQw0-{Xf!Vcca0`ur>u5EIM0~yJUhV55mS5rn4-+VEh z)h;YCc-R6GKT1bby;%ZQLsEsk`1Dmn!p&H5QVEKeBO7|m(2_Jp+u}D(W5S|NH)@{jly*47;`l4b!Oc#w^R~WW@iZ@3)E=5#44Vcj@#_f+lgzU?U z1VbnBKcMvk=HcHJ#$%v#s9t*sE0V(~znmh1vja|HP zmS4&BtNiH~SolNQ*Uh=yN&qk6%-l8cAjW6Ge|p42zMIWT$IFMLfAQWi2!vCi|Gt|4 zWo6*sgfD;U?}HO_{L*O$+`d0hTLhG6>Z?TQt0-zM`<*bXjoE$O%t#~{+cjf-82)kP z5jI-@d^Lb)>1-`7Z?dNZ^Ac(`EJ8+q6ztWgV=SS^fE_4YNPblMh=^B{Tax3 z5jxBdMr-nX`-G##aqtNzk#|R|zQ{cjl`IRs2 zPu<}>ZT8zBbXt#0o#N!$YHJq}_C_Zz1Ye|W&(7I7W2)>QIa{+j?Nj|b3B_7&yJpA}^ zI#fyX(NQh9BHa9$d?KbTX{zHalX{;*bG9*eLx$Ws!P2 z)450`Egt8&9yXsg!3kU!|OaPkjw_>?zX&u 
zms{0P9*2TGK3tq@J45HVvTirYVRO`3F6nyKS=dWl<1ll~TX1nag*){RwN54rqeBAW zwGaMkQo1V*@4kc%kit`LU|I>VE?9u-w%6s>)~l>YJ@uJyo>{x$rTLx%%*moKN zzV*&YWvo@Mp|7UlpS+Koa zhNRl}<2fp5SfvmSA#&;j1xoT0j`(sopjzuFfKQ z%bw)cnQ6-!2Lgu)9zH-srbEcxI1VqjCH2DB9yV?PPU;ttHt)5YI-ZW%+@Ex?yHo43 z@Li4_S9drKDq22w&6N&=#16=TmnSw4cs@+aHh!3XtS)?z-o^pG4$B+mR6=>@iliZD|g0qM&UoKu# zWw9@agejTc2kZ&L0;)!TLFsUgk=>+jafV<&|(k< z4mF4q2oGO&{~l&%3p&!dE$HUIgc;IF}#zcoaob^yP9Y zf0tXlUVv{*`F7ky$!0T5ftF~b6igXmM5xYuoOMhN;5oRzWzXl(ue(SiY26^HYmeGZ zzkc7DyJykCNQgVU95%dq;f$R{mBOET&XgXU9_cxE&@w?Y0dIhesW>0g9k#o{El25y z+|eACJ5hVQR1XthX5pXX$*p>QI`}27u#Lj$kbqwJNgZ@ro_lUIPRP$==BpsPoqpp# zKK7F<>Gxat$(D4cHgs+tT*J>3Rl8v7Y5xVo)$gbDlN#x_tNFW;{fy4!+@{sH!by*S zLitHe^#9GK3|dC57D3S?m~0;iDpzlZGBytop1Y3!-sGY>Z&SzO37Q4X0f*8vJ?Jg1=R z0H=clptWzOj)(_f_6snK&AbN#0uZ@;Q=C0+d*XrC?9fH%{PzV=aaGHi6T9i|oSO4E zuCDLDzOP*OA}{eXyc!pTXp9(IqeX(l++Iu};3sn1B}xd=7-NM;cx6b4y0m==XgL`` zHtNUyZS*YrS`E;`l+qL8IT|~BN>{+p8^s4gV4Z+@8FcXDccgTpRJS+>sX6^w+8^qJ zGSWK7?V;kuE}ZdOxf*Vb(dGx?pln4GoDwMhiRj2HpAxWKZn2pk#U_x5;}<=Ou*ozy z*}0UA9Eb^0$+D|vfaL}(0#wB$cLEGP##IDrkoHK9?lSiloA&SSrmLZYSL=Naf&VQn zR_R=o8}Is>1+28{rlq`Xc`&ag@dQ^ zW~n;dxEF12g%fc^+u+qTV06);wKS>-YUDuXEkU(IkES_n`1GJed>u{Dxzwjj)md!T zALmW}?D=N0jw5?bI%&4IB1)d*6IqyK2knI`{M*_ic5YRG`fp34S*OjCn3(5AP#z(g zMzo?f*>d_Yun~d!fyWfk$nnfg9USOuo;x_YQ0DG31#^GAebAQ8;poUd>Ptcp?HG$g@a*=V^^`#qc+$i9_0#ZI z@-3(r9O@9dil$caujWB90%{FUyF-ijaCe>4Zp#=NcH_&FUC_HC00X&U?cq$dI5wI>ErFBB4Evr z&$R~@r|N-Y7D<*nyy8A))Ij_$Z_bEeLH%Y{UvG1UNgQ1s2>9L3r&824c789n05*Rd&aa(y-~vl z!CWi-AuZ`<*Y#MKZW+I&vs{7sEsU0}(Cw~)Hm?A=P$D$MW#1L9U>Rw1E!g+W%WuXk z>js?oGO%?BBf4%woM`e)pZV)QWBuy$;@~To zEfu98^X~&ahe3b7{Qtij#lK1Q{$Fp(>UN-31-t!H6M!ke$p&yK|KlG19U)A>*1h;2 zS~3FOjtFXgKuR3^6~HuL*0u|X-uk-?dW?doa_=3W&6+!~LHG5w|58?xE2B#VWC9%N611!<4;4$u`XsGtGZo#K~ zJGcY04yunph4N+0rCUY7w)%@58bvo@jO-(T&!yp|Je*Vdb@qEDgqzk2ll62w8QWwY4#>4C~ZV^&%;G zcTVCbIRV?y0g*r!vhyKvbNY|defV-QgBZ!r??F-NjP7_ZW)nvw*kylygV8^&hOKs4 z!hA?~`!HIwcL9BpV_m}BvDk;T^4=qhrTLa5$LEH_<*fz7D@MR2E`AC+R2=l+6uc$c 
zPbP;zAV;t8x(+u68z>+`075|75~TbL@0D{^^XXr#`n8OLp%7`8XPKq=36e9#{dESB!k_%V|mZJPl;*{OZ#OufkN)I4NHfBZU#3P7)M5bYB2b8+BLBa|fC8z5T2} z7AUthova3xF<^ki*0k^Sl~Peq(dt2POd!=EB#?G(o~eb-%NqrPm+;^klYCTgqOB~x zK`MrcB%up8Kbzgv#sw4B!jrv{N zsEde4tlfpf4t{@;W}?p7V5-l_ttn%Xm@q0J zZwi+J-^MC}I?y_1#YR&sole$u3vm28^UIGwN#=7yc1~v9!1Jd8ztvSY%JWlGc>LpI zF94?=s8R-(6@8mb%LaZ$Ntqyoi<>LX7#4HL0OJrwK}kVQ~6}+mhb`VT{cs7p$$c>Oq+Ym=R@9RtNm%rkgCF3qpd4sSh~v@)G>=ZBWqN#AP|RoHuIj_~moJ znrh`ym5!6nUs|;eCWR-b$0#Xy>9xI{HOR5>#xdi>2|F-r^YQg6{?QKTNDkz&W@kSH z%SVf2xqZ1Qsl5bFj< zK@(S{C+__wf99J=4)VEF(f#HEB7)chuvc(E1|$`pz%8=zAze@MSf^t`r^$u4BT?G8 zJ!vySe(T5DSYCC}n)F3)*0NZ(i$0a%JO*Z*0B6$OC*4x`tMN<9{_-Bye=S=wI{F8Cbq0{}aT1}a_4*53h`1SlqRM~3AdoRP%h4@i~!#Sok? zAHYGF8JB1|Xw`M(6Gv>z#C8P8lm*Y23+7`8MGL8Ctg6{8lx70pAa(R}|3f>J`{*)K z;aTPOUqbXo^zaLNOJ25hbhukoyvg7h&E|11TdNlwQrIR>prjJAa_?(oNGNz3?yf^R zDvu6%X0gIdLLrfW19zP&O9!9(@p&Dug4?SP(g(7F(d#N9zqgMq4W640{oclvxkJ8ALu?bP05?4(gg%0D((M zka`V{pRO&J`;qsRh+b*p$3fRW-cEZd!`x_^%}3@0SQ}ozn0qw#zq~HQc439khuRF* zv`)<6$}m$rHJ=j|UhKSe+gQ_7ymPq!ky4HA3F>n6es2^JR!a|jAN|uUeAZ&*;*G)z z^FL}~z6azk;#gMcdUcv@AO?;DupJ!nH9_F1b@cT<|FTdY;M&YZ1Zh=(-ZwbmJt({k z`=>)9&8L)2A?;#x6BtM_CC8H2%1KbN9&)Pyd`%Yat3j8q4>LK}DqfB`BsoqqSix9E z;3%}6p{f~By4eeu{>q~%l0YALd!-mbHnu>!&D)gpP)R;=4V1h#u^<94v@aWl@@^Ic z|7O3R@NlXz$!hiqc@y82JhUYCxPs(FFk``#)eTL_AW*66Y9BK@oe`d;_+3H{?rnE( zPzlxPlNb{x8KA0waSm9{)$S*h^Sx7pagU(FbM=uNyz@Z4SQm&S$f!06m1(bpDhac^ z=mC7W((p!{`wkM^kGEcQ!W{tPugPIo{09MPjbgI&2}l+cjmWZJ#t2^-Id*4Y47xGoYP~HGOSc=n_*0#$Rip~7tgBFUz9#Yr#a)!8V;tKq|CWwbJtu#_D0)SR9{9_ngqXs zJh#?Ia-(`=MQ!FdCpCx@`^i;hMoT)YnpwBb!>lfvoa1!g4re4m^ zb=0?#7U2|5G2Kx#ieyjN;Aj|#KufJo@noHE+|;Sf9OR!~MJT~f)JM2<>FMOV;Z}Q`#Awq;7RC{N>>~LDViF>0au+|LU$(;D3$`ee9Q83cY(4R8OY1DI zGnvhNYLtNK?8Ggtd{o%)aH@9dEj1=jsA@q#+D!)3hh>O#ED8}%Ry^p6YgmMYJ&pp0 zm^#bW*O^u&yr3x0+Ik?k9(y+LGw%L0p~j0|NC|MYESRN4&&c||Wse9y30R_6`EQtRFlt#Jw0sEov?^jy|@i#4woCZ>C_#AgTB z>WJP+!!JG=e(`iyv|zevSrq(8DWDtwvLOrj`%9M|m|yHq5b2)$ga7|y!z7*<*`V9_rJ~%fO4R-{@GpEf 
z-k-nFpC3W(F8b$UGik;+zf}}jVNk}gqJ;h>+_66`(L0lnR~&7gc=qL*)xr#F zWSW^rT3#mtQiAZ0?V`7V-|peRIQ`(9+QtxqV-YGV+Q`7dODjwLi>K*nkqI6V{7Y9< zYl>}7tBGaP?O1>)q)xjx4GSoE!QU77`rnG>Q9d&I2iaC!;nudU$IOvRyjGjS5Eo9M zZPZoACGZBG?`nltd9I;NjZN^D+pDR#P_O6thpb9a95w7JAkwO9)B&aB1r{O0-s}~$ za4sXi-L#eZt`lY7vPOhT|qsZ!>-D6&+*K9V{JZ;^QUUE-ae;-TY7EniW;f3o}7C zhLvW^UqjSY9qsqFBrNqEK6%l!OvdnF!=$RIAuaAy*utduN|URMA57py3eMVU54iUk zODD)wx;G}^Rp7U8mb30FWbRac7|({*(yU)NPRrp=#-xm2Ass8oqTb(#Q!Zm$C9#wq@KSJv_qlhQ#6sMZcT=`wmK?@i#<$G_I*% z_oBLs#=x&d_D9)ylz)4}G(oMVHmufFKC?;KuY3%nFk>iZ2Rfk`z)JP*c>s0d#v?^Y z{PKxK-|fT%1}L`k^wCPBF7bmjRpYs#g}T{DR6F788G~b^?QEr_EIReg^KDh?M$y%a z!R2NdxQK?~{bTq=R&#Ym)}e|GX4y){J*6cg1foI)^1b!f32|vF%c*fz!q9x%uLaA? zzFgVcx0RgBk!&1hNf*FW%tebvPKdhLljv}Ul+I^?Jgc82+WX^C$Z62V|vA zcj{smA>$WxlWebO-X=PV$eXUH(5Pv&d^&}zWRY+UEf8d+fkgaEp+$9m*z=oNt z_ql#rE1eZmi^|UFhESfWo99I-$fIXT$C0eRdcsI4dMq2*vMTI9wB>)e-r}u*xwb9Gw8(-uQ>t|d%c32;$tAu+^`(y)T>KQEuaz(7{qW^~N>3Yi#A}FY z1UOR?7G?I+lvSWrt!g7JL#4I9*v@NeCK8o#4%(>tH5dS+;xHQ(`)Pz%)??D?V>Qjp zagG}GK>8CAx!$$BPM7L~hIG`4_m%yL(C!#r>Bw{5iRWn>(slfhNhsyA(oo#F zcsajma#{q@$1KAW5+SX8kd}>Ya3>`kNeexBP~IhKz83G7r#&HXJ*!E$HD>Y{S^bUJ zymo|VP8fl5<-^DfpLP1&+hqOfVEN>WkWz97-n{Y;@>r9~B7*toG4a#D; zL0EZ0AGF_p@O|rZS%i9C#1swc5kst54Ygg(-#H~rDO-^WVVZ4Ice|KcGnYX z`9NbY79%Qh+q@D^TB_+1j#U4$8{Ep+w}V7Jyn0WsG*!~t=m%fZ%{n6f^*_4^ERhUk zH&AIi25W56_Rx5r>usYWE28{yp|C)*;#-lYA&f6tkF zfcpG8esQ!fRB^5IHgMP8Jj5~2yl=)?7|i2B^sG8lBATYq!e-Rz5io?DwZQH%q7L@n z$sQf9F0F*Eik#a<-~%$KYbm7U7gpp)4cU6B_LJ*hQxr5z`;R43b43K5q=F9x78=9O zh~KIhb2-;eFv>eWUq{UeUXbprOQa{zqN{?q2oVC~*Z?in$mphMQvZHUclBmF5lII+|0gt@IuzX zHDO0daOwU}%kztz%^DYOoUMM4tpIYQpnK1C$GHE#bNR%}@GiG~kLUrGD=6E$!H%%@uSBU) z(Z^IwH>m@KX|Zohqy!s*vrx9ttjscbr=n#Z1|ueO&TEF|coM#w;aGsfr!3Gb}JOy)lE{(Zy>|CJ(5^Zb%R zx3uv5fcKQ^Is8eGW2N$=!1j0b1Bxl_>znh#tp)x_L7-p#PjJYX5x)Kn?A;>r$i*A! 
zFQ({*xDWROS=C8CH|!2(R`fb8o7Kb0hmV8I>YAy|c}*X~Zp-s?0;4j{**B!z;!{PJ zV5z~yvr*|C*#fE6##h8l`GYnL&iPPZpZab!k##R5IN0r*y}pCST-|uz*q4SueKXYV zu6fCdx0mVZxaDt5uTnKW>DKLxZ$b9erUw7_q_d_xbDP#z*OBe_}2zva*;y%I5h1#MFRc>drW`AW{kp zn1zc|`UQE#N7W7TS3*laZP%8QVDWwyLQ2X0DWd;R(8d293c+m%7bUPEzXO#zBA|jh z2rfYOFNWclT?uB=sE$5bqA)wI28wWUgcpM6xpHnP{$+Hk-fmBwJnd4i!CWp`-vEDu zTXsD~^!k4|I6&cS7tAaJ&=SF44A+2Z0~ph*DO5ilqJLV5Zp%`80}~VjJtH$aU;*2l zZ?Jr0eVCT=$P(z7m;g56=F~E({aqk6z>+GoHVn?Q7gxeEigPa|=|f?(u%udNIZACM zB|1tM6RR^2L@2c~TGob5evZOK{*w;dbmmq#EMtwS;_h>&Qcr=ekljNhi3j}7_E@bM zbRUfuAo%rSVlb#je(92^m-aaDBHTaux(|K?A6JVzrmhDe8f=C9XJ&tqVEq(=U-cBV zb8R^6*%pM-iz+2Io2FSZiC}r~m;@RkqCkM%qfD+c&9WdHrT@50jb%ds4 zkv8bH#$m!C0T~(Y z#~Ypx)hguhkW_1}-f&p?H@g!tL z);lCZ*_ObHuzc}f$^PnlXPXS)MQ+|eg5As^ybIP9;k&)WukXSiR78yh;S`n~Gh5N= zVM)C@7z}gpeDOz@14zM}L&wV+AvZh}9~$M%B=7)@`#cN9R4_@BosbdJZGF-)gm zvA$G(<~}OKUumxSRECH+|25V!z|~_l#mpSlQQ6QcdU+C9Kwabv?UFi9v=7^%IB*}m zlU5tN>S4phTP6bjCRB6&hx4yq|J1$zj7uz5sNR`hMOE)i%k#J6D1Yb8^0xb{v`&a@ zQ;tQ-e)ZVhK!R(^kbSmH&4gO#ezN@4ts33Xt{YH8ky0H&2$uFz9A%e#P>sa|z5W>! 
zgJgMrH%&`D!f@%_ZepK|IbPPy#(Xj%Z^k^~8797u=hyQ~{Ns+&UPA=#f}_6HFOF~sQ6}`BZyG8Z5^4odcrfjNq@(d?r@5Sdez=si1O#&e+kC549-w$nSVAW zH$$bNW77gJF2bgU2PasoG)0OcKA7->BzPMO^{*8gzKj=WEuP^4&>VG?I~J+kx6gd*7Dq)gxz5hRk!2sfDp%To zA+Ko0vEG~@jMQ2AM^DT^KW``RnX&RCsDv(q3x|V-*L>)Twwqf+HjN(J1APpB!-^k& zM-&14;~&AcpTVeK!+pQFy1yX1pAn?SV%q?(AF;{*VX*_)@JP_;Bcuok0@ZZjPqFQV$Sx>T%OuGyDEpgk^GO%~`B;F> z00F4Itpu_5xjwL6(kAYNr>4?NR(r>dfweEuMsc>^u{&)-HO;8Ct$&v6zK zzI}Rl*qhN!r63_Uf*30U;@xd0MF1oKi&4@egbzx|)HUeax;5*ls^(UWUY@kytfv0& zD9i3RDsVcLcJJoX!uAPBkW{>26aYvx*6Y@m?DP=D(BCtM2h))w3$&a~th9y;jF;t% zBGoJE@Vk=7LUyf<6-y&WR@6PMczy z8&5j3)tBEoV&;BXMlxgo{x){9wP}^DxtiA(ZRVNgLHBHSWio%iMoOcXg{fcHus#dS zxl~S6D=KT&HvUm3qiyX1nCT6Z5isVubIlWZ*_|utP@kq{byxm5ujFtyfR3k@`8)uA ztRuRLj!$wp9j4#PhkEL$E6Hk1??9nG&qbU{5-1{k(MImd5j*#0>$lM4y{Soxf|S4= z$!Uiy!D`#eB4dg>Y>_$dH3y;zv;5l#Kd&^pmnsNYR34?i;Cw#j)ute3^npQL zL`9p8GD+TwWwJbX-;w-SkW(PN-7K0kNwDqWpFOaa$c2?Mf)_?(#1HpQp;CQqe$jhR zjCpTkRE`3rl;T;Gja@DMNi&F{YDmpCEgcJE(~v0bhVbI2;IJMqOam>P!2F!rM770L z#bHr)t$PX~CWEp!kmdO2t2(S}EB#SvS#ks!9*C-F<&0IEF|{7QP?eP$sEv3O1sPy0 zUA{^>y`}jPr(DwJ1X1RgKF~AmqoISc1&HfsJT=695)L+1QNt9iPK7!dn1Bv5h2b_?$5&^#{nY#&^xoP~0OdtVRC zd|T@=k`)Ioe>}$r%ZPwK>CjbSa!PbS;c%wcflXUpW0_92f9Of3v{Gu=FeU)7>|JV7H1WmGMWQD`W+NPG3 zE7TlLH5gLE>mVAY5d@)89)0l1ny`v1Etg?o0<)ipL0=3KkTdLWqFl{0eC%esN0zFd zG?|6Hj>Gw)9rgY5Az6zZRtEI>i^Hc5b(`hKyi0|-J~yB6UpbC|pt{L-qt(du#zx(x zvswe19Ik|q*W|VHO{mtlYN(8!QphMltrE1bQzlBP`qUcIoANqOP8%%tbz%}r29DjV zv^$oo6j<*VKvSbg6M|R5+->kguvrGDx+}cNSZ*T7DzyNx4~PxM@pM0v=QDamxg3E_QP-- z>*stK8Q|%ZP^6WN@H5wk*hT6{E_zIv)j#)!5c>M5hZfOq8l<2*a#3oPPDz@%8M=h z7P^^*Y+H?^R_ZX-N94`)X5cW-d&zG1B?e6fps8m*`9O)uIY=I@45{Xt`T&BQ&|^-& z1?j5$GcVep?X>ai?V*;DiPBXgI=fR3P*)q3L~98vQ+qys_F7|M=`(V)-||S;bXlKH zkon>D{Q_7nLNb;1q#|CG0vVTJGrb0HOk~(!7=@6Z-Kf=<9?SNW;8U=ZLzX*?M&_m> ztp2)kAI2ri(T2%?dUbh~lzvxpBaSus51FLg+{ni{_E&GC4ZtI_86Cr`eSHGX+@AbL zlgk8_b^EKjWD9zqCd&Ve_ST{lZP5VS7|f`!H9ub46cfVaH*EV|1d6RxRmXQSsrL-;;!85V^LzPsByU;R z4}=9Z&m(qADA#<5T@MZmT?(HkPY)FAU1XKcy^2qio4c3B#D3(<9!Lx&at$Y(yr0d8 
zjH;Blh5Gn%uLX0aPXF@1l3(x)+qr*~?uWB#^KRfFzOT2{{5}TSdR+jSK$CL=C$PL=jG$n+t!r81g3v0tlPs#*!mo3$-!~= zx1}QEbd0K`;qvQIApZP4cvcN$!KOM^hC!Z7SrVQ~-q{Pcttu&7-2qC=rg1r(W}^?7 zP!Q0GCz3LTxF}at#cy$+2i-zl`uS#X6X74c^W%dz&eMDeDHiYJ6NLQl3EIkj&%TOj zUWs7h#%_0rz^3Y_9K^?Uz`u2`#O`48{sP)c7>Ehty99P`|aiD)u4NS*lq5|t}Fd`e_aHK z3+Hxurd8Mp+9T4ua@s*4FGD;PnfN|4Ch6VsCkqmXIyseL^b{ISRry_-b$ID-f`wgO zsD+hagnZL9(n%lz#sFd~A109GNR^_76(}QoSwDRQF}y0p$e~`vJpi1&9Kw;zWlATC zq#J@VFZ(OmxKNLfIYi5Unh!g={T@=?GutPWPYrw`u?(3^|F+V8`GI4{?D=mr>6fsx z1sgZ@XYZM45%D*^UnY)jchTc28Hui5A^gx&Mg8~IeoDn*XZb%jX9-<)RDKrw)kG2I zS5*uGZ7k-zDPUBok|;;Ec3nq^^ZKZUYDHCz_1ZkPlDm$z1(vhXa?00NeV73r=}$GL zYeyL7{Vm5fC38Z7zhm4)6x9b&uP)E?Hx@K&o4hQ|6A_bYsVa6eMp4$$lZS6MiG$^T3aLKGmtmQQfsaC}r5TfumsT4o3 z4~Hs}auCvYKy9&R6NF7JSEoJ9pRSOWRV9PWy_XH7Ny}9m(zd)IDOj0S_hJ4%)jMHr zSH3Olfpy~OBI-4U5PL#ym#Tv8zMz{RFjV_9^VOeb@!o&!$|ElPvsZO7%P0unle~R% zT+Rrcg8)<-FKpl)LucL0%0|?Nb=yCyb{`bqd;263q^5_{BXu_f;^c7`gqV49F(aL7 zr8IkKu9@*I$q}||po>-CGM2{1#xNp#i#fQZ$$XoDGOQ}i@{zI^QELB}#G_lb-c@N; zW7JqGC@n#YS2GEeD$#TMjTKRkGSPCDrso(Tl&iWkTZf@&(cDy`Ef5i=;6RJYv=>_U z9V*dMZ;+8Ww?#>a&Oga6g-r&P_@ zvaDC%nl!fvCdtrKr3|?r3{ev1%`ewTL{|5_P5<`ThE^Hcq#Gq`LgLS(qS8ax-}su!onC;e{zdQ$&4*ah&cjCM zLd0aex}XO*5bY}{CW5k+**TXBSDkaP<||FP1v&oOdRm%=TTYB7WGyPI7cov|88>a` zx$$hiQD#!kFc90{kEE2; z|A?Tdj_z+qB86@$s9=h!2H!Q6HqN;07~SHzV3?NV@?=J#Khew=bT#tQ*%0Dbp_U00 zQ^DSgZmFYn(Py@GQIo4n{j+2U7Gy0(otq17Tth37L&5g{4 z_nL&wgWm91)xWz=!{ysRDotm}>eT*fW?z>Q@Nrf8QEm*zUNKkui#0}E;+P~zA~>2IVKewij%5+2>{$E>I2e@`R6EltQ|I>;f}Q8jgWCAL7KV#4 z&U1qqt!#F$yv#13 zpkI2Y@}ng3Mcq-x>-1Fsc(nk44R;&YE<_OtKh*Jy;r4Y6;gc{jsdJ?W^w18Wac~O-UPP#!`q{-pv$kIsElfFDp*s8 zm}Yk;s|4ceR(W#axEG{Vl9G7YwX?XS0}RK zZxlQG=)HyZ*xs6+O%haLEjrG~mLC%+?H`3G*L&O8k08L<{1rw27LM~`B=PVDM4BQ* z82aRy{h6O`)57*A@0J}`x$d=k7rXuU(ZT}*Im6dvi0<4WGUGa%Z8=^oB)w*Cwo%tU zcKyx+T2879lLX4T9K)Gfcq;<%>e6?{s(RF}S+gE%Xle@y-S7`7_?iJCo}NV@wZ=P` zUa%OUPzhPPDeUkhPG`eGh%A0`snTb!ccS9*i&cqGdZm45j1mS+Mq@!2MNUxWGmWB7 z5XqKrJt>gkqYwy3*CN~llZ`ipkR(*9WM)9t8|OUs$00E7jy)Q$1VeW{SS~D^JlkDf 
z*wzrqcU7s_uk*$75joqG+gL0=T64SglS! ztp=^KGOaV05PIUM1gwix$Lgx#!4@>!zbP`n<%5&9zQ#0)=P{KY-CYW-9dp5`u51TcvE=WA2%0M%}r$dj0cD&G5hR~dRoo&*oHzL14quq2 zM~<>XsGXL<5eyd(boP{B=VygbcoQJ#Rn5lz;o3KLq)UHi4LhCibk{Qs|Mz+ks#t5q zA?;@-_6@7zjn zqr{oR7g-;0xOkO0i&(EOI2~jyXlBEF;D)(cQ%O! z#C`kHBp_b;)b31Gn7k9#e{9{_W#n&idF(n7O&`T&;F(6SE@>T>xz5T=QYy}JNjEWk z&+_3-hUZcObhwGYoXg<1g|YE1nN4S2L=w?+AM2R7%at+b$*d*SbkF!QVvA?wSC_zl zW757)^|Z$mLVa0qHuI0yfW^aM53}0{R9r+^&3m!c*R8%cKr# zVFM50#n-t?URh0V6O*rw*Tno06!T>Kud6c5bs}7($SZuDxMcTkX!}Deha+h|i2dPcfmh_|x$oymWaa9-)Xz~`GZ8X+5sSPr_Lp}q#RyJs|x?)+P@;Hd@Ss1X#s53gAZ7Z;$vajVeFNpWt+fG zOC3xlY~m>T+>uusOjkD?;NEXJ!HqQ?@zp#ceVLHxM~t{7O)rkPiOpZ#K>6eAefWZ> zcueL|6%;)vggQch6G0B`nTwzs3_B%$kIQS`ljyB>zwj?C&<4G=kc&`sZ`<37~20}NdPCazzULvQb@EAIa#G0BJ39;|f zX#5fMK7GXa^BE2XzLHXJWX027)10gYxpShM3ZK03zh)D#7mN}3v{_eCTg1#~bNX+4 zrI;7zSm)WqL2@dt)@|A!&X}1`Ni-tphJXB!%6~2i3Ks1p@3`pPOGMP2B+FfF=ry;l zvmhTUn4V&O5sD5BC%IbHd{g?F2PY3jJ+;_jZaOR(eko{f77(bn?CRIPFuk%!Ea=Mg z4=h9agP8LRr4pg=o`S&Z^-7eXeAZ4sh1lN7v=~o8u(7t zE7>-oc2JV`UuxZ=SdQ1_+Q)*2{8S+~0=)aQ7k#26Ll5OP{i(b^!CMs&9n{HQA+Rm8 z>imO+r$7+CP0d<)403edBh6)}H(E<|&5Ow_9@wQQnFt9*BdH zM`Z&OnoKi?d(?P|DyFq_?c%eRQGS*Fscm~+2J4vMeg?~4!80Rs@*bYe+~j=mSshG< ze{5=HOXmV5H zgEtKZ7-mb@2|^Q`Bn{S=)sGJ*CPxApOfOtboRF6W@l&;Ji`1AqATOm^(TXPR*I#Vf zM3y@$0ek{+#X|3NCO}Vcj0cNcaRDN7Jr8jR+RyhmM>lvAXLHc^DSEwCTtQI<_hk{C z>(I2u%}~B?8h`O{UjUcYH-PKYfP~~$A$-`@`l-QV0!*%&V1q9knzrR}Xo*RsHRwsxToWYj?6LlwGXOgHRFBUMZ@c1n zO)nGB0ktbdl$~$?xem`@kmv{&AXF-D+Q=QA_8%aU&5Bn!!CmN)b+etz!pw_n zZc{VNkyxmsd0Pu$ulJVUdjZu@``=1@|BbuHC&44eEy-G3X7Q=oy8KhVVH_0e9&@R7 z(MmKL8Wr>dD3DP^&|sZsj)B4`y}^cva@~Pm_`y>sIthlv*VW4Jzm$LXPGw=rIapW1 zW1PNhWp?yrSxry5c97vZzGJdIiB(@6*IJG(Dez(TzohHIS@W#=ovyfos49h_VW#!E z2k)XYq8xW8Xn~LcC^|9bm2=yvMCb?}!}eonlK`NPVCH^d|A}!epQhxRvk!#WHCCjk z9`r=Wf-}#@rxnMm0Vq&@arND-2+S(eGHI(duGuv$qU4-NMMV_K4Uf=veJ391e!qPe z&Z&O1ID_V+z0yZ~A5nM;JLEqs^2ee#{?hqJLfK;!Nd>E7LvI-yS%53JI%<|wJK0^)oRMyPb3oe!b*;B_ z=dja#DS^7NlNhl>`DjH-WR-%Aezbs{^yBIaoyFyqa?N8_H&*wW8&;SMZI@}ZZD}oq 
zOYR7`Sh1(hP3*X@LXIoQe@=D?0Ws4e>09qmW zg06bqG%GBmxKRJd&WxpUNl=v5tsnee!Q{YoUZ$)jmJR#_G>Lo4Vl%W{w)<+=GiBh)JYPJsc`bur<4|%c+^1k-k0$E(tbNGRS-FihITKf7_18V&6vj#O5E&(^^L0FX$3R1X5ew?-RAqUs539o*Z0*sO^54kS9z(F%X!Ld$#j(T6OD5$F zLYbn3mSB(hgkG{eQj|T$yh!zRf6)4Yo?YGHp-GRaywu|KtK8`i6W-B=B!Zh4EPYQ* zD2!0DJ;z>lFL`-3EB;MUu##}bmIc&mUHi=wnXlhTgubp|3hIao$h`!x?^sDUvE(a# z#DNb$r@+IH>yI|dF@mUu{3hbMH%%WmY*AC5WA{D~@1w#3sjQ+h)b;p`feja&h&NB4 z^j&Z|fq|idkP-=6rB07zWj-CZFG%oi-JFnIIGZ1zRV8>lR=-8}^wpQwv3^o6zw+Tj zU;g#M?0)ix0Ja^8boWC2%DodK*8n5Eqy@5O_fch`Y}uY~5cn^JSxH9@)P}H!;I3K) z`s})zu*9a!L|LzyLyv0sJI*cjrdO3DX#{M652Dd^bS)dCE!sv@kG-mHR-FTi1thhJ zl|iBh()W{C6%6E}!*oD@)PfZ0X6U=Jms(1DF2iqW%Jdp<*ANn{{xQ)Bv)qHqqtqA0 z^c>!KRh3Z6Ct{$y`9Dj@2AA9`=$3G z_|@@xk1e~f;f;hqWM`q{oi;n$7j=_wFIid77I#>+N$`uxtT^1h2`?s|C!VqX1&e`a z2ZuWVX{KIfj(4>FXr<- zGF^fmTwNbiqqoV=L^OKr*M)qYS2^8~zVCoF2(c{{gVpG(OltzAL-ey9v4f4#2C|p?%N;h#UaSR82YMDV+aBdFi$-)BFPM_}Y2w zNJSomilMfR(E3A~4B!N}NCrGvo6?5aUL^q_Hq_i>0E$hM0m(<)<}Sc{gp2!NoQhgb zpJ&jCOceMl#Mt0x8y;ReSV75wP>UHEUC)7-+?pcrWNmstgyXi&oG}2ka)2l&;}m+L r`U8(fGg!0xoS|1L*DhyztobCi5cUl-LnC`88|pJQv@j^wcfa<3C`S|N literal 0 HcmV?d00001 
diff --git a/docs/images/search-head-distributed-search-menu.png b/docs/images/search-head-distributed-search-menu.png new file mode 100644 index 0000000000000000000000000000000000000000..e06c1eb282415e9dd03b7af7fd87ea40e39bceeb GIT binary patch literal 65425 zcma&O1z6PU);_F=A|jvyBGS?=-5>%YFm$)l9nvw3iqhRfjYtfQq%LrVxqGeZds zHNf!yp?jaR&-^T3k5Uj1ZSelo>x%zaz-E>xdSX#Tv z+*sFcm{Nk!eH!@Po8ruT`ZZdND_{$kH}M}{xO}?z^SM6NlRIpmxEx>X(<}4cq`;4~ ze8GTkNk3FO^&F?7LdsEe^}M32en&#Wp{%BLV%mS8zHGj(^Wjm`+Ic{~D6C_mDb=C$ zI>E*E{AbR-%76bVMpcg57$jT$`|^vDF8{v zQ5qdV(uW*SJ@&AIBmQx6Uz+g+M*3_Kg82nGt$>`77|fwUMJh7pVAv^Q%M-gERoFjn zO%|+|I!jNPS=}fSY0g;Y6y=&iR{dMdzDnlrBOJQc6vazvD~h%M7J0lClP-PG2U!Z@ zz@l87jyX75-`<>LgeCzJ(~E=M>BPZ*KW-ofyMQ>Wg6zG4e050v%%0tPK#WD28Tp;R z)e%?f;J#JKoNRSazlk1rQ?!hpMY9OE&d~L#>75=*pQ9XDwy80%lK)no0})zH>K9Mo z?or@wt0T5XJ3@MYzxIqh_u?FO@#Er99Fkn`4`uzp>0oQ1E8V9$-;dsbECgMk&9F0^ zQ%dLS=w{3`zSs$7NzL+P8%cZK1v~DEIh$!c;<<23-iZ%oTRdNOt{h6l6WCA}Xu->i!{hD#q2 zT%5$0Hq!BcUu1w71OX$llAfo z%v$AY!FbZ6lk|(Fa85hLj55J%5RbNCmG5P(VI-+rnGN<;&Z2kj_j{NCLnsL>m z!`05VYc60Hl>){6mT;c$h*E3^1WhY`mVgNC9{lS)*aL+N6Khn>h}s#dwRc)o!`tz+ zcj**n#{WyfK#J_TL4H!Lbkk`tVS1%y(cyKFg`s!)Xeo^6d;o@78S8G`__9IHjqS)z zumRpUP~qL8*0ebnSA9kB;tAeb6hQ@YP+Bbk*06e{=-hk}Ct#;o5*6aLy|V0zsvayi zfoSO_gkyXdaw}9T7mFhJhnm8bl3MDgTb(Ri{6_qg46hl)@4Lzy@sxXW`}vcE`@X^# z=^S#w#&F~}+KNg$al5@o563`OE7h=b^VkYnwS?ARUoS9#Woyq_eAlLsr-1ilNcir3 zd%x3)-W#6TsdLzBkPbMgAz2re+8bWWg1j+tX_Zv{!rW0f>b*0R!Z!2y0=dpUAO{LT zgD%h{6EuyQ@EG&pIt&C`CIkU|uI40_tC98i7jhaX|drq43L7i&?ppcz$-A5eGU zZbBO2@ToFwtyYWNwnO6hYM!4oHRsLV`N#=G3bqqZ8rt9ksXI-&5IlS3NF(O!h1lh< zU>j!Kc-My>8f=c)IMN0W(dez)Ph%c1k+uQG~sGs&1WA1leY~q^EB9(kek1sdhS7YA6g3&1|i4r=+Pg`*0@mXo>kzKg%6L#3;C+dSl7CuZaEp=1um z3QT2-W!v-l_zoVZ`p4zdd&e(?_NaqkMH(T0WyEo}^FFf+WdERS>#=|9v3KAZt&lj_ z_D0Nsn}c^(ZMka-b~4K)|0vuNeS7RM#M`~`fp^o7$5o2)7(&V&M&>qCb23)NPu4$U z?wt2!gxeH;{HgW*OzPbB<_XW{$9R>4{0bi{^L_;rjdFb9?+HIV)?f)TxJ4QilCeG8 z7ShKKtukxS2DIFW*?FmSPh^v}e>BX_3u7Da`Rxo!A3~e3e8*$2N8uTHv^&{a6S`jj 
z29ZO=jag~BXWC+&^gYEYP$h|FZKRz`;gSrHj%nk%-)*{|^9nG+?P z1Z>CLU|^1^?j&t5%(+-shreYebxrn&GA!+hEwjrn$q!n54#mHkW9bsIS%eICPZe`D zRYZXkYezi4o076@#W*+RRr3w>uPA+3+w{4MSF9YPq{o+jOXLarlzgy7U=;rI~;OYj*YoYQwExtsCi6gUpc0k6KXG&DJANRboX6Yk>9%v z(@P&%-H4IqHGvaPl%2|MfsrdY6~Y-(ha;lle7PaWWFf~!^ss1dfCPsElOS!DPgbaiDUiyMq-_u-sC2F*8~LWWI;ijxB10Y?d};3%{yys752bUi!uN2`q9B~^ zV9id|>^jiX4P@fq8@hNHctY&mTDf)%1ybnz8PX)pGSl@&>Zk2VhPF6%1T)?s{ktwX zsJUv~V5&K_#r_Fgags_P_w^OGB&3pWT0)F6C`-3!?G?!o%bWN_JDfs+9(1(=3pIJd zOU~6c`dq!_u#Sb|;2aAgD(ZxnI~ND@$hbDQ- z^~YM+m=`{X(>qKqvy^*-lg2mm4CLr@cKE8zqhd=gtVts)mFzSinHa-qSnu>xwit%o^v@Vsg z61<;3G6UY=GtKSZ6`PgHVC&U80;<)Mgd=WOMnv9tbo0B~qc#C^t&hxt6k1w*)T+ev z@xwU*_c};(rKi5ST59qS|5g6P3NES-Qw)85ai_TDz}1=Ib)ymfhR){oCS%Rqyxy;S zl{b5FIvSMa8phSGIX@gd?PQI{2_7P}DVmHhm%4XUuxakxgd(~x58lt18p{+F9Jr>4 zMo>##%P!an<|9{|c0cRqaLJ_gUpvJeknVj`sVV{!b1h5DFQVJ~(GOq6u>l?4I{EbL zY2F%)|8C4>;$3u5x-X0OuWO^2C zq!;8~doT5h9_+jJ?IOFBGE1CWiP<8m*FQe_F06ILy^^a+Yr`Wc5bwq{67e=v&{vmv zgMW`vnYic`W(!ero=1Ff#Ch@=ve^ZgtY!<6XaU4(wadlmj*w5y?rcC|3VFPu_ug_3 zQVd*rxTjPSgEp=Eb$%S&V$Fpahhbcz)Q0U7K4?py#6i-1eOU)A{SWHQs#q;}WH5Cw zAQ5ZEDQ32eQGi00?wHpB$$i)z!fva(&-!;hzAGpWer|21kRi2=wsd{|g9Fvc)5tI9 z)|*f6Eg!$!wly^ z(xn#mz6I_vTnLTMJDh>={KIlW1QNE+hdPNJ_!DRvEyxdw61zF4ycE-9K%AbK5tD(0 z>@}Ftd4vFcE6~a)U8m9$6H|ii{WXo05EY?E8=W$ww$eV5 z?V>xi11a@fAR|07I5)|4v4qk^fw0h;Zu}70ZySe7y zs9fCp1y^3w*HsvryLbhraVQJoalA3G(!+HdOY=f5FznqLX;Yw5b$7{jHtyvX1#gi% zc^=I3w4z8_{kJZY*hN53o-%jy;u4JF1qpZ)5?B^BC48Yu+u*(4wp&Eq3RR z@Ps{)*Q7%IXX`8i92Ym{?#TSuefB}bnP*8=ZJ~ z^>Pk2dsm1v3QS%!jDYjYz|oVrW{wP2Ggo|~CF(x;i;BRJZanMSvt=?`1?>165m zjK89%SaD9sGd@1%`<81fb+O#W3gWrd)9ubo@pO%UfWhSEji{QX8DUI!oR~%?L@xYk+ovb&@nzbO+oTFiVH+gn|VPOOAvoc=+ z1=o55$~KZ7 z5rAR-sOiggn9ripSlN4Wk3W)wY|*dApod-kiRoJSYsGk=loLf~e-4a}gKA058WqxFdcOg-lgF7Xi`>rbd#aF>=b zptZX-P&Jyu=5LRP*ZdcV#$F0D*mZ~2q_CeqFCXv2%wL=!RO}Bmo)}EH1|GNs9JoYRS&Y|m(vC9}wv76*3(Yet3fDo6FMo`0J*QRBV>QVE8v|XQZq<3J?tg=I z`#F~g+8f7TI);#ac;Jakz^??z!DsApdCA$WM=z>QSVVwXBQ~=|RNX}sjB%DqT;ci$ 
zo>-y;pkY)6pELdgWGqgu{4M2wK#`s%wAg_@$R_QDTynJ-t11tRsIscE7v`U^U`fwG z`9&KK7H)P0G&+e zQ-%HcYCfLt`La<+EBNE&#C;12!OKfl^wSQ^5m}OhEvhr1*1{Ux>8>!Wza~lk2*Z9|Sx!&Daa`TL{fS z%SfoSA=IyzT)s2)B*#b1>+S!%_U?}_XYxU`s;X4BId3U?*RR1Am?GKrWsJ?RTcuFV^fd@gfyG%z$&c zmAfKt0AG6wAvsyXgY_-%lP2)cDqdy{IA{8I~Y14qqOYlo1Hn-^l0oDR_k z2VjKSZu&7G()|tt_rA*2Cud<2`-jKx3CII~1<`hIa?B<3=eh38A*e}6XLh;(_f+AY zE9*$_ztmhlPuxHkxNme`?A5R1LOh~YPXvKYtprcAmCjRRK5nX%^11>*`3+yNK_RV2 z%{!UWkQN4OvxPY(Qs#MFd7-brj}r%98VKo*UF5+oE_Otaa~uDhmnWtQbU68r2z+sT zhLG^d&fYOfx|0$~(6z$BUBug&%Ke45m)~YEV8?%cDTWy$c5=;dGxhF!e_@%IJIyfj zdE9?I8zjA-(^>9%_7hK9#Cx0Sg1ceuJwNRODadN(PV?;0@zJ2+-)EN<|8;f(i(1S1 z;mq0avf3IaBvW>Ew))dQ{0&0^_BcA7zrY@~97$qLs#i|4_qR2%L=C0fFPE z@yF>#5${HYrKFtUyQeS;sPmxUkLTvY7VfVA%3MRh*05hy z%{+fQ`|1^}dJ6_s?9#M*a`{0SM5v<1AJ=Fcs! z0l!D(a@V8xejSvx+T~`60Qd}xNa(eO1@uf;#JKs9r%0lhLyuogM`A+;J@AY;?t-e z@#U*iMPExN3VLI<8;)d%_G%kjOL$Z${cOD(QY4^2OP)~)94L#syU<%)cEagzS9gdZ z#I;wY8pv7ro)w^*RMCf0n|*bvJAv;9+*(4*g#T@)>e5V|5BN>~L%__;mScguK>RmP z+(^4yFJ+9`oP+D9PZzIUT^atA@{sJ^6x_sU2ZFv7Lge6TY0Eu=$YRgZe)Y>oLN==Dc-4ISGQK$f}w-K7s}TvL))9njX3- z8@$mo*`MkwJFE6<+}h^R^6f!G)W?ew^lt;i&}C@zQn#y`Ndo!*fyJc*PD~&p5XxoE zfo-Ta2k}zRegX_3IZ*$ilnL}A7U6H`%;D8Ful!5E~NoYvIc5!wJeju9WUjj{iGOyKxsWIzz_ygklrqaz*m^%T{|8nNP+MGgJ1gg zQMrNVJ-v%J)M|l%DqNZlh>}$r3MSr&H)60W$t7$+%t5VlDEVp6cm^C`=Jk0~$A+))Ho;bqg6Uwj!! 
z2SL_5IHQXHHGK0jrNqIy<$sm-f94juyS3xc_LU=*f^G6Fw8b3kvWD+CZ#xa<&^n>sT)ye`YA5m(5WWm^ zzQMN@XzrpRK(N|@jF91J-Xx)-TXcP-MXK^FMg$Bz?V(AuwtRQSKNVm*^n z(?0L{JfDGS%9|hQ=-fB9j)vfjTFffF6T>CzUMJ%Y%jX)3@hV&9e#<$u(z|+gBgH)< zi|irgcqJT%@rgafe7E#j!jr!5*$Ul?f^q}Zz8EKs67GUp9rl2dS0N*WUCi72$HaY6 z9%L|N`T&XV{svkGPx{mmXj@z^Bh+&ODUO|9-wT89Kf%tX)dk6l5PcDG?h3BoYqxOGQ=4c(N?wEbRGQRh5|sLzwmy(s9;D$a<2_}o5rpng zJ#$I1-d8I+%;hiQV%dZqe!?+;ayGeUL_sP3NN5J%IWA_Id_Urnl7kN&@NPM3E%ITS zJ8z$ZxBA9DG0C&mEu2FCY>O#89_f?X?MN5S3%p}e=>E)-oZU;H!SFM-li1`HTj|Z| zy632~UNsXf#}paDk0jR0d0F<$tl_gNHq59Rd|n-=&cf$wJ!eZ1s7d7zWRC_hX-XiJ zx}zX!RKch{aV&;N6k{XhSVVHzDUm$@?T>!Tk;H6dVx{uB5?v(EG42| z?>7fn7%d89%4{Mr@T-*;*ZtK;f(z;0*wH2J#2zpMY}%EMA=q5h&2oFXmU@_;0?Jou zmo^h$?>Aoa$}6@hy@WH8W?WA5BSff&Ux$p2A|n6e`lI`lgyxFx()%kdXNA04@cat_ zb(t*{2)bA9LU+;Ees+S$f!0Ll>OlD@o|&TrE%|jd$Ua>f0X zq`3c~u{-ZA>F4|P=t{N6xH6H&5+6nV$>5#Fy{qCo8dnDj?Ur%`)tJ*2K~Ma(=D9dh z(b@&Cb*C-q$g21DrgyHBRg2*gl85`&N+(Qd*w!Y{q+$BY(hLhj>bA#Xzt=T&=4n(+ z1Le%(veBUeGO#*cW=kGnqY7exjiRMziG&uJ2ht@-FC@g{Q569%6b(_9w~4oKSH)!M zO#MiX^h;h>>Zt~u?6)0TKicHW#RCWHR@fO4<_<<`Y=1gDn-Md)_2R+Ym_IB%+GHmSbw`J)C)(U zd7U%D*VWV6WB2nIo@)Gvyp>8%$ZvJs?dGdd?JxD=4l-X!5sXgb?|dsc4%|m&`^sJ+ zb+kCBd92!b-Cy9_kr#+2#1Q0SNBw|A23AIhffdX|E4GSboTvH52r!-e2&>TzLC-^| z6prZ3VBAFE#JmTN!o>73;pvRJ)fzJz@V)?}kw#d)B|J zr^d>_z?QZAc5DED*|pT+Y`v(2Dc6M7uT_Kfn<698s6r#INnAgO7aD9o-al2f#;T6U z9xK)iM%rl!AQ=1eS1~0YPP8*5JPk{$DXwRzWrl2q@{QGM+sTOK^{e-(N`d^C1r_}M~X|d;!J9)lbAb^gdx20HVpo6)gnr(=YVF+Y&czYzB|qZav0+xLn(A&VBIj# zJTdD-$v;(d1a*v;%mX4R^e0eYQq%%;h4)pKle)p9BwmR~dMOLGM( zOj)0_Wc^~(_$w_&7-i5rcs2v=Jg=a2bnP&5dfv@<38Jt>@*leSOoU_(h9M2-om zb1*APF|x4MP%Dc{?WzQzmSstZ%k2`_3PIh?BMX-Nc4dfLH$OUk&<)r5^0Id_&12R6 z6i8IOw)xd`LT^$*AjS0O=^qA!Y~ocGH(8YukUE2^@1GmF4Yql%{1U~dO5v6R#bdOK z5Fo`%e|hdA2Bs8pG4Wn<0^BBUWlf%CUc$YN%e$-*S<5-E1(Xv!9wFnV#|nw>mZDrF z843q%9>NezLCGwwOIQ8Q*x3&P%p_Fvn6p_(e_Z$msP89nSfkN@CjG(&XIa ze(NSFUne^+iTehZ@<}%`+-iWX5gFD(RN^7(s|;(gf8`KRT%9LB7sdb@tuS+ z4aHinUd;>CvKJDhRC|;uiwqcJ--qXJBCCYDp-=f@Ncowz$R3)6Bn;%%OL5SJ*1j=h 
z)0JV}2c>Hm2(=}y;$$wQ#tX#>$)r0CGG4ttrIE-yT2ZM*U#UyQDch}+SeIz4}SoZ-f9*(Wen~^3()6Fw1Z5YM+CfU zr!^%|SpQ6x4~i!zgNCN5*dVgBGQf;lv}`(`^Y(}9w1mMA3aa&UHY|$5p;=z|gt=`! z)+5F+vc#-gHJT+j?LP!!X)GMyhgVVL3y`lnb|qGaRpTdQ^^D}Os^sg5ij#e;CR<0@ z%HM4->XvH0tni^qB4F>?qYoa(>$|H1qQ6Hy-WR{4&(|9>sCqVdEvcQ)HVsmgWYYVN zi&d73KV2K)FgBWW%km;=P@!j&UIb<2EBkN-D9lO(=pN(T+(k4)bt4N6h9fgf3RDz? zWBn+I@0I{-X*F9nT?cz?b`RA^m3H{F*90;h4N9hYAMaH5%BxInnvAeY%8Hb|u($uH zzomZ|h_`u7e0Yos5*frWkbb#|1|;e)f7>=mi5rAjzu%pDI&=z1ry^IPLTajME%d%k zUdE8;f2qAIwkE?&w53Me6E}}yW~B9PQhz~`gP3nFz1EM+)F^Uuo)g@h z98)CF&Jp3b8Bvv#0&mV!BA6BdXE=?!dMK&-F)PPBRZLsAv?uA%85~S{-l%!?;9;WP z0bK}hfb6Zwh%q7VWB^?V%)h5P-}I-sy@V9VhR(#me*IgrDaH>G0dJbxJ#XDwz+gr(`yP(0p$yp!ul$Hb=0(x%bf@Ya!;YB;Zl z=Y)@f`W0yb%;Tnd#o{UswT749wHhuR!=X-O5IWZ`@zACc&6?=wo>b+|G*Tu|uqhFi z0F|mqDZM2JM%rCY-!7BL^zh#x!qwje*mDM%&IC>8-@}@1I$g6Og>#RSY83xkn$BU% zUfQ{^elmm{#}$AUq7|jJXqy#m1#RNBB$6r2R;&eV_gC(qsK{n6hrrC1!arca?>DQz z&uFpF9(B;NW7j@n2Rh-xt6rG=NB=OL7pCEzYB}&Jz{>!@Pr@AT!u}hKxUo8qG&=Ua zXt6Tb8edYK2a3GG!RhzQzO}-HI#tO2fLAj?bGG=h(Yx`lx4b#=#-Kq_Rt8REOMm7x zkY2^8FxhXcq2kC4SvyS*(|c~WSRV>3uLr7DY<-Dt9=dPuqUk(AO2>Sy)-Mdqe>px9WHl~!wl zbwkMS((pH2gj9j=R7oC2P!aD;_a#K!?*hJ)kOGzo+aZ)VicSk#(8ReU@vAf}?E`J-J5fum%6n!i)GMAn{Avo>k z6DbuDrAntzIr+Gz?RRkgjc93qLpE--;N`U`#0a|#zQJ@MjYK_OOeLRpJX@lupbqH@ zkBZhbfx7@VC<|?~39Y^>JoVNpC(ZP%Yrx%Llw4RM=jNvQ0WBM`&i9YfUy~ohFKVnE z(Ejace==1knm@@EGntqrB{I?^iia|S^H>4LMc{dJ>sKUw|CG?lV@&nK({i}s<(@z! 
zOKGy>4|iKfiAXqb`^VA}*?M~WM%RNwbdSv9`eUggX!J;D3Wb=@Q(DOhjmNMz3wJRJ z$e%?^K!U5d3B(p-;X z#uf7~8gsM)=d--2=Y2Q$c(!wjfYsv1uWVNJEd1h1v;fZaWs11khjDs~g|LPC5Q{K^ zyRr0YUy7~!mPG|r$z}Ya)RFbKSe1D^IBy%?P3Y$)k+hZDOA883=&6bBQ(*xGzb0Z^ zthbZH`phKdJk0J|K zp(383^qf_nrGQGP5Syf)jA6!hlv|F`*F~Ozt`+5dPU1ynqBQ8q8+#|`!IpBU$MXDy{JmXd} zQK6c@1^+XRs2AktRS_Sa3%;nTm*TQuzNSKp;(X7~JgNZKp3Sd%k7i_LFn{!L4DDD(tjt}?LJ~sp z*d~52D=iyemXtDVR;VN44gidb5O+M|YcA;byIEN_vUD#Y3vi|&tLcts*NEteV(IQX zWvJcys95YymfL}xdm!9E#(6v<;pFLD)%1eAuTU74CNTQ#zlsa=qd|Y=!T8RQM{Q!m z*KBcRqvi!d1M2+8LL$hCZstZSPABV4y(~4p_e@Ud?TwKxeuf;45zAQ5zGVx)+tdfQ z$;+s&6X>~oM;EB=i+MdK4pIG9Yr*%j09jbU$!2@cm zEE~@}>YHYmhRB=haZyVbpNM`fn+J;x=}H!Gm)hR^mj<){%7mAbys9WTO})G?NzJ2_ z>E^>t(1)f=?@Ejwj<7$>Ka7o(@ETS;=Hb2bDAYoYID}&49Zo*|_prh7)_yuKL1~h% zp6u84Y&Vq)#ubNfeZ~z2s2-8Ut}%W{HPuee>a2cZ%j3=}*(QlIx^zXBO3&|R11{AE z)x<#?zu)hin=BTYRo3ez8B)(2axymdTQx>D722po>Y2xr#(ux0;VyWY|Ne{96_H0% zQH$<5A)`iJto;4uGGAfZeU^4VZ+;b!$!hNC#Lerm&ey+@_N0RM>b_#a7-$%Pnti;U z2CE`jpMa4Scmg1CMpa>?JKag0?T|#&q56-&hY9zq#l9p~zn)_*-H}lut~z;GBdzE3 zAmg#6viM8ePIe*Y51ggB)}1-&rfvU4sG1Q1g=ptfR1V}<2M;e)8&c`JA)MvQ&5`8| zfKtV{Kuyin9jvwu{8Sut8}nIrLtX^j`NT{Fe5$(LxKK~Y?SEFuIe*t`^izrR|Jj{5 zqdSqGg`7@a>HDW|WA`$Tq&{tN#N0dks`7sK=)`CzV4-`sWI>{cIJ0Hy#Zo6I6C7pc zz$OHmA0=0v@1SiylI9@FkowhyIN$BcI@YiCPX13XYDS`|!7J@R?{m6IJ74*7e?rA5 zxS_Op{!I7w`5p%gnreQ{rQUsqf8HKjw=E14uSRZv!^@?c5jXq8DP2Cu<>Kd-`CDL% zdlPBn;NBp7-WZgI&;{xp)$By~tj-)JDa=5a=I3l$ z#CJQ+kOWw<=Ofyt>n?F`)8_#JOz<&e+@C2vHCePWZ{a?sg>8UfD z%9F}~!j_XC^iVJlViX>!^@kJsz?0FUMXpLl0;)UCiQvidbz549>T7A?EQTfjFHvEc zF=op{7JiV*6GWwi`S-TQLu*BJ_jYqsVW4OqqWKT6H3TU6V)~+$CSdEUH+PE`h<^bO zvKy2#7ib5Z%^%pplOAm4`J2!JT5`mHv`Ah`u+|mTPOkGzLNKpca^jf%9PP$$n#uiA zr|UV5(hYlsNoL@K;!FL~HmB1r5JS*ydUL)j6SAMVA?CgluA2YpJ-~S9sH8?qWjD7O zY8tqLOPwq=6avgPjfYYLWv8@rnJa7hf7rEkayXC2fpFPeV8H3dnwiVt>CZ{=E-Xy; z0>P4XCO1(ORcQy3zhs1roae(QOk3$^#$`%r^kG&?o>NIMYi5Am;q41qXVIzsTzm=P zSAph#v!0hNHXw#O9hfNPJ10+#8^-dkX6(Q36^E-~mgm&wj(Wjet=>(k$ETuVfoNrg z7CDuPBJC*w=5emiF6Yw;h&ivLlwpR(BT0a31Xw8#-O;;lc2%G%UE&fOKHzpYfX?BA 
zIhM;wgI=v?&xYdXaI5Gqp0Votp9dFGJ%xp8X_Tk}5JhJy7HCu%;XCOF>hS))@{9+U zc|=Xf#mdF;BRa)*>HyE|Ow(~N;$Ku{pa&**e(F@*yE)){+~*k5QHV58OzYW23;LpL zvhk5a5?lH+e-p12xaiWQg1X;TjJv6HFkiAkf^PuA@{)DhzBR0dVV$2irOnfE^fE?P zkCKe9Emo6mjQnQY0jiP(S=fwL#w6P1Rck^gGsyo%T%K>B6+bF})3mE+S?_$`NGG0e0}pRr``r5LjJ)Mw^>etaq6iTG25v=;4--&j{Nc4)Y~54++v~m2hZP#B?{<1qmlrK1JLq(9D zaYyy7d3a7s;Nor4J^-Hp2GL8io%mzgFYBzHi&>>xO!bS7i8l*zhr;{7v_?oRq2bt1 z-(MPP_}K1EA?{R~TuG1le830Kj`X*5#;x@s*`j0}&%RH(`IHQt7M#yDe4|wo2SW<2 z%*?!I-)sPxTAfNgsEQn6ZB=*~e-7pIu6j#IAqst^N?(J$N$TqhEv3$9q@7GDrcz@* zzoPnqV2KKTb%hN6aX)lPrb$~M03e|+eS+$lfukMaN7`GpN>saQtdD*)k0?4@8Q)jz?3|;FCW3GB@#;Gw= zPfe6-QiDZd_xc+VOp4XBXXo&bw7mkil9cRMEuT6TIf-$b>j@zC@(wC4oAG2c1rzvUw80o$bJE9hpfG(!Eiyw3xHT>~o z)2gQI7dlGJ<*c7d`&C_$g%c{rynSQt)_E$w!(77@ElXEu?o|<=F7BA+i!{nXk0ssb zf5dy$%FX!8dgML-?C}gcGI!=^4C=Sr>>w@trM%kQg{dUKpF|Sh?Ob#mRV`koP#w(K z!-syhpEuddZ~QEjcE?N&>ExkOT*YGex}N^D0ah_)e{ObEeW$4tIxPoNnjAzGXGxuS4A)&}aEVe+ z7Ib7_{vr_G+39ih{v=n3GjyUdgM8QY=av>|8qMp4dFl^4xxbVwHPKZzLVSqgZ{5cZ zn*b|(#NDwhKRpW;f+K~q4rb2AcyUa_>O)wb{XlFm!+PHre{TIQ^@cBAfPPhQ@p5`k zU09Z)dz(s}BNzC>$5O_;E>;h8$BlGoKRY<&Te}Bc{!`bU>Mu_XUjXXAdQigJs~=@p z@#G#`z9~V>Ya)Do`U=$tZU8QDs~Rvt9>*Q|nFo0~ZLb56r|*?eJ;hJ9AEfUF(ocMd z+G}M@7rhR8(s=Wct|RhPCa_12(Nj|M%PYDQ*i9~Qr;WMf0YYo`yly=6TR(cVZ$k*tEo-?-(As}&4zQs z)_R6CE8J{u@^D zQ$NKjyGx;*3L`!kXitx9N0 zi(p#JO+&IS)^@j%#i0?=#6c+C4_Ves_Z49K=RyojJF{Og6a8ZXrRS}Hh;|mQ-SR#< zcb;I^5{gpv?AtPGoj4AbVry~UiSKk#0m|XL`ch6~Tx;=ewuvDdt0$(+K48g|wdI2Q z);GZCDX29O+@?tAck8N{z;7M08YDsX-xe?$JPa`=ySG1}lH_pHa#3W@QBnA6C^Wrj z*jNswOEbgX0g25A{glqsZ3cMEck@QBU6Zm7F9NChBVf+hD~1(n3>tmk=Gba`sx4))4^d8`e`TY22+vV0XCyvShZ}s-U=GA3-Z|vPuzkI_=$s z{h80xv#AU*`E2lV|E^`@s=SFO=Dsk^Ji~(rH1x^oA6{Gf9Z605ybEb=XmhC*8Zlq2 ze&SX|{)M?`HDHYYQR7p`_(+`b$3{XaPE$Pm-P)lef>TX2lVhGSS2`(M(`CNc{{Wyn zE6$YIgAX`3y6=-WK86v`RTkC|4qWSK2&bctdvYQ~7^J(CQq4ysok=EeL~KWRJw5*U?}{MAvq}$zV#C8FsjlNkQDt3!Rm7bcTRqZGN|L z`31mkm7_iE{Yc2tQ=tALe|1dThFd{xKiXWe$zPRO=}n@!`7v;0L5WheXv1aN7J!FG z@6z~f(PQ@m0bP>LI8pdIyj!e6lyTJ>J-KS76~L{?9Z74>H!Dkw)>$E01d)+Z=9>X{ 
zCvm0^cyqzTpI@&`dHQsq)nfx_ec$!BAm;tnfO)KJYUgy-Jw(XKcgNw>uWMCy)*VwP zx<+G)*t-*{7BH^&qYdu8W4Rdj=(!74-moN#EXX{50C7Lgaqx2yahigfG@V`1)BUt} zx*P9an_o9KSmM~y?&q^kU@Fp4GSCmaLulb7yZ@x3?9p=tM%x;`baKn$BV|L15VcRQ zD%X~#5ypwDGo)Rte%orRg;?>}?abW_4uyG9FwAF<#GAJHbbO~7(?)y#Db@4a#+qsC z#!92^rb%3leU9Tp;OF8*hnS*h8BBqu7U(Q}FB{{|aVF0k8~RmgpSx}s#7^!spd##a!68-%bB036TL+lt@%+TOExbkjQ+3nRvdB>!+1+e?Kky zX{7lea&AO)BU^p|Dy6(;EQ;wyHtzLs?1=gi3#&qQx6MfRGk=CiV-~y-;G@BmowF^; z*36nTpahnnEjnf=fWiGykKjGFPAXQ+y3OX#ssYQp~RA z7vNeTy&CK1GbJyFQ0MWw`61=1leujJYSa+{LlW+pw1Q!upDi98@4Hzc%z)MA?^K*WvZ-wS*_|j*?#4(VaV-ueFg9=I7K0_6aDFM!6N?@Sx z|KWPLI3;e{Vj?h?L+D4H9+a3$@Eu#Ep=xH16+Gm0? z4>?#;S1>OV#|V_66Q}YV^^>U&ONl-SNOx56@&ond(`d@@uWdgBQrxZ9^}SXgdOOC{ z?=(-`v|-6Yt$%1K;qRF}wO$5Rkr@>peXsH@(tZSSos$1rbwhYm7TmB((ByJ6OTY#w zo7Ul+GnJ6_pJCuA7pSpB9RLL>wMe~e+LhaiZnMa^YDzw_sQ2mg8}bxu7SNjd6Bp=j z9L1XKl4)Rxe`BEignnr|N#3SxweTP;D=8&@>0ZJ&0o(4xa3>3~uE>;?CiT*(H15Ba zI6>vSeybT$YtiVJlTwxdQPEesxpv#q?7F%M0B!i6;<=EM1RTw}G@q18Q=BAF1kjps z{A-?f55l&YI)V~(of?PXyj8h|%6%@l0K@h7q9gkKsQ0eI4p{Tt$R%)N9|6HG`AcPO zW#;`uEf+6&gz^=OYiHL-Qw=mr^Hzl40%YLd8@_-HGv2S}*I*ZCRxxJDE8-u4gfmVE z%%RrKLy*acD7%p&Ct-|$b+WdD-AUAoFaO&9eBI)TX#j?@|9{_oMI2nEBSZ*n?gA4w zzwo;BW=E%h-FPh}_#wY?QBC#Pv&S#~we|WMz_Hl>22G%pXxc+_i?nL{nJB3!DATy1 zVIaeUe{cDI`6nvZPlzG*ui#Z#+<96U{?U#vy|%MD`+sT;AQJzD&jWt*M?q&MtU4M3 zD%PVDsY14Pnaw`6liN=JUsC1Ztpor1!}RaEUtK2Yx)ot#%Bd;YL%B9zw=%>9I!N%B zHpm6FUhdTWLCXHi)BZjLh`B!6R%3#adw!VZ(T*{d-ycII{yj-+Q9q>QIi%pH{lpBf zxml%q?!In>CC?B5(f9rS|`zQ_G%Q zzv|~Cl`phD+UNi?IR*O6aP9KFAqQgK@!}RYoeC!m*c93!`* zZ0&*7l~JvK(W&mT<)RMFLbO_x)zxPaRQXRYm&6-TXs19FP_7=TEpW|Ln(>~N< zOe!%;@hK7mU20D(i*DAFbRM+gig+mcr^dQBMO z-_g2UEz`JAPKfg+c6X^&#>kQ*)`-)@1k+^7M6hPA?UfqeKW}}{Uv>qga!)SK$1Fh2 zL->J%Cbjm%!)Cd+uU;)*yNV{5-tj`MM?6=cTux{JUB$fBMPKlYIFURnKhIhdif_yQ zKCu`SgZkP$X7Pq$Y*%muCB4-cN`=+P2H!9bupnE(xRnP}uUpFxFN6!oo=|1I;jHQ| zYIY~uKmub0kEWsryGEp~3HDV^oypE`W%Oj38LundtTWt=OvNghaUS5eMl(0iM2TU% zI)0KR;hzepi}sMw-aTDrbcE#lIkF~hX7C-$a}R$QzW*2X@5b^^@qk(}`Z#9#K1Ph1 
zN88UbQ?Le#y}F8m_-Xc3CED0;DDdE&jFVl~xtSWe0}{$A*6UWrk?SSzSam6_t{19e zg}=S06LQ2nZk{xc%)Yd*LiOsa+S`|zU7T$o2?@RsRf}X;+>ASK z{2sBPe=Z@QOKN2JW@g*3RKOH|7yYdleNa-Gp9^301(TY>?NPy#6RP*sj-~CEw-Ici zmbA8=jYNAo;#CM@(~)t{nHNRP-8TVlQpiq6rj|k4$!q%Yagin&-3gFak38l~`%P;B zOBW#sa<@L1nX2Kwg+65L8t_0F96)>n0I8Fw-FA&cks*W4c@QnSD|Im;giW(YCC=Z z7KP-xoKbg<uba*@40x_-x?O-_BiS! z|C+!JB>0+KqBm%dM%XcHu65N}i?fd%>E6wgs?3>AaQwSdj$o@@xBI!U0QTN->i{}I zWwI9g!M47GLUtx&2qm9$J>V?-lMMi#w%gSxi$>uS`z#f91RZs8FlhbjLHLI$$c4TX z=wA(h$$~c00L)6)uyFywrow7QSC~}EQ*}3y_ov2kXUDg%oI_6BVA**Q1oWOB^>H8e z`>ssPoIE{w!iZDszJ&tQT|YX!P$OI^ITl$4&5UAszIc%AcbZCC8)R z?+47*slKumKvRhpWtYc&L1ubuUi>=TI^m*00?xXZl{Sb@C`!ZNLX&4Nmd|ci&G>%j zXA=Y>8S{UlIxO&L6_Kb3{&S$;ltC?_glxWd82^4i(IfN@yR!mxIBKzfZx~*&8=4#z z>EA6~-8zw}jJli+(P?*lP-+|hdAOo!b?6wS)~^wRjHKejz6~M3mWZ2kyB&l>S+;rM z?9FQBS_X@!j%dlGwNNm9RcxBOM2kg`4jUJ6r zJ$d*Eg=c&-dGoOS@Ukc)_r!5Z!@@W4P-9~z6Wg@^=H;YvO?)`)P<08nBbBd{T4vtP zSr)jn61wGTDN+H2>Q{-=6kGJib3Ofjlwr|&zGVGXBH+kT?tKx58zLs<2cIGDFJ68Nb|9(>A{H4i=tg*;lQ+Jw)siZ$*vG2Qmy2bc@6InGU<08;TNk8y*GPB z#M}?)QIIM7?iCN;+DcVZ6!!lDaY`F`nJTsOfUoc@_kj6pVC_ik`rgHXD~_IW;?fh| z39rm0U)0sgqT?a)Wj{9Z7|W%xNUuX_3 z_&V^r2jV`5VAJ*EY_Jca3bSH(tsmIzPzvH-alCdfeynY0!i4`y7Z-<2hk%o2?EQeD zD)ZxRp=|B%;1_{1qC|73h?)vVu}UAfqKynZesTyx;%*TW2I=$s;=ZduM1_}eP>){U zKhRRszaGlAh4i*5?e%gp_Q4F`{ejL8Awm;@4XDv}XMzW&kc@N~(E8@LoN}~T*)oZ* zGN*8|=@wV<=R~G+D3gotUTMNaRo~0I$;w1CaCXtoFWCVS#CIUevLpQ#l}4a2mZ@sU zkkJ!kGXCZ3G{Cs!^|+y1jel?GzrXj$kWL!^awg)cTjo<)+4}SAF{hs4W1mmw4zFd5 zqM!f%gi=Qn58?mCT+$D^-me{eCJ+VQCdqG_Er-n;wXG7c({iq56sSaSAa9OOn|6=* zB=z;`xjrDf-lhDibi)7=-8f@E{N!HaZa<)pSqs$i4v>6nen0+!*wc~ek+3}f4XaT= z^@2U@TkP_)w|rdSdm#(RKED$guj^pPl5{kGHCS-IsV4Mz`)%0vPq4#sHw>kE;iK+6 zYzC0p9fWbQ+j{@Rq}PoX?8VF%V41jsrTI=0X_V?)arC<7(EnNRI0`Q#+wsX-Hsji% zYV;v?fs1g!PTa^eWyj^*$OqO8lCyaq*& z6jZl{&$YFf0jX>+%U)#vFP0yAH=(I_u~h&On^LSPp)QGzo9)TkOmQed!%zK8WqVam zobA#XLGOYTpjpwY5(*?|P|Y(qXD!t~<`;Ri?of9_BzC9t*S7uQ=8V?RslvkkbQ@c{m+pNl zHE);=bWW0LT&E)2Fy|<>h+TArqC=x(vNs1~EgBmiZD0C9ixIGwWau4pEeVr?%|ZWt 
z4ZNaNECJzOs$G`q39U@ux|%eRY}dae>?Vyc72Y=}PI;z+Ay^`ZnW>KfWiqG<)eUQn z$rkAw@Ai6goB3Ox_N;SY2>V3nz*yorMsTX1gok6}{6OKe5_ z4fZX1)aFcQ5=RX*TPwkCTjR2$1e9UyllsN6_dOT2J@1c*i&b?mJSS!!b6&9Y>}Uhb zN6hA+>3|jh1L!Bssc{IBZ8@wBeX|m9vfZiSo>kyI(ql+e;;Aw&hmvt-<@SW!C#_?* zBp)iIFA|z#(=^?&eo*nmjy;5+$6s;a>m2`*7EvE%h5BV#`1Ljqt*E@OBv|X$Yef{p z5DPOynNx8=agqAR=H4>k-G2~ZC_`z-9rbELwaR}Aw;GD_P{DI)Mm@VRwHKaf?HF^> zWsv0dJ0G>)+`Xi_wE%L%-`vksE^U$GF-^|2m~r%L^C#|s)-I$fuRbXI@km0E-Ct$S zWuY0RuUpMunZk=9w5~l(8waOZ4G4B4jbB;0$>Z{RFRYup(sf3W!D1EHI&p7y^Cq(x z$V%53Jie-Ga)`0|*!TG^Nq->VrqDLM`2sO{U$n%qQyL(Ra;0!F%A7ndT?_Uat=J?B z%ON9{3(!K5X$;Mjy@rd}n8|12D^jI|(ynfX&?|BFv$%Rs{QCudod;Pauj&-}Kw81n zgO;>`k7Vk)s8mHITJ5m97Kp$T>#h(M+9!c$8bB)tQ)k~dTXELR0JO%^?1g_14&zu^ zfzgRcWN>Kh(o9CB(JBm8u2x-&umRPX$`aO>1Epmq`eyYBs{XKjYo>&2Q^-l|ix!N{t*gUc0OPmvqG9 zzF&22zzBh`9tevSF&T^392tubxEEpIz_u<{7p3pbogp1^Z7m>bTInP^PB4rQ3!S}r z5t{^vOw$n;kh&3SE%;LLnA5gV$p73WRrAxhl1c;Jd07O`54OpF~Hm#+Z}#GAB;K-GDrJLLmtYISnvWw)wvoffet zCYM7uHppuXvFHV|F>nkto_J8ZtSw6O9&vbA_$X+PN#&*$C_}@)%6kboUM`R@6i$sB z70H^f?d?lk(K<@@AyM4Ibo?1i=kl3@7|UAcnkYHv z*zA-va~m3_(hKqgxUpIaq5h8osd0CuqvYc=GDOJCO`KI1Q_oo$HqWe| z#MuzBbuGEK(2_A%b*t!96|zs-&*5wv-+|%uw1kKyLvM_$^b&jK3m23qBn(bYzN}>8 zyySFS{**pX=iF-)u`rpuNp`1}-0fj-{Zk@)Flvlt49B8t!1 zyCXTxo<9_O8yxBwCS8Wl>UvOz#99ZEyedG-37eUMKkv|Vhw?*9@<&Lf;d zGj_m1a~uf}2*^se{gvo6i%tYz5#`^o%wld^z`ZN!_cKH2qS7v-8l4r}Uq3qCp0*pm z!@a0oP!!evn!tPA*ISJn?Iw`!UrZ26(c$>a0RK+)h&>duX$*}w{8Nuz<-Haetuel^ zLWTQq7`G8r|3*rnUYKIYdEB;Ec)z~E_o=ThNbJ5eEs`5O|6QU0sVY$J2mVbeM_fJn z&mRFv^IqwXvii(T)!AFeJx>lE`>8aTiH&TH?Vn!%2NwP3jidynYbLJ$^-ARS+}Ukk zXWBqwS*Ce3+6J1Z-_ba(-ErXYmr}O}CnwV#=6eoSUwwUbb5+uj{q}L{K&$h|P5=On z-?tM~xh=%2B~(M}g>?5KYn8pH1ae#|i`kEik80T^)dNkkG|g~t9lx_mw>@k8$wX>|8Jo;YHDwG1dd-^`m15xSZT7=p?QL6Y_JhX2?kSQfhl)|B308S5i*4!qqtg*;EqRt_>!=fK=bu2bB+u3MEWb?AhcK;Z1H3ylv#g; zL^{vW$MC@DchM}LHQkYv|IE+lFqp=&m;;-J#Vfg#2hj8S@3jUR%YbGD3=cl`Kky#0 zx9tUPSuMbr0M~cAjR4KUsx$jI*)zquWYe2EN;i}{vyC}&XY>PM?_`3|XvY_@wkraB zT%Hu9JX22)KVql1i}`2bfDeNYYEzoe69xPx7$QIYwu@K>HVdb~RU$ln{@{X_{D`Ff 
z5$a7bEpP2gzhVuPsqW-LaV@`nQcJ4lK_}Ytz?v@DAm_U+KCYtdU|y(%V<)b_Q`BUo zfuDJVfC1w-l?N};o)ZWv6totZ(P?+($2esG**xB+WZi%UYedn|gM5SBGOLc26FVuCaRX=+e@W1p; zSMSk$Q_SrBJw}93u(!(Wt*{X=fw$oV|9t%SXey9r!4#fqWpX-uSOPbqrQ*xP^dv%; zR+}U70E{D}*^*yRA~~`OSa-D6T{H3ST%x2L!-ZuGOUr#=7|;z0R~Lbnr1}Uy^Ev|N z2c&$2ZLA8snDgr!$Qtq%lzL{^?;)Vq0$7EjCtdkSS-07-XXuX!#$uzfEY6*I{{Hhh z-{F(P{ZQWf13ShZ1C8zv+E<$?z*J&cDeLPh$+ksJi^D(NiTj)rAoE^ZlTdXJ!=elU#6{_PmRTYMPQ z<;M9FHA{e-^D_;bn;#iac5^ksW2Ny)k9QU;;OOiFwae7&8jmATHk9U)CMAEYAEe|X zt*3n%jrozZ<(g%QRTv zMviWnvjBu^1_ADs%qmfsAqwTaJijih7KI^hJ!7~kM&ic%n>EPbiNdFrJbAzJ?!a$l z_|;b7yKJGQKPauae)p!xYiA&kmMBkey-@L1(*Gv z0S>U6pec1f!m`@aOByTr3X|a}OdE9^K$-+t^efK_4uIMPT|t%rg%14@&~pIfUzy#! zPO(195pXPR69cJV7530GS_UCz+W@h!TolAYxUn^qKUvu6c>*TKVzMkYi){VWl1?!< zR7>h|{=V z2xe8mmqA53uask`r9Zano73}!)co$if#m?y5L0UC7zLe`eurxV*+w7)OlWhgKrtsD ztyo685DkDuoJl8;SOCbgQcPNy7C?_6$S`N+!@Lm_R- zsgzJV^X9eD5BnbagjQbS^GO81Nrm5z>N3arNfNy>&b2qOLf5LgccOXK)v)s_hre4D zkELV3$WJNJU;2e|{1U!djOaa>PUD?HiU&NB?L^!lkSV7UrCnplY`@1Lm;N>XiJe`6 zAh{|&t6dX4#>Z3+z7I?{G(9H6-BHh8sBr8W3mDfpycGiG^PAwoQX@chgiRWgz2p#_ z+J?DKK5^AT6Qq0T*k}rDo#r={ilbL(Yzf#4fc}Y7(Q5N((g!kt-W11zG92(sNN)}; zhN}?yncotU$ZUiRT}+bk*y*5`%*SJjKKNDz7QofeDyh z+Af_+XV#>O6uJ>57^ufct!KmS8Lra9w)R8jE;;3fc<>)|1x?P(0mlyCuRz!MfKa8; z#c?1#P%t4pw*;R95Xx>*_Nw8D52i>gU_WfD>4kY`xGF?j2K35A+i&DCv6EGt7MUdj zKcJji$WWj-yjWzMF`%f5T(n?@%#ZtTG!IRD{pY&_**?OaneGRF-a<4;uoOSM?iGq* zrHSQ6)Nu6lsu6v>Ib`>x`_@iG^^%b_qS-c4rDsyHT%(>=m(tbpvD^>2FxL3tQw76{ zk59^kZs@`w47Z)0JhTvw)mD~BAbDfT*YS5ggVrvB%0@uf!_0p06WFT3S_S=Ni+a~o zUh@+dtM^5aYdB;C2R65=02_-%Q|AP#zJJrY=o)*Z_wCVJ&rf6!>jqEOXRitg#^7X)cQ=7AI&t*1y~Wv&nyv z2HyNXq>ezEg0{&5xP%dPQNL2_<@Z*@5Mlq*%#SuTW(sA#m_v(enVv?i2Q0=l{ACHCt$ z{!>&Adl@GS2LKbBYZ(L*-)Df>xZ3$EvAauLBhm|Q;LZZyMTEVa$giCA8W!unox+WEhR zdJWyxNuM@P0B;q7C^mlT5mlV>CkOe+C0R z14r`0Wn=H!<4<4=AtYBS>eDtNHdH{yy6(}PuRs)+q_3^ASD2luk(AD9ayF z5}e(Ycky^DP_P@x{P2BHt6)#X64C77bkVAmGqA^6ZId-M{)`!~b|Y6m8o~ZQpIlqI zg0?6MWG!zSF4c{;in}Wvx6$>WKV4BGII27+Y9_<`#>7K4Ww}I%T)?taU?Nc-7uw<|0ZYBUQfZJi~^1>KGGt0 
zoxt{aIG?JWx&)Z0wBU{ZR?AM!*y(-hroPm{7L9geTy|?``D2Rt3$Uh$pAd>4P)sC_-?Zg=(?ku0S$jEV8(^Y+ zWCrS@$M_N+yt`0H=pLyy?7FPJ9o<0U?DZCg>nmB4qTck_Nv19IYCwTD&0=AggY)oY z{Nk{T)tBd$knfXMZ#W5p+fX_ntXP-(%&69%5xEoJWY^85-uu~6*C8h=Qs5tN&h~0%@nn2 zcy!6iXH4XJhtmN70WdG~S`PwtPmorXR|3iy`{{^?n%#D8M@v)HKmEfIrM008AQ9Eb z7Uk^XS_Ae*D#zokFV#v$3~`c6ZjdKwaLc+BOT6NN7f#&|)-P66u~#VDM7Y;cbxs0? z&#!YS5>P#yL8?&=&UmY}MPGvG=tE&K1IVz*x0oC-2+f*@sGI*|>)%yl^+uud0U#I$ z;CJ}5kyDWQP~N7VAU47T^p9l5Yc0>8jR2t6@h$l2HxDTQDc@ch9%iFqF$l<8CL*n& zKZLwK%b{kn$ZlU|cL!W6WD%)(Gt{q8O*z;ICUYa%4B3R1a_jFoyk|V=rqN;M_=H^S z-sYJj#PZd(cXIz=mk@2L2Gbv|v1T+&>842w8)kP-0K7Q^boJFm1>i z-@_`4MvL9Z4x(2p^??@g;gs2f^j$cN%)8ZJuDQ| zeA@4mNLbRMDu2mysd2@uw2-w;DRWz228$ww>Mh+TS zHb7tVr%6XE5J7cf@0MaCX(s&(H9^Oj-Kf&?OGi5kTgs5l|shrMyBTYBD zT0zhnFPt6mq6H$2boC&9>WRe}y@3mXTH0q7wWpm^_UfU_x5ki;1FU20?9sS9L#zgO zZj?+SuFREEUqe>-IVMQJq0&sE*eP8yK3aX{Q$79N|biK4S{4(4)Y6nmx15go2pEKtCkjP)=_Ls!~&SIctfFL zSVsnV_UXiDFNaa&WLJiy%7_ZtU2?w=zuVgoc(M+3J|z<C@>GP60I*8{)oglK1AA%aT&jw;y{xO z&X#E(!v2nm4Baj;J;95CZYi~ zY3aTzySC&#EQ|WT{%eMehtxLriz&}6{OLCeNdsL-Dgdqjg1Y~z1y~gjl{=-4mH#@x z{whd{Zx^et^Z#M> zZHM+vquJuV-=~OsdNaGW!9mor-~Nr}$yp7=YGn9vX?>ncP5ft&Gd5796Hk>}Eq_Z} zCZ2II$!gZw31EA6#fH4z;!VZqO#P@0W$LAu4O32;SD5ZVmr^e0dqxtveWssEPcuvL zlkBAq>bW;`3}~Id;_{ap@1NA(&fId}3?y=}`=+i_20t#mdwR=P4w}P@-h)gp4L2W- zwmwUn2YIi-9=mm~ZlS)Nru)^(?~?*iqvOBa8SPH-lp~DgAME){W{C%}A~V(fPu)|& z%a}scF5|oGcy2G1Y!eyfl!tLIwU*3q}n%S-NN&gbf7i(47<1|TD{tCzl_}7swe88Nyy?cEo z%50=3+2Frt7{fVs{?laX_8uquk6RNYmK49tA^8s|=Osh<)=FM24Hs9gCg(I4C42KC zh`bN8J19d(z3fe)J0=rtx)Tij6n4t>emLcSjrFC^(%9#{Wg@uA44h5EZ-*bQn!}q> zzdu~5x}Sp5`y}}(T&PDcI}0M8BODNaUEnZMt?<9%XSntK+&r)(1WtpFVl&B0wb|nS zuE$wls|^Wy`bUj`2jOFu(D}{!ho|nuKgK1iN>>6+HFpMRwAEEMky!jTUZSsGKT#fG zEGi9F*!O>v`pmG~$mzB@b;YV(cCawNv|1a~A@ux~c9)_huSa0gFmQz_s9}le;tnvV zsekwEe4J2zYeB;TR3F>GfA8%_I`*rPww~j!xwN30v+|~)FKb~Ex^Eb({CLxZqp4VB zyVvV(U{c6rc~bK~C|ubVHp0N?G#wKqHId(ouA5||abL2+Bi!Z>9yR|cry8ts1Zi-} zFo%vl`6k3IT@IU3eKwh?4mH3tOf)8X!*RFmBggF#!fj@<)Q^|Qdu2)y{VlY)LO#h{ 
zf?2PG;~XfNjTI{x;|wKnCgY5@5}A1JX3==VB;6+;@Q&i{GHPIL^Y;$M`l^(DXYaEx z{T7z<6F8UWJYCCAnVv_yB-r1vZbej9!jnEp6N2SOi)6w2cl!v>e_Ze_|2;4)DDIDF9!;gt?=nMV?1vsoszkK zYQ{_#sq&hkf=9%dZGR`ecNev;*Plv=+s(3GLZ|Ufd5r`WQP(F`AKl7@kx0`NVsLrCy^xG6^#wlPt?#!!5Jd;G85&0bDSp13k5&jyJqo&**hN1DSgD zjKU11yxfYpqwc2AhSxMsMT<38ppV-vU3hrygH*kKSht!~;_K||+qn1eob;sJcw7~i zuvkfU_a-<4$Yvvw%NeXlocMVXb_%9UBWMkH7oG5`*<)(_=6+l%HXMrJBW5P9f4nN$ z`GCP}+2DM)lIHth2!UtI(c)n{Fw4HWnm!r|Qd<1z=v$P;zyt~Uy|c&4`lDBM*)wwd z1JO?B8W*5f{F5P|7XW;}406p?ckNZO|EJ-Yhlv;meT^Nqi5dI{d5!@4b)8y0;L3f9 zwSX#3j*A5}r12}sNM+ejc)(*dH?BbBsp4}* z%yL0U0B1L z)Hg7!8kI7cTYLOE`FtPQo-Uq*e1%Yo2B6drXg~!j z)!fc!2mGNxzDq($3~<=Dx=eE*xkeg5>Ys^_OiZGw;vhS(Pj{6Cu2;XkS^?&`iS;qt z)xtY=a6iq}c!1E|O^wPbkukYG?-`|u>+7bLO{VCKW1U@<d=+S?Wv+G?!1 z6?>O9>M*RLlkq69RWE1NrKy)pX%`g0Ux}+Q6UEtFv+72yvgi$P#k}y49SO6TGsQ_$ zf`!D$catkQ(~7UxON57xmyRXXhe|0*Yc=b^sB72m<^b?FWWX~zGP?Kejo6ZNCGTF7 zjS!?)gn`SI%D3tDj+B?xP@8u@No^Y(N(iXk(m$3O@l@TVOV5Oe?e;b4{G7N~aoFFI zOGWL`fJ<|>NTA>s}?aSFbFqM+k&xJWXK5=l4hOF-K@7yG;AMEfr zN|I=6`A(cuS_A)zEfm0-5I!dz;BEli{RP)j4 zVQ|vkzFJUv-^6vMR~zu4XA!J9)ZADU@n-93QmD#98eu1V$wV%79|~iCQR|AMg*^BC z&i%pm;tpf$;=>mVib9LxU*=nUpQeq>Og(tuh(L{|o@y+Ecm!@=wZNMA6cCc$0i-qo zl!9)+)+zzmt2c%j&9?u1f?$QP~BSIRYD8=0IJww&aw@HX0|325JR}!uTO%G#KfU`ozIlH7cUPhWN)3&@+S@7q9gTd&QrQ@5fh^}&xsE)1D`*4qo*SAVsCiq`qCyIjFu;J}v&OwDAtx&4Q3f*pg2FbL~7;!mwefW*tPGohauloqb#s3hWpKKM1>L zb03nx4Fp{>@=k533P&r`-r-8a>zO<-^H8^!^)Ge<+Xa-~4ZtSnwg4+hNMcuP zee7Orbvh`a8z3b)A-RZ;8#_*lhZe0`$6(+UKXKgJOO7wD1)ZB2`C+bJ_1%r-5}KYz zU+27Bqj+5YSi$jeSD&s58kGaAbfNaq(;>Xu^j&wn7vw#y6}lSVt~Ce>T+^AAt?EE=^8;)ckVuV|-d%)VD6=LAqm^Cy7vWD;uFl^<=lUu2dUS;vGX) z5|W8-B9F7?iYX&R`F0#emQYh<`a>!c6-PH#mRrr=;fN}s7Dq~Fd;(I{do$Ts^7AS@3r%uJmaZN*a6k`O>uUEwd4O0H3Y z>8EtkN1#8LAR#>Woq?MpV&jqNib7fF%6oj?>vkeH-?N8m@@EuL3)pbX3ZEWVuy#qeRhM8TW4gz-bF z{5uKRb>_&QTAq=@{>=xOWJ~wi9Fl*+?)W}+A5fI2+XO9lBp0|-hLj0_1KJYkO$u}o zz+pt=0&oQklrl}pjcsOc6p56m>$<781~ZPF;1+1QJ-Rf&z>BQg`w>efQ#KmSQ-t>i zlZKKVeC!lRz1%F0zpe6ayTX!NeSIUM@ujOIu}@)zox-;!f&5uAO5NNajLiGd4aUbX 
zXo9XJAzNLYXa$3cqi4`r6;%~n+-$0F>P7Y-n@jtkuDzfO)`+QDcark7QJJ$D^eW6z zvsnpd#e>MR8ZQt1S-{feoN>jmV_I#n;d+K}%R$8v3VBe6o%8Lq#t?nNp?h^{&P<&M z0E%pa&gV%r^$FNM;EaqpTn`$e9D#X*sOJ5k`hC#x;$tKZ!XYV$W8Gi4Z9VsAukNi6 z&e(r!-m6D)!EPwmi@dagOsl*ZW3Euvnkn%VD#ZR9i#QdKxNQpIN1vFW8gB($1VE9~ zngzBYh(r(RlBTQRDod67ZfnR1AJ9AL;R%BUnt1Rm? z)hrbN8^OW-K$93Fm9i)HIT6<3^iKCGMg_X8)_x?N!e`Sct#`m)@|!gMA8oxU&?&n0 zX9EC#|GU}ve@ko7d;ty6e>Y$L13mjU*o`jz|LUv#t7Ps?U0UCp^<)T(v0*zM;T$dq z7Y&NpT`&3WOQ-A#ZVosX?Tw;N3q?>P?l%1DJO0-I5$X!~cUC%J=<5UYdfIsbu8O|H zphscrF)9N)O#yI|sGpqihyn_HM&$lgwF_Vz+YE|vBE^ZlE2BJF;x_P*f)wG*_QSxh z-T+_K`mcf$j89I(qJ{_Sjhh?RXey{xS@Ja8K^JKTbWx~GP;bzkBeF#1)US#=Mc$k0 zq{`eiIsXIfFBAjamNzpFV(#^>KcXYwE&BchsDJP~f;4w2!DTm~?WSfX7U}Ycs^@*rGxO{sbR5QwlR<_J}^b z#Zw$?bwu(!S&jFVL#C8qL~_Rg>ce5X1VCg2VRr?K2t+RC9Ej3NR`>+}_IXX!X}q#- zUNhq`#ZesjgwxLbFq9z1t!Y=Vckon2hKk6df9J@%pA2Ro@4NKGroOf zf;SoYn0+8#JAr9kz)zGeoSgTepn$_1V-}#Xc=)h6$dk9x*(v=jb(2`v$urGW^BiCI zmbo2H;Vpo8%Ed1Pe2|Iwcmyf$-o-AI@(;qu+EGc&mbEg|!Z5or%Iu%K4sk#0W-OV; z(#K;~7awQS&~83+L&2kI&MRW)5oOU{5z!@h(~F;rfmDLktZiow+=3B)#7!-t5^A{G z(%=$Hv7?y{<#V|^p`|V}*}p?Cg;N_0Zn-GNq7NP2(LQDgS9|rnb0j0ftYLG4A&sm~ z+0FUm(z8gtE2#DFgj%_E1%Zq{;-0yU$A#~_I7YMabrTC{k}v;opupTyQH)}s|G1>b zXgbo`WF)JH^{3rXM7j{&H^L|s)~r2w$J_d+zx$PvjA3QB#e5yY-Iy#>g966!dnh8r z_Fe*VQjJ1U3mzOM(&;ncSc zf0WT?N{l8$t>pv}m^}Pfc<`)H4|NZyZ71a<<3s{j6bkHZt*WjjC^e)vX%JcI!iPp> z|Iwt?2UFTD3WdgAYIPd&y)2k+lx&S63WA;GSSBJvKSTomP|XwR$e2L zzg7*DtyULj;^{G6iVmtsiTOGYy>-v!n>My_qtUdRuSV;Txhg-)^c~YR@v9#RKZy~? zNGQA&Z=1_5Q#h*cm3lhNIrtOx6aUFMJHex$02aLpPVRCMe!=#`vu}Gx0MYxPL>45*9h^r`=cFREp-I$DIBT?*Z2M|s-Z#S~a?|D`Gr#?_;itEfv0@AqRGBR+hPW9d<%y!%nxGGgP6PxmmaJOupYcC4SN=SI5W>nW^l?VwbF84u8hdPirBE zXIC8s*OgXq2`T@Hj5D41UewP7F7|v-;K>lqCtG6`Y;ZWT`O`^19fl>P^YiX=VMC8c z&o4rh-!C=N6WZSw-(Sf4eyZQGYmaiu2mPsZKmh{2*8*=(foHOGPcI1&QF?8XYNXVM zfzA*BJy-+-dc4&yQmFE(D@U{McYulOMhEySpi#COfId(<0 zw6Dz$T5~Q9C7U{_4%$~n4sIv&h$g%&HnO9tvdN>te}(#L(*BLBk2?~PLmb%B~WPh?~HA=78ER#zM zWqpemUwWA@yl%1COP^!Y1V#y^tXlf6vG;oU4zhn;IZ|8|)E~chFr%A#6~{MLy2J)! 
zjdk1Kwhn*Ic3MPDNp_ktbZ;-RiKv=9Y|I%^KLYubB*@K3nSjZanZ+$u#c#=TJD7^frxrhT*2{U-Al)5vroBTO@;QMbR@*}P`6TvMN>x@)_b0v zdm`2z2_lK2hI^~HeSW#gqon@%*sm-yU4k1|Td1ENg{VqALLoC2BtauK$jjJ%0LaHc zrVex{_wI@56cimI)!((J)rWyL)z;St89s~Wo+SNr37n*(6Knoom%-f;;M2WY=OeaI zN||!tL%xXM9(qalI63HrO>~KiU>MA`PCdPhhJ*$YO+l+!G~*B#6SE%EGoDUB91}?5 zSxwYBt-6{^^!y{gM5QY4eKKj#FKUI+StAJb)ZTMp9H~Y5>Ch-+wT3D+q%~mTwxawlzt!W6z ze+~$rRas?)DtJ4b`_8@#?r3WfbEHS%fL2|f#Kq;MpS!1VyO&=rA zWyJZg5fcUBxSZuc(&P1JO5P1~(qVj?FN<#2lDsZL@6w~yR6#6g3+sTLPrsLjZN4_X zz?Y&+c7>s>Fq@s9O-fq|g!W8r$UH(w?x43QBWa{5fbbcgWEh@K)15!>plTc+@YRe0*uyJl8?KgP3+4-#>FHn% z$1$nhx6?O)u*q$ziNnuOt+x_24-+O6ePsyXtQyX+5pbv0gTRyY>NKlx2#1w8i!ZqU z$xtY8Po{pS!AqB)8SWPe@gh}mOD;6;lB%N4x3K)^z6pf!Ui2m+ zJ__61j=)TShT~q&J%e073cCYG^R)7Jf+?XJBfBIim6qa3WcF7^9*NuB@HgS(D4gOQ zWf3=6_|lx+trb&jqlW$*GEgs;A?eCw&%_g`sBa@^dbb9U_s4h(cwk9jzcjMO{u* z6tQfCxVs9j(5_T)+zyFSDbWPskUUoyZM^%6--gics;2u z!hushY(asxe<%p`!Sfy5?LQMkj)Pt0sxr^&-MHV2dx}Ncvf(|&itJY-Uy3MH(BW=n zg|2s)9Lop?@a0Ztwp&-lNO*pJ0mRy)M~sRwR3izxdY*2&(~!B*mw-BO0}!}@l0~Z( z1SUWi+3>5PZAjh&C-u@vZ87)AjlbZy zUsK+3z7%AVb+m7Lf0NwHvLkM=M;ivb5tPF_2W~6G9nk1 zn1W47**{#kEJ_+~b*(toP{Afq+MBkhlHcF{&K8)NE`{>Tp6r-+GQ<;@ws6_hlEn zIUhqS!9-OcE|;l)^PMjWgY8x&m&BwaxTo)Lb>SJ6XC82P zBOBJYs}Ms~_-tK&x;(lMsicEeej5XkKSDPMnP2HpiGAhmY&&s+qbb&kjO){Fo~e$& zBmNVceqAZCwb_OmzKJ&dH3*2Ba920ehU<3RPx;ZSv7 zwz17!X3el^pS>yV!F4!Vc)xK%y99<^NGuQ=4DM`RPj1`4e-3-)e;wA)st~plMjc*K zz$s1$rv!K1Q0qUKCiifFJOKz*?Y<6~VBk}Rw=f?nYKEo);JgAHcs5YB8Z;S5vJ10Z zf_<1i3SmZ@FX1;OoSc7a(tbxxIXn!k7tizV*v|^)l@Gpu#u7N%E80c^gB+imE^rMk;eZLk_!87t z^ySlzv42u*a61k$5Ly(`q(gp2>+QK5-!+!EL4}z6pn$=H%$b8Da7Oh9HW#5IWtGN5 zWy3AQ1q`l&h)KB&T?FG?QC6-y%0XT{!|SN9x9Z9~dSDcP`+0yXSrcA|Fq;Ile4lij zLT~ec8&0#}{X7`We4ph#ZTrd0`#nMrY*UM3+jyNFK<}e`e;@>3rse ztOknp3c|}7#>|(0yy5&YE_SLwESJk#s6j(sbZ0FTE(EmtRC>dGlfdM+ZUU@;<;622 z9{TN1Ye9Vf&B_2b`KW?)-&m|s7k}<|3aJ&OWaY?;thtD?y_0s`It z6Kxz$0B={koc<1IYyfl`34W9Bo>;BJqB}|4tk9Rs^I-EDR3Yx(gDq9hcOI!K-&cN} zeAGJFpZIWk#+dde7iWK{QkH~yGQYt8hBJo~z%OvkHZs>cEPe*S@|*y4lgj_Zx-mHT 
z9%8-ZI@<}tWUi7*G}mmU&$b||U|i+gK}qUeH*m)(!omqoO_oSdYs)^R$xsBCgM0dA>>N?7x<{csl>!=2N3$ ztO`*1Vu4*}=t3<+dv zNJnPY5e=FG@o`Vj4xitrF;rfx=+7T=^%1*5DIy zkz^hV_;!5PA@TOX!YcZ_=TAllF78hF(i`gth<(G7U;L)>{l3foKjz*#EXpnF z8@3QcDWy{cq(Qnty1S83lt$@hKv7b<8)1N9XauD}X%Hj^q@<)vB>Gz|nI&dYs`Ft*fb%1Ouk+o*qm@I!hP(z4hxc$7j?JTeF!r)-2SfW{TlBg z#`a)BmQt$Re&E{Y`>Yw|b0QTAx0kr|_x-sp1W*zt@^Q!l@S5z948w^e(Q-%fHQ_`A zpCX|Qt*Dz`GiLx)I5g3qN!5n`AI&q1XopckUr9$A>p#%5aF1hE%dO?fzRnvm@5zo* zOY~^FztKh3#~_eXYIX#Wi~rh&bK6rLKF3!f(&78`n{A$oP-)D1ib=r_Xwz%G;3#-R zoPz7M4&96cmrlgibQmGmA6nHvEEwa6n+81jiqp*Q~uJ zn)o3GI(laXpZbKBbxv6*MlM%bZ=FRvQ84D3;(U`k7PsYu!&aL^d>8Z^=D^{i?wS@i zqEeM~JDcj)iatv|NUI?k#Bnec2?;WYwEuRT^{=r32#(klJ8%-tOkgG!QV2x1xnSE< z$Y3f6@--UG@aZ6O;xO20es-z*+~n1ZgEnoELWLmk;nUj^=J#P!FWR$r zJ``VBDN9(sEGxct38ZYE6-y2Y^laf?w~IGfi6m*jrru`4D*_GiiBfW$nSnc&Xk=H{ zzXbZf9qEjUKOW9XXbQ+p*Gwjjv};jloznP__eBtvjaS0L@~klQCXpKpXHlf_z_~b9 zmhwVVjaw`^8%qpO&NL4Pb?=G|d#~1$vGf*JkFxK# zxALPR&nMg=dZzRCex5}pXm%1xeRiEwmcr5aiJgAI9MMMu?u@pUtkk(?zeTzdrM|0| znyM~cT2u>^kD664o6)&gW!Vq=KowBPF1K8|4LwJv1jAtBW7pGI#4a0FlnKE}F!D*7d0EDbTn<0rv z<3zdyen?T8;1Pf`>chGf|GXQs8`(;T0$1c7-=((|qKF&82! 
zEbr(1D45M+wT)-}F;fEsn{rKMZF}3L0ldW%0cJeBHajp7Hhh5NJijcgb(}C%GDk4s z&cWr>vi>G&ai=)P__Lha`P?u3wM?jrGK^b06G`)m;fi5wqtvM_?X`y z6VjJd7HUg{-tE3j?%|}7P3{)?`hslX{%7}D3p^!?_ecZwc0k48X{TcU?)k3@_7t&Y zuJ-8MJgM=cy}RrJCUlr-#%eY`H@SEvxb=HXiMv!PZMU6$`Y7)+Y%-YKVoitX>Ol;9bEK{{>OZNf23Yf_kcPMj*WhKM)9K*ET5SM#oO7-P18bHtj`* zcr+Mc+hYJX>htF>?evd38qlPfLclPvt3~PkNpujgpgA_u7Zii0#OJxt>3RZ&u`g}t zX0vxY-mb}YxUATkC0s+u!D=fyy>Du3;kb932EPT@LVdzgn7ULj#)4Mi&2y{30g}8C z$4kGMx$0L=(UM$m73l)05bjIsD>T@#IIWpBZczUqiu~&bhKS(ig`oT3!Uc$1=aw5H zTMV0k7DX|cz6I@6wM$tB4u;`zbtZBn&UN&M89ubR zmR|EY7T$To7_3&@5Mj5vl|U}KoHp>$r$2H2&5#-YPw)Q2r>zJgbY=OcsV@?0h{S53g=r20Yi{=K+M|E)#Q6 zo^ZKgixDG?Rd`9hgj7h^!@UlxdGMPr!k_Tgp#-sM_JcKK2IZeUhGz>8LimFtCadsj z1RO8dWdA+f3oq^($c)DFLpak{fcv_{g}&u!w4&AxN3<@0_mIPH>(?X6`fG+6>4T_K z!j$_q9jDf_689aP3;2on?90mLdrGvW0eJGb#vgwIfQBrK{!~-`XG`&CJIntv@%{g) zC9~fbBr`xCM#>TZuPU(-zJCGuIDhK-$zyYR0ICgucYp6EP{rS!YVhT&0nay3OyInh&frcCTpevGdNl*nkC)jwo^KaFnoc!_ zq81|t$yu~&DLeoen=alzMyH*2DgQ_bK)AtNOdN@Kk3Hj(3H%=FOFakx-Y>9U@`rjY z7DPG&fO+DipUq=2y9L~NB%;>U%Q!C{3fvKFXr>Ww1dYF~#HJ3Q+oYL6lg*Y; zyP+OgyJ!v9t~;`(*D_QzSIWOInL=0^)a%4sb!lbby(OBveA3{xU#>R*WI@`tD*#)- z=bp>gDa7dZ`>z5JU^U|lg{ATlm`bz;K73Y)`N$MY8wr`JWgugEL*AFBImbdS*ja7l<&dS2gmY(^`XQkk+bq%0ps^C5U?wBw*z!S3CB#AgWNN> zrA}~en6q~#qz?p*FJ$(9t;HnLZl>NY)W}zV&&IwdwW?q$Pt;6m-Q<{*im^{En}5R2 zIfCaO^$ELJ78_O=`-?U6qqEsR-yejO9LkFXJSR=bal&DD+oM6Vaz(pQk86BDg`&Or zmjpOC93nApe}zlj1ABL;*Kb`Q!k-zISDYER@(c|jdcMfsHYf0kgm{(M@ZCGx!(tXC zi@eEh1wq(x&*i0F=a|1UWqP_b(#}d%3Qkg6?h|1%`ctP{+M#}W9Kmh5J>zrFD!u^J zT_HNEq5dRaAJ@T5iIbr1Cl`DI67aYjKQeO3SxShS%n#6tLgTAHQju zl*%~CxwMt-FOGebxu^HGoeE#IgrLa>S`Zz8qY*wiM22aUXx zg2)zA{nKE;g>G!QSL*Kri|1M*@TBDhdOaoLaW4fcDWv7>RnlU-c>T;ZW#2lGKKzY@ z|Du9|+0^IQ!g3~}LADE%a(1<7Gs-1iGuK~dXxx2={s0ZVqQkCv+J_q}6SKYa+z?(6 z3e?9mComAF6`PHeBlE`NTxGmWGE0KExKZPQy$=EV(`f)KE^#K zx)n8N75Jwci4QvA@{@NTO@KB?U)oz2eV&fGKADTThK!YBRio%e#$OY4q-ij^NhIWN z^v+P%>DER8KV|q0+JN>}78=Cc-YG{jFqqYO*gHGVb|Yz!B<{W{Lfo>7#ZDB3AmT%& zG5+$BTDG@x?JAtUxt4S z+T#329y`k1DHy)2!Qy$MU73K{&_3wf#@oO9wX!*6 
zV)!OnDHlsl_*MMz8_Um(o8OI?Mp5EMvoO2Q?OWm&I_2NmAWp$~BfsZ}lAU>jDwNWg z7lYaiqgfS3rUn;m%}VFH75y=&y{G${seJNB6}F22#yjn{C813Y-8r8Hed?dVJGBIQ61mo$@yVRq?? zG)q}kEa;ICsap#>>0xM~iFuaLqs;a~i}^J){8s}gRfUL=%1(;@ zRgyHrYmF~Sjse)|kUUMbD~6TztM$@KIloGLz%3sEw>)?k!sCS-LoB2mJ=cx|C2W_b zg})KS@URejW*H5Oj5k=)$9R@V|4|Er$e_sL8QW$XC_!{9e=QL)PTY+7FT>?8Y=upK z04wv*r?}6wJ0mbmC#Y|VT`tYz79tr}J&jph+2le?CsDp7WP@NaT?3)}Cnn(%3+rFC z5`>n4K-8C+R<#f|BtFyc+VE4rdW-g@B_f&&B6rP#6Quw2tly2HGsum9mA?I7sm%-E z$u-f9HPO|YSXw?v9j*NS?xC_EN6jXQwdvak0BBPlhFr}#Z@QDiyfClXh@wsDD3O%I z^RwONhq5V!kH+zo#vkPjfvAom%eX;Nh}ZmRt0CWE-v`zj*M)oC^|q7ux`jNx-2<-x z|BhbSkn>iYB-nU8oH%a%F4$iGl6|x-H#sOt6&QU60LBVS=&)_j`RkXk+urHW5*P|P?qILjJ42{ph#OegV>;b_@$AB(lX@4*yk8Rb6VTVg}9cW}@D60mGe*Q zOj-~0^S=8g<3aHll$HYHEGVQM2|*2!I#DYrx)L7hg*7{^yfS>U#c|j> zqfG04caJ0S=s}7GApCJhUJ+OUS%Qmi6b})@Tfl))FL{>WJQMEI{fmPWyn88wty1*| zAgJXzh$IhFo^s~N@ZJX4kLzy0X*m-SS2hcPU5czS1!f<}1y>^5%&UXx_wB@xm5@a0 zD+#jBhr{9ss&D=q@S_7P;qQW{L}~;?;)f%j?qW#caTF58zJ^X~!>(ZsIyr9>*z}i= zlZzaEN>I0{bK2NSS_n~xF`pjMzQn$5V;-$k7`X>P!~E-r*kM@6L|BFUL0yZPwKPax zBfANJ0V_5KIuAgy)%}`ES{WIz#yUYt+wJl3%40@Ym@1(=m_D`xGGs=|I30^n@eN{C zw;tOXHE~fv4VlO}N3k3H8hsiB$0}Z%@7_m<`|m;9)0B>%ZkTZ**FGbd?7qqTFXD{? 
zl&;QQ0h?N(&~d@dw`bSoWMS)`S;g|C;cSeyQ7Jp3wR!7rA zvNP@%#&IErje9O{^C;E18~6Vt@8wZ`2#C#l8coOXHyAzSc+4)moZD+`h7 zzI*}l8Wfr}qFqAirF>>B8jxTOx<8o2)Jb;5_dZ{xV)Z^CL>_uOh01ZTskaX8fYCk{ z#^1*scOq$ZDpy2a3WV@<*BrIL5wvxi1}D`yml*&e5d7+M6Q#7jCT{^q=SVmO7-yL* zZ2F-PkOO$A%~A~@pwF2Zb6aI;>-^*GYxhS2^|GG9F~H57Y8Iam-a-HS{U>CpRlkU$ zlb4^)E`RJP>IIUe+sqlciQAG8t@p1are(?>@v^T6lXE7y7bFY2gGrGJc8>9UkZWWh zu>@S}mR1i%p|kMI&y9RQW*|<*$K@L^8&FUV88kc`Z}z$J0c&fL{5_b&2}U$%uy2p3 zJ!CPT-fE@;$Lk9`Q}+O@1-?10rLD!lhMYlyLwat!vncp6LBW|+1P#?7HNau1U_f}* zSWbDgBw1qfMVcF=K^|4L8v%fS%of1&;E6alieC~(@7ra>Acxf_D=lcD0{|$+eSLsX zG-$itr_```5rQ7C)z9H30MTqc4Y&XPqKP}>yYEAcA6|%@dVd~t=kPEuRQ4x9%gat= z6V@*&6rH90exu?~h@ctoUOl928|Z$G47LN_|LMRVvg)1PYTZ+?4AcIa{P%>?NM0`^@L?ovv7RNviCcjzzlr3SP3rx4Ye{pErPi1R zl<{6K~5sU-_V}r9kM9bni`2 zt8j&l3m%UwK#U+WpGMaxWs47&xZFEzTw4bLAikQ1Y@O>2-5#h#g-s1R%nwVHWk|8f zCb*A8_rpAEU8z+H!nqY&BNjjDvKtk}Xy|u7O#Bb-3Q(nRk&?}1%RTUPx-Y|RV2q- zpxgmOMd#{@gvI8-%F`>h#Ov(WgF>$=e}bAC6{RT zQ^|Qf2EA^Bb0u{kjSkRF)ol2nM`8FNP_VovR}-?*M*cD?o>j+;Ec`m3J^+4%Z) z@!=NHI7kr$c8^9rh@wsaC8NsB^=hy%O!0_Ey!;QMN(v2~9>ZzP`I~D5AbpNUb)Ac+ z!(PFtjsd@?_<6z$drq^q+gwR?1`DwPibG{Z(Z;mzhHr zW@dVZm;W0V;wKAk&mj-Ks%6?~@%zHqo5unPyT#1OLM~q5{OfHu=fLJfAMC{NLu&kP z$=+=Qd{7S#!x2vwf#Ke?7?u6?I|er&j#%%D_hNtcJF;=5Y_Mj$$MO|$0K{7lEgA{_F)BQJt$Us zjp7?D<^$qSFszo9S}@@z^*~aTfTX@MJ#Eo-?%n1{jHV@rSE%@>2mN=jpVbwxTAB09WAQ`OJnC(V zI~VVP1p7FC^`raia`vLrvOGd8sIONgi2bj|x|{jD?o_|{WzL-)P_C4y5BpMLWI%~p zqS!QnZcZx4K5kgiyNIc5s_QHjY0FSAO*^h?_i#(EzM_0AC={x`H5#)Sz_d zvStRL9IJDg?Y^3%8Va)MAmPZYO0*j+jj>)CQ@f-Wz@C)mKtsA`xRdljk0_JAL4Hd= zru?++dr;*e>@}6q@mkQ%K`3F1zUJu#h^bbSPF9ok=oY^6Nfs359~FXJSGQ7h0@0s| zIE*CX76JE2l$S%=qKV}sGDb*e#T3l!-2N^otjO;k>ZNs@!G7Ya1i^2&@Vn0;xvQj2 z;-2Aj^-hkmh(^*|n()0g1%Ua~1fRZ*q)T~!Gr$gIQj&D%#m%J3-Q<-Ltxc&5{V$Dx zobIUS=4lL~sX##Z#d3N1Weo95A=e@EO1a*T5ms9wdyj@v|IUaS2zk8&>RMxi*pTER zv-Kh9B`gnp2I}tSSGIcf26_ZX`qDQvmgZez2ntN^jgS;kFRB>F1tA*G19Sqz0m`Dq zivH2X<+JHvzw5@t1yNX0Z7Yuf7&alt)|l4bYFwVzNxK$g-n9 
z;>&q37Fe4GnV52a^S1{+5l~kHh(A3MOzR0EpJ+W^u@LGobCL+-Iub1TtNZ*G5fcm0iQoAbBgW!U`2yRuz4rD<3H7`y50WDdP3rV z*dy5oWiH6i{|W;BL5%|dIq>;k6+D0VoKpa@v#S6QypgW@Z}tfSq6X_GPg}h4XYt?S zNWq8vxzT?vZ)h6K9{wW<9PyE}ksQAvhn#~TGB=2$L=+H{O5%V4Li2yNT0TYt6?uj; z)(w6IB4b9tV*~;p@4y|)Q~&^TIUt9facElyvyq(vTK(I2;#UV1m^#R@;_F|lL8TB7 zw~XBGVIUX`(gQHQ%ch1Bz{cbI^L9CC9QM^f(xKMXb{^?-(P-I&Xgs7pPOB_LaD`V; zD)l}9iU4K)AgoPw0aCaFs$bcVgS~k=POj@kJi57mt+CL}(HRFZ50Z4`#CuPgW(F!P zIfF*n8>P(FklnDs8T5;EGVDB-oSGNBFAWh!{h6{U^kD4-KxcxY9MD8+7x9?z@l1?r zNL_<+;b%aQh#4-YEA7i}?~u5`%~G#)$k^p9F)tkTsNj=SKYAAvs)Rw+u}cCu@NAlK z8`y+cwy{L+-+!Im#OSt@>sO=DzJ(pYmBH3>=~NgkE!CS(2yz@BMm(HwUmp#=MZczK zI>)`wrCEY)l52q~WwxTCK3&S2raU$Aw=SFvGu>*Skn9Tyl>X zCVMj$Djn`D!|t^2hz5@5nm3sDuB%m)mv@o@nQCM7uR9vC9^X5)Ky?jbPTLQYdX<2Q zPnYLe1xSD#8l9IJ@9Fx;$NlkjP^=o=TGyiP)Qi3NpsMq^d^+WGH7VN8XV+qYC{BrP z8K!GWBtKsr{elYtVOGk$GxE9O!5V8E>Y%*XQN#_d+wMx5yw%pg^94%)yyVJH&+421AQx8mt z<;Tka<_Wk7W}up`FJp#r6I8YJ&f5Y&T|vgA;76wZU=gB?TQ7G4EHbpF_D#t3@3L{J zChG-tK{w?hubEf~!V##TW|RMJWQhCa}%k@ITHEtTbI=Em3G&Q1hob+6$^ z|%9F$Cx*~@~!KJLj)t|>_EaB$7LQ@A!{NN9=2>LGp88;sLrNf`8 zC_Md;u4qWFQeLChUWja1R5W0}Ev}$#cMR3UI-~i&xi19;_*#D>c>*t0`_VF{^oR)R zJ!W=o#!e`3CRn$h%XE04X9RLLwpVTMcmQ{4wY`PPA}jf^;MB)?5R|9zMW0HPaVj&go5JEG-q>9d(=h!ak1Kr@*1| z>thd);XmMM8bj5PC`19-ekpaSG@D86-3x$gw#~_9_Y^PnPkbMcre+wR-ttZ2S?=XV zhBW}=Md^a_^5_J}2KE&?Xu5C(@r`g*ne$L{zhRAMaytN!ddAG+6*!c*0Xzt|+&I;8 zu3J=PGh2qa(!24tsNj!Dv`qaqL-C0Sm_wm!*9b`;>v>QxPZyd_rDCX(-5B<4Ay#21 zAS5^SN4DrpP?8`gU};&4j3A$cGebOY)2(Qskh>HOhtCYwF7xu078A zBx(@)xS?JOih`kstm#h+HI!fN_fdnIME}CAUCI*SXY#KU=kU2|EZwgWqh1#_<%JYn zX5WUd$TT zlULpIx$Li=W-?gFD9{ocgp~&7=j|k6U&JZn_xxhr;Nu?IEcJT$aM2)z&5(~o1~FNd zY0|{@%yD6>^D1!*%!P}>-Si1Rv*p0^Q-$$I0m=ci+%Bm51WjDzgyfVguQ8IsYS?ol zVB8hUXwATql!_eer=e!0cntbzkPzjve_22117J=W9YPW0i52mX9=THdH8&~R+p;${ zYAhq0R*a*F4T-cN*>=2;Mb(80+@w9RClSI19zd*eg{&n}ow!afZ>I8nI~;CdwGZ#7 zeL!FLW`&mC)uhOpX;>{9GBwvVb8@np()9#ab||az>JuN2N%9Jm9T_U;#_L_hB<%-= z#m4WAnK((TIMKG?C&kt05g{dGoGoMAW#^yUd5g(d&#BNJdi6$ZKMV?5>dc>CP^G`M 
z5yC_Dy04=X7)95d-)tDAyF(Jbgyf?4oZGODWY4jL%B2xUa$j*${q9+klzGIU6B5Dg zQmwJ$C`iakS=Mm1G$&gd@s!fcp6T84P~d)gJnDTy@z&q4-p#7K?XdeK zW;~gMdCnWl>wT^muXM+KBUxrcVN+{dJvq%X8RF-PWr9h!sM3Y0l876>q0^^xyCuge z3Ux__xP3Ps9GNlDk5bJD#1&;y#?p@Rzcj*r#eCN)cdo??`wH>^5hyN-WmR9#LtomD*%Y59| z1w=*u&Yd=<=IUG@46dT2m!V>sTAIm+d|HgypVHbua?M|%Rhj3_SoC*yGywfrf8My zbm@^DUeofuN_#SIkPcp0G^rk`BL%zGoG8r5^j1uKIw>SKSJjt3xz5Vq%N<<=4(oIfw3Fx0V4w~u`K1!e67IF$UjOz4~;+~D6Ag|nXx#ge{r{0Sm zA2b-&tBV@7(Af~uf6!PGjZy7fp-enxLw)=lm}_a@4~s z49be7&yN}yYm|v`5ph^FWjOK}5!o-Usf%OC8M91{;`d!4m>B2ht#_2xgygOi1chxX z8f^jDgU;*ncov8wo+sp_($l!K+bLfDeO)hkK7ApGX3#hEa^2}*wsSIR49TN?k|>NO$)&j=bT z^TbGsNJC2uLuwTrv)*(eh`AMPQU!{9cTU_+;p>Y`Ya?Sqq9!}MDMo1>MAA1Y6!KZs z<3wLiy^rj3CkWCuqH(Fd5Dklm&)6*?ls;w1w)Pms_S!LC6OcD~lk>{ed(AR%O|0+1 z;CXG)2j~HfFM9~C{P7N?Xo2h5%{r#rW$47vZ@k=e?{UPC35nzW=O>$zNx1h z2{Pe*yyo@9LcQBCz5~6^_2KGLAP1ouD@|ps)1<3rW0C566B8sUoinMOZ9f<0j%qqr zOMi7GaSKv?%3YaXK7fw>I-%_kK6 z>aypTMoCwF+RRe2iyRdEZ*}UDv2ax}!SnI)aMxH3(vGiRq_BiY^QST}7Sz+fP-0CM zeu}BG9U41o0vO+%?}x0*@-9qcw=8kWXz+S_X>DVp@s1o|R&7*6!(FDS8kq;CvTnK& zI5*VfQ@IZ%)50B+{bug8uU`ZL%7Cu>oQ#}b%?;1L!yJx4Z zyRx-oMlKG(lmtnFiCv-M+*# zr{WiBwy22Y|mspXwpbvb?;26-!iGHmo*E$)pn zYL8xqLVaEmHKX}|)aVEsx*&(jAyTuWygFe(c3AE=lB*m;hHVr(a~}nbY&>IdFH6A9 z^o0@?@-W|#F@ux*TWd9FmH<*wpL9=W7MFZ{ggH47gMm7K9Cx7sy%UlL=ro~0bQr+p zl?kUF&+IOxl^>@L>2R}NZDubdv=t_l9oQTWa}(by)WmF*L5Uk6eBQg2QYu4E=6_j! 
zFSu}GH1Hz3W44-ClZv|CD=B)d%~`dg^tW7M)2HGJh~^C`%wIT5^;1$o-t>C`&W{-5 z_OH5iB;VB3%}Z)JenFbZ`!h~tMOJ=dOf-_vw`pj0>pHwf9kHrVpqu2^{W&fN2e z{v5(>^wK^xg%v#$EFHD?CKys=k8irawq%NwZcTsxWN@gg9dWv*>q-=2t2jTz^(s49 zMH%Ut8nR+AdV)_p5^r_*DG(_w6KeS=JKtmgUiI*VW)_GGq)Lq(?9NoSpjsXJM(|il zp`~-5>W9fKpn-nqPV)&oB_jf-^_G#1{nYH6A6dr&vm(&acdq_XPOMe~>!K;_o&YVz zxX2vdSPF{ROZwjr?A8nHT+o|vb}4!6!J_YeI5QxB(O;igfd2aJlXJ2xK9u1fAPr?6bpRgS*}GRfn~pY zUf1)7Hfod;syN;D%(xAU;sxM%@1jnI;)6H*ur6Q&ePgSo+D{C2=L8()`V`+}K8Ae) ziWM46IO|xAK3`bi$_f;OISgnWUQ-2^vZusrTVvz=J$ukxVa=US;FSb6`Eb>Fon-9~ z%N}CGWwHb5WH^bZn?VZ6U(N%m!aC;OuP4a!z;uQO55oqSXs}?c-?8!1k|5A3C`!L8 zOc@r^jh~Vw3=I|WQkw>B@&TzF^9#6-NhekUdMy5Ezw}xRIBGVi=^9SFxR#Ew8?50K}Zf?59dA#*SAz=}Kvt&c1st)xD6Dg~r)ge@lXnX{kk^(rFx_eIp&B zwHlkr(e|(+od}qN_`E{yH6_ZFGzL0lFLW+}TW8YiSB6Q^^38i)<>6{toV~U?4Feik zLj^2)e3-GE^i_ejHaDrQ+ujs-d+%4Dx2Z-|)1iQnIn#77W%PsFRg5hxsRU+jy%Vbi z&)cBNt7Qr3+fvPZ7R~UC?gn$M8l@{vS3LRQLL$nEWH|gGNL%kWqpsKDP5-XsUO8XFuAkR+Lel`PK3>#bHyQK|haC6TxauTwgiG z$Jbd=qGkcB(<+2L{6rgEkaX2~*{}LkoT^AA@>D<%Fw2kI@l$V)3F#Y72msS5-VvB& zA2GcctVn2*D?Ud?v3PE##EpeqA)MVJ!!m4|5|UzNy`u35x1Ug!i3=aD((U+lL@wUN za18G7PBYCWvYP_Wv#bIzJOV6oVJNz z&%7rJq{>IPKXgZ_{*zDtt;{BhHwfn?$Kr zgxPq1`|#P5Oe<9+SgeRnLsWpj-mz7n?~~55|2{Khn&0iPcAj{EJa13RLPPpR%kScF zp-gXoeiW;Q+j4VqcXx(13NVbs*CytowUp|&83j{cD#uV<9Nz&(?Z8$_GY;mrRDaST z;Zp5C0zL49&a=5HYVke=4#mA6_VOal=hIBYk()s@+`XRl(Hgz0k zEMvj;BRk6AH=!dhdh&k=s9ztdlm|rR%VLHlASE=!#(IGWRJQ;=a}Vi{@BiYEfm`k9 z;(=cD$PHq1vLK#&NJ6~%@?&`RTm!h};ElxayC9o#W!atM(9Bb`|;eX;q6Ok=}^M^4(RS2r8i? 
zF`wSv6r=p3I(F3aMY!zaDH}3p-NDn)bZH(saEKJG?^bhjgD9gwf);Y_WU1-$X*z!c zZyQq8;a1WKmV@I`HO#7VYvR4S=4@Fes|j&G7h1M4IaIxqvCdd8y}h;{-`3|cpJH8HO*>2|L}A87k%`~hhFYCssDI?9rc(M?f3l(UHi0}tCN$Ap^*z5`Y}UL z+;vMqo?Wgd*jk|%nPQTzaODDasceRfrD8F4xIuB<`Wa0##c=$N@tVu;Td@jOd>Hnw zB`_-g*qujPPdZpR!%_3ucZd}bo7bqH$QBrEmnTXCV{Z&hv7jk)xrae zOk$cb2oqWtBFeJKKTB^$t2ZTIEIOAM9w)lH^)DVUFopG_B~4%1EDS$-uOW(--uvTs zl?IppWC#PL^M4j~s(_;W?*#Ba4fSMn?NvpMAZs3_n;D~!-SYICX_Khqs z$%zefliMyD8cxV>KPxP>&QaZz+x{wlL!Wf|I@0m^#YI{u>zj7p3_L>WiQH_yl?zT9 zzz1+ZeeCr88*l-bw_>FDAV}+O6)EB&_WPXg=lYuK(EsQ`omy;3mz#jMt7#Aj)Pmy6 zOO$!G`zu#R91oDwbbJ;J8OS)4yIzf`>u+9ld+AS5f3h7Kt+mQPF!u63hO+cs4?dU2 zlIIy(vzNa+_b=c`U8mK)>||H0hkL_cweQkH>8UUD@BG^i?5kZ0ifcST?KX(i{lXtW z19EmQj*9GKD@kL}ySZYc;q_f{qjc!eQvS3BAHz)fn1)nHQHBu1ni6ibL;bf?P9O?K z@L3+ExuPhuu3`4W2dornkFxi)8Ug2r*b#)DeGH}3npz6NO7hGj(;%K~`@TQJpxQul z_6nBLsvK{?ehrnAYW2m>5RKxumgr9gUHhM4DOIafyTkK$9R{_8rPHXjt1;!H2ZS)A ztE6?)7z8Tk7o2Hbo}$~8dHf6u{mbK7TpYVBQJ6P;J$-J2&SJa&gE#eTn52|abxj?u zhKgpbF~O3+!n*Dts(e(m++;x@32a-hI2Lg9*ZC5^=-}l!p+iKnH(LlCH;alJE$TsW+m+uNi${q<;9xXTBlc~ zswOCT#N5dr#moIQw%e0E9*s=TS`S;;?daKIS`E&lp0K8-beIpqTr4Gzjio;d-X5}G z220)CQAyP|L6z@S^*v-|!95>|9zkofR{LN69p|S-l6}FV7FNAuhoc#nia2FMM{EJj z_yawLY9VDB3^MAaye)%yGfBGgl0wYbO1Q1Z@~dG&FC(Ves94k!8v`9Dej7~;EWO!< zS(!L!b>{t)mR?DC;&iZsj#?yIfHN2|w=p#%k<|GkeIsV!+f;GXkLL``sLYY&2#DvA-O@|hV7u*l-Ula+06~nU-g!A zYxo#dv%7UTX+j1-eYKNYMpE>W_W)Dj_4(a^)9mDkCAahzJ{Te$JSQ>J?UE^DMvk|_ zmz(<_$H3%d5pLjZY^m{*hfi3!(Ecz*N?KN6J7SAGCKpYGa)Wos`(y1-G5%}ftzfI^ z$;DgRg5#`ajF7EGNo6-Er`KNh+$0|Q6OBw`jer!(sC!H?W2tM#CkxLzx z5(naAKeK)XNEK4)$RQn4X$Cu2wAE`i^thMT4!piyjsCIb`?s&E1Y#Qck1HGRGPJVP z__XImX@okz2tV=Jnx|sHGNei7esvb6`b9hI>E<!ThS!m6w5UJeFY(;81$nGqZSrLLx=?Z%0y#j@ zx9UIQYMp5f1P*Ur;;IKMS^pLBOdnqaZaeT0tw-)D0+-b9iqllmTHSbfpHkf5cl|mb zwH{P>y3dM(ScMtLqJKch!a4oG-BW|S0^V*vubp+G3~6JLAg?;9|Bn|oA_L@iyXidH zw5w&5R1$1(@NZ!M)0w!*3v0 zVM$z&RXzG3tE*{I{qn4A%zFwkh7`TMaK|05E;)YL=@LYo@+!F8N$GH5vAy%}7n8)! 
zPB7(1?(zOHZk>+m>ZQ%(3unnj^>!w!`4>MU+<;|JP~7gwxv{Cv#_zFu1wHNAeod_th|Q(*&wYxI)HfJbfvQm2^S1*o z=hxQ!)T_09*hl8;7KK)>TAQq!Gf7SS^vi%j8oIN*Ftw9Qb!LfVamSOb8pp`Im+U+z z3!GPh<=~u{c-cF(Bl#qd{%(k6ucPOPYsW|&?9SXI=lrZQ1(7oI&TP87G~1gxxxWt* zY2QBGgD%^6U17;hxu2?j#%7Lsi|2(E%0};@x_=ymR_B2@+ZMIAT+$U-QKX|rW2i3a z-sjQ@5KZgY2&~plz7o{?UiBNe)D5U|(oC3%K2CmE#v6 z1PztTcr85r+4(vb`dV-8p;?CA603~wT)2J@>_VbRh&rNd9Tpq!K}Y;BO3!)#-prPo zUp``~@xWnH&ys&N` z?rJwOg|A2~@QD~TKwX9AjSRhV3K%3(r=NX)z(Z+`W?_EaY_Q`toL%wts_3(i0W}GoR3OERFHPi(jQ=QJQmJv5H9#gv90w z(~#b$53DzK3SQ&ykjp4)45^HkW*fJ7M8Z!EnNAEPp@|vD5F=-5t`W=SFU5SxQGvZ0 z*@6#?$~o8X`AxKrp_dZ{wp}+dmJ=uhPYYtkv#>by}Jm)3o zkmU38(CvhhF9_AHQ9vs0e9P6S_1rMZWXAY(JS0&eTzuhi1fAMyc{yg8#dZ@$?` z6r6Tx8rAB-OS5FPRXwpUgt>}8qn4Bjq`z3oc}kauE!+RWqgUS=E<+qSH+!GUJ(R`6 zl~|dOlsIzVGEe0Z8yRgkvns82HCFxyxx5#`xln$0ez#!s-2M0ph+Sr*Nt|3?Nnb=T z71d`J_!zD1cwyrLAe6TW104+Ob>NN8^RbcUQRpKxVul|{#EeS4&t^qB@EK4*-QBF=v9<9~p9f znyR{MEa{|G<8ktR1iG5$H7xA;y>4i0yVDH)EPmHp6mAd$l$mo%gQIQr)k*~JawN;O z<8D@-5!@b*`T{l{xd#}*a<||HV_Z*%oa!`#cJ#TaGDy$6727kk>@}7KP|5}cJ0INs zNQ5cFYo{elM&qK}7Y(7?m|+k|!iACzu%(3}%`ziw5RSFjM-hf^uxhJSV=0XbZ^`7U zc*ano>eva>jr-OJat2lnF}=Mt+CvGyZ#1eloUnPHehyEKi{0wl((J{^^1Sdgz4Rdu z)zCTy+)XvjkglDfxGWK(E(7lZ__+Gt8saqW@N`cdx%Jyaa}INB-s3|euIiUOX`16- z{t)q7jE-)_&Nd*V;nzHOpDaPx0rfo!qkdommkO&Lw}-b6CtIL%t|5c8Xo#CBy^jOl zvE(I*Z>#Sc?rP)RBn=O1O41mjc*`!o2aStSZsqH$jM`Rrvya)tsS?b6cu59az#52X zCjEiNwZ)k&Hz%P3nj&RY3R1Gh1@jX zjae;C=T^@!#P0%SZ+*X*=a}BKc+p${#Q#r&4)G#Y$8&L$8T`>MMjHa3q0=Y&2eYMJ zuoN`WPD4trbrnh=xKtP(cMa~oh`GZM zIP%z2X3B-mVfU(9*?hY{`*4>~@QMWQ_ zlx1AC>pXH1O*xj0O6Q5g{Ab!!#npn@^CZ*kI+|sz;18Sb?Mc)~$GvnuTC}i~E9@4m z+?lQK@T7J#Qf!je%z0&5cEGzEz$ffe3*BX0{x9N;%yd33l%Ab0?Uaa-GuZ(-D^7i{M zGtCe#;Yzo8T5l3IU#nNSALdJWWKPL;q2ZG%>j9Zz73d7NHlq42n(w*BApI1bC6DcM zvgfSoHCeUHQOzE-v4x9YUSnX!apijQ;jT1qr)OlVkl zh(7#m036F)+cu6sPr2YG*%2D{+4sm&<4LC@;5`x zmsLySsv%k3!PN1M)_?*tkB3i&lep9PTsL=GQPZO620m!}_mY#6li3I#Z2BLNlu)7C ztgX~`ZCt`6)J$PME8Or(sS%{rRPxFu=st9B8~o(({Ee7dsnI6hoW>&+&lkQAxflY` 
za}CLAtTdAviq$n&ElX?&S1BI{)y|V?+PXPR(vIjl*rU#vCf^z>oZ7o-Zgk5yTH>J= z`8}^aN58_fj;Orku%21fGuO%d#fV3ICR#e5{Fw#t)3PebNZi~Qm~s&j`t<3b{`l>- zb$5hS8o~Ek##_z3>)ywlyS;_NNj77U@5gHgVQKu02oXbxgO|@6rIk}F4RQ_#lge+| z9GZB{4~TqU*ijuA_Bkz9Gl!6c8Gdne$56~@xl?Jsn&!SYKuBM@0qdZ)a1kHm)E$W? zaqG*8Q0^yi>d#RUL3z<*opqH4B#KAjKS~nkl&4f9u(XQ^Q9ww*&|3%rLJPTbqWc*3?)uzc_qp>cXC~*Iug^E%ypxn` zh4ALt3T5xv@uYzx3ui+T=|&&O>-!w6+No7a{dn3(?+7&bbFJA}R)tSDIw)qoDb|+E z^Pc;_ui*D4DZUFVGGisChQNAKSlt6j7tbv-n0G(YQZy zUub)ugKGB9Te3c6l9Jx*vxx&t+s+e@F83dKZwjZU1UI2j=E$FdwQySYf44+29Ew$c z4tzF*HE2>2H#FG(k+_)OweAsI7MD@?M|uwd^1iacF<~qM`)-K!J~FTVoSqF^=fD0% z1Q1S-W7)7N+w>tZDcfGpT>bC9{WUjbFM1IE9=%bIt6gG&M8<8msCG@u_+ zvNByuAvYwDSxDNXmCvNdvFl2fW>?eT^WS}Ifd&aVY7D_eCX?shKjuQC^q1>wgLW|B ziAE}V**#i%%W@p}kFSJo(mHXylG#7QtAWv5qeQn7bjei=U(0AJ)d!i^JGQ%hUZ$~$ z-@b_pb@+3bU{{_UWp1r*=`#hmO7^OK6#bI0a`<)beSK%VO)G3u*-$eLQW3nLuSoL&TOpA2dW9G=}}pQNksWa`+ZR);c3 zHK_&U_F|$8FZ^qG;c!fjTvFXZMVF3s)y0URPAHoLR0Jeemz@lQC2S zgefN9Fx10X)#VNcboVRYn^K^gb9H@jjyG|M+7ooc@oO=Psh|d< z@N6<4MT9_C%8wv-fC5fo7h`m$Dv7HgXrss8k-RVqMh}iPab1cS=tr(j_s(V@Dm^CO zK{Xb`g)zJJqV}J0&Cn478N9fpHB>9OEnyxX&(cE%2h6RulVXzqspT0P8_Uh3SZ7In z%*r#)QOpEX?N(DaY9lv&y$<^*{=1B&QVuAO%qb-t*9n}c)IaPI|j(+pf&9#8!guF0v8@s4E zdI|3AwbABk=(<#+heXV+K9GPptp^se=9P5cffvim%LPYt=WwvDTD0;f0xR6n5RK`B zRT+{~`_^ZdJ*foyx}i?Qmui<+C*^)SzTAkqxP?ACqpjO~*Vcyzs6a50#hB?>T~Plb zgp&3cpd|}796PLWHNm~|d;O60g}L$YqC9_(ovC-TvF8QSZf3?LVkv}ZjB6am9lTcX z@oV|jqbrLN8AYKTlA>TFAiW;T0M$L_vac$mweoIu=Dh`%TT-C3CDd8^+9Tx$ z4eG;$dc6^N;AW)_Js=4u6wLAD>`Agh@H!aKg+0O^$BBba zmBz%_s!bZECTd4OD_WJ7PEjHR>{RC8^avA8wsnn*0L_8H{a&QQM|>WN#dUEhi+HyH zK@KjkHwfiyeil4W^LusBDro$(POsq=K8bc(~COHA54IU4WlA&s~~= z`apa86bEzR7_nkjeLnU84T^6AwGRa7x>kD-x(4z#ss+a?B-ji?*UIi3OsC+ki?JmF zjYLXwaJ;(}a(}30auZ0~#w7rIpD~x9>&r7i*A?X*>@RJ3YYvR9l8b#N1?p)N;S@Yh zq>1e#&`9Pz4vEyif^-cvkGg{3t(8W9m;%)G`I%6c;BMgNPz&G(!kGPujogH;{Tn%5 z@n$3KuccQw4H*N}Qs<@|BWKMQsh`o3P}k>YLS5UUpli@Ri;-;#(B+%Qo0Rm$A)t{h zsXZJfAYTOn2h<{^*TaO^diY;i%KzslihbosB{(ej3%fe#Dhd!)= 
zW5svY3@7~3d&HEz)NO4O+tI93FMagn4iI*P--8{CBio72R33K+w!0wgs2H0l!fArQ zs`698`5G4+FP#DAQcjb8KiRC-a~15YKF~&>WHaSvdv1)kIH;Y25G9ckFis;?r-VR= z-I9!&qyhqSf`;bBh>77_KUzB?N=BULgBrxO_c*4+ZU?gqP&{mtjY39sa&2Yh0~ybp zxaCS0=nq3Or8`NjA6h8aB8PalUw9d^`0ko*s0L_U%rk`h^&t-(9lKHU z#ut>1=;Ou0PVr^;Rs1^#YtF9`Nt7dPr+>6{Mz@5khfwWmv(5=1ZsCwOO}cHlbuDMq zG8&e9D`4~Bxk<|r75i8p_9`$0l_cXmOypV@B?FaSxPwVrb-x77ryAS!sg9!S=m^)N4Y-qQ+AWDb0vd%8ydAnES9?^Eai%iD4fDL_pn;*Z`1rc3)P?Y9P+z#!F9z!ZJTwy`2LmJwypys+_9=T zDMs~O=d#w4dq-TQGLrm8{d*BBb_#ma?fG>^jUzO2-tRF_81wJq7EbuiV7NVks@`K^A1XkO>Zp6InPkPH=?b{~!4jtu; z6I78V2bP5VbJc69<;dmlhtuM4p|~e!ecy^b6ivSnmy*tt#FJWvGl)^C+)+AgUH+R# znmtUbJv3!J%cKu$lxv>%v%B1}=Pwd-4PpK*AcX9S=Af;sdhvUZXvs|P?{yY!sOg+d z{?OZCp+qq(SX!mkCVWat^Olcjs$|TUegZ@eiSIGdzMrl7OgFyrH*`v@P^myn-2aOq`Z9QAVu~g0f+?My7+7HY}>~7a03gk`H!t^&ikqT}~HldYfiA6FmOJ>?933 zE>g1BvF`qV1S586eH*c4N~$pnQNeBKghbzNi7uuj`uf*lcCDl6z2cr)_dsO2@mv?{ zmJ<~1VAFRmc8>|E)x!&`NP~@LZGCP#Yr)OZc|RfrzYOc#H;|57-a0K4Aj3ahFEB28 z3r8!Kx18PeyBrd; zT%?xW1P3G{uN2V&7#}kvSjx*(65zH^`-)SJA*%q+Xw(WX%d#q+8usEfeNU53!+E01 zy!Po1gwrU4#OEa3(zp!dFoneXC977NL8&k$Sub^iqpaNLbITPyGp`gzbdRD9Kjpuy zly5u{E_La!+Bp*qUY?R4+wEXWok34mwTQ{R6=GGs>Vn3jQTG!2C%P0L+0UYLvk$FFgrB zCT`W*(q-GJsdw?N+#-j|HLrCaznJCL#mhK89VGJ1+Stpw3F#T1FY|2POgBlY@kFLa z^H`SOw7F)zQLKr%ICX*hS9<+Cy_t2o=a4=R>4qLorMN5m)7}O}t9C95MDB-2sELMh zjZtl)V#$wiVvgZR{l2x9Rzq4tJbxxW6r8GjljX`W&5Q>XFT>J)VCSn^OYUSGa`f^f&RcBzjI{!;5R#gL4tPDC~s1jbMpVcPLL-2$JZDv$qVWg6;VTJPay`* N8RigHQ>VkvlK_8_D()5new=pJlz(z6uZwX7_~k6!GHI;q(`!et6?`OO7`zoS{Ub#yB`x-shf${tNpR2_Pk1vzP!EwuK ziG&YPt$i@ z_S6VfU^h2vY6FoDOae(<_=@MQz0vW4r-}PHQLlf?_x$bV&la z9oKaNBebJVpsxE@XW`ZRp54d=@bmTcUv?X>E3288sAM#4m&Rw=uVH1Mnls(+cV|Z| zS|c~%_~~7*N2>5n5R_V$uFps6qil+7^LePQ86wT zL?}}TG%@4!_?82&(C6uyV3eY;OI6b8lTIRzw#fGq+oGNxD?(jkwy`zlenrP!HQY; zyd|c+2s)f5$i6PASb5tMjn5~}a5a!8fN8lYsq{N+&y?0^$Kmc)u{6Q{z6oR!T_$%y zd97;d_iVy)g!1h&q75 zvGZ)m!$#!M2z-)I%7ve^Ha+kqBg}GRd){@Q^jAsOXLW-Yi`f}xCoGS>4#wPP_nXU5 
z8agGBeOX^)v)~?_CCypF{V+k5YK*CAbOUr}3~jt6Xs9}~70-oWMxck`8e(>nJ|*Cww}XERi{vWm7^Pf?V;AZ zgvs{g0^CErkDt;k3ympZvMc_wtaDqo%`0~6`z+;rx-kJNM$E{Nh}|;8roHr1AIO!V z#@@44&%^=-Ek?&6_XA7Ul}Dy_-P$BLt2#He+p)H6w7g!!#_P3m?%U@Oa|QUE57d@? z4*e$tL(dI8Y}cNC`KO|1+lG234Tl3S`dAR|J>aoEc&^*DNHzA1AS8v(Df62J*jMIct=CvIF{pd4m z%HhUa1^i2s&5k{532WFzm~khxyhc#9Q(?QPoc2$=a15vuE)f=|Xdk^59m;dWWaWdyvU>H;e3ZCy6mNH~*ELzjMmrWUl>13wo?1RU-~ zG%mn?qwn3;Wd89ca?cg&8NKrHE;u*%K+{BYbagj<%ucj$Ab{OdHGJe<+5F|Z`0D&* zvl(s=##c{gXlXK~8S;*w=!#u3wHEVXgJtp9ZYwk|t7X?qGu=Ek!vdLBN5a1CcSGpK zif}{5(V}v{wrY2d*Yoc3mwZZ1@$KJduGeJtGMyHR;=da|%fPbw^K^}B@6#`AD$OI5 zPVcV$&^e=XX)=<8PKjCE?1k`};?*CR(+TaV()mZoDQ$7LXK$ZoC8glA@5?-f8bfG z%{;pD5oO6hIRThP`J;zoK0empPtq2iX6&4gK`6iCNO`OjuG`Z`n7M4rh}!BT9A@xU zmkat5O9pP2FejT(Xb};EFrOGhFX-^*2THq4?IM8OtRn*RRzZx^d`Z5iOqbVs_hx=^ z#L66ZgiOU_gt9x{WGoN2%J|a+713}Nz7&5V#gxH$a!vuxVmy*Qb;_qfxHxjaBwj2c zn{$v}N%PZfNd>3-5n9y<`VnDR-#%v(rnk8{;xBDd#I2zLOt=0vSQV*2_- z2fvf3hqTtkrDOo*pFTA&rdL_wnLbYtB15N*9`6*5+1(x0cRHj(;HpA7XLAMIXejx2 zd=13WX?tC*Rj-Bfs263)-k@ZXbui1Qp1{a!PIVn^|ObIjV z(kDr~O3hs$IZ;wEpO8DW@!(fWHsAu#vu(y8FnQO8`l+j9N8Hq$Aa->t#FKOZt-!>* zS6NcdM-`RVMZR4Dui8kwUrtHn*?yDH#2lC~uK5jSB*A2zBr7E*alQ4u42{1GFU^v^IMm9(gfDDtbLs! 
z=<9pG>w!kXn=>yS*i~dIyW}_<54KjWijN0%XM&ouWJ#D_>>t@A^}2XI2-R@-OuBUa zV(snSaYrYucQ4X|d#(8>%sOQyINm3AU5)t(8s!f%8ED$R$_LpigSZps+VhXb@*5C` z(hK?)=~Vc`eF;Q08`UPx79kv^cTeG zoWC%PJq6tVj!@9P@Ys5#YjMp>#$k?I@x&FWA39)N*JpV=*70JTF-pA?SBu8JKpfD) zZa3(v20ct({hFbHJ40P&U4?N7SR4pvGD~!0RF(8K02QwX@wO4USP}IlLC9Bgl%@cr zT8&ld%G=hC&BAdL628cUD>YMkYm+76cDn{$3$;sIC8ZEDyYW{CT_?7yKgnL%TXUJY zXNPO3E_I4c28EhGbtB8IQ3B2HtlV^dN+lLRb#2#YtM;bvb@rg{0Za3ho~y?)%{?nT!zPl!K?x?ZF@1)2zb%Doi0Zfn76u1l zFRSujcQLankF5W&VJ^~`RFm0v^&Uo0(Y=%juF-v)M$G5gH@$}Kj7gUpq_AYx9A8qi zhi5?6%i^l9IjK4@C6nYrbZKWXMw45~uTU0$kNg7h9`29R`7$i) zt6m?tT~tWlx^_KnT07%u{=uM!J5Sm;IMVqbl6=G3*0a=>+_Pq4w)W-dTsLSKMCoib z@~WAmnwUb)zD$ySjYTQkcvfoCZ5w3E86g)M5K?{rx_G#a_!A0Q5c*lDHRo-TOT!8o zN0m0@lU=fdJ+9MVL*j}4V3X1qyU5>U5(ofYMr7QL>qRdl3>3+k7Cm6%&TWkX6|_9A zr8nS7OY9k!FJQ9csHe00H+tL2)-}f3$#_BfhK^UX-aUyyG(N7X0CzikEd%B2P)vH~ zD(VP=3dRHJA_RM1bZfNiSeY5SS%SvyBx>_gDJ68;+t@>9Q7bv7_((&Rv%MgINiJ6} zEyO{>dAfTUO^ICq3YWJJFuq7e$}sEPGzp~=#!_TiTIeyCXM8t`tIH~QD+VxE}yJ@@D7lnCMKk$u#I-&Bec6%J2l4hbhYf(gEV#5q2 zydz|`FVuZdMkV3pDW_z|?Ju0Zu{h?ovtuBk5bm*IgOYA%cpac z9N}U;UT=b{^KK}LlI9!HVe5)G%(%UxZ@I7KOVcdVjR6O&QgU zU&o_r_7m*!UzFC6?U_bXbjU-Iqx`pF$hm?OTQrgQFNZfy;V(uP3kpJ(b-KTxz0@9d zGq-R1WUS+&ML@_mXu2xKMZSZQ){>s*p<@lZhS1gV(CKypJb;QazSFc{sqg;2_LYKD zl-o;JYq0(5Ys}<{t;>>2{%AGWu5tZ5KD2ZGszgnFhH3%{k!EkKUM&~f{XXmVC8!=^ z61<@yQN|DBADZPQW{qJh>bMe#i&ugVF7AxkZ@9KfJzN{`-qLMtH(%)T_i*ftjHWQ3 zuo^c~#EhlvxLvQInbIDQ8gvS37_jEKxUo2HZfm%r=C=1JYs3%=&h(ec7-wwCsQmF{ z8MGJEHL&@ugs?uv7cTZ`Rr(|9I=t`zsrIxRM20Xwj>d;=}tx*OU1C>SET<0u8W zX3sXBmD&(fa!F$oD6`l(2G7jmjc*IuOBI~UFFUpCz&xMlMW5D5RZdC?sov=)`}A}+ zj3ejUq%LAl0>RdbVD{`iWKJVnAZ{`Bp25U-TROwCx6m^Bt3TmeZ7EsB2H=4 zRY0KU>ZVQiwc9R1u1)a8%5Y{iJfe`9%YH^B&u8`ah;fL$pI^@O)GdqNlfPA%I9VGl1U)*uBs)I(I zj+g8KQMPV(E}_9oB3}Jd@TIl&fI4KKvqe&3m*_lpk%s>aKGm+6aF8m%`A09c$vc zfL%s6INA&8tI|=D~umnBd<+8l$CLVh1cnu-gLIS~8x?@`sgV3r~MxEPI zGdZc*$hZ5YjLfgW@$N7JEng&28R~iG|G6dhMLL@1{%>9DM#r!;4*lVR6m`g6GoU0D 
zn8YBkwo=RgQ7VX}p*MO(f^>-MA05ol@7F+o6{vVoqGq-8OV^|F^`A1rNT6+3_Hq;-Tjo97X_+vs~e*c%!;Q!ZQ%$E)W)FiRi z(Bnlq{0uo!STnd9P08w$wZdxsFLBT<$P~AAqv}D}_Y2A@A_lwv$d*OU*!dH$BBlGS zv9$v(VM5IRtW-ii$~d$nIqv(vJTWR(IS~4tcGA4_9}l*4^`=Fd=Pv)(h`c5DtY!ae zESD@61Fp)}*x-q>i<1jCxvia)@G5)5+!_=Y!^%~rxGC@6` zau~i*ur+!;xWRA}(w-1J`R*WN(~FRTmPdE-28c~|HC|(Mqhuo*$lysjI#k3|_X6TJ zx_r~O3krymf0W)T<*4W4U)8*}!%XozQPRgT!I2BcWckhYAcLTW6K05XNy&$_U4x6x zl?eg13v=+3w@c2+fN9}#mdAG0E0L)kiANK=y}N6Z?ndqn?WV38>rvH5MR_ga|HO}5 z3~!0ctq5%8(M+6~fn7RUiLk2#Cosdi^)~X3cXMvy>l+4poMPZB0r*HyRA@s#*3uN1 zw;1qIp?u^$j$)!2C$kKt9matXdhf#DelO1dC#KD#Ry38!LT!el@Jms*j>>s0+yGnP zv4q2ikuc@CEA82zt zu~Id}WK6Itp>$6OAcrb*!L7W*OS${rNAl7rst zB!q!Qrd-;sO`xsheC1z@*a5>ovORh=O;W~{UwQ7;($%v4sQLki(FHwi3Ziv{=|(M& z3(9a}TgaBw=~dbXEy>sKr>O zcr=OK>KsAi2POwP*gUQ{GZQA7y^Hx5hf7wjMD#omSNYceKuUj^)?zN~C$pT(b7e!> zsFf5aN)Cy^nBMk$kHeo8R&g@Ka2j(zHhEj;V{B>FLUaYz&;dE`#E^|j&ml9X?o1dip;(XpM(%2cV#wv8+dXD3DOCK8hKE>OZs>MWv6HKZ=t z2L`^x5!e`Zdvji#rHua__0*#(l>>d=+B;mMh2~Z2hu{Wd`$w&MQ@3DfCnbpNBk0J;ngxUQxv^s??x!n>z)wnFRQk(M zrf8R$eJ|pv7}4!pehtdJ2Af$((V~(nWcIf!T6CUJHcf+bR$*d?O?QIU?C5d+rYxyD zjSn6vC<3ad$6g6cEO|YXIOXJh2&IE?awj~t-r5^@;6<{40B^x zD$@F7-5iQiF=I#|{geO198&O-C3Kib@tRsyd7+^hvMcvcuiA&#LhGx5)DrvIGTIhE z@eZ)ZI{*ioi{m8}Uh$%eWyl_y#fLS<&3zPn?__gr@bR5qBXr;W@ zn!kLcW25%Scr$#mIx^YVx>28hK zH~hVUO75GsfOOY)6v#R^7GTS;(ea_3ITuU`;5X<(jFf2c0cdYE&YdShu{~;l(|$1Y zgI?mvhHW_nonyPzGUbj6Mc%MHuKdm@=?B?9*hw!kYtZ#go$kpHNUWF_U*B;jCg=~L zd$J=eXT8bQC|XCiV;bzfW#6_c-#b%QlJRHXN{)y&eJscwy0x#V9ik^`grl@&ur41gfTR+qw^GpijMBr|>CJ($9|=fx^=5BmilQsmY%k6S#Q3_5=93qhAB zrG^p_aSvBcQ{jY$!e2vffegvD#cdqB*6s;FBFvRp^I~g@Q}TF8Q_R*UZe?iBXr~9y zY&d;qG;uqk-8jJiS<7=`c3lcHRTyWf+4HTDj%pNU|6DKIkob1C-Nu-=ik#ZTC4~#%+Y*peC znhpbO8KHhTtk-%XpFiS^Z^P8x^(4^R$K517=Wyuyh@9%+exH zet_h^p93Agw^qivrMh&Cyzd(K9ZeyNtIVmT`|$lhMI@ zzZ;#He)yryHMqffCG^&f+~Q|-tLEfQ`yLh7o`2WUHiY%CF0K-~Nx@s+k1Mc;$`;3* zSr=(++K)}Q{fQz4pt`afTPX|?QMvdNvfmv*CSnDBxwr-}gH#nyQf@x!1C_EzkNwNu zqu2=d2g!@iUKCb#ad|L(rGq&wqXmk2FY(D~|v#No6UbD#T6$``fz0UYnZ 
zFvSwt2A074J8I0Gj~b=1jZ64VXA6p#R{zCR=e(P{5i@6y7_(uVew1Y>ZN1BVj{oA* z|Nn7)prsH6*j>$m)IeVXWO=*WB~nZ~OQQRs$B*lag6q304p=23eUsxDrFCM z{F*C^+h-F!rQMt&{?wF~D@2y4z*ljch4k1h=BuJj1aDV;a{>*c_D+G?i{}t9X6T9S zfqT;4O9I)Q`B0p808 z9h7C$F8)s}0=s!pEat~!frI1rRm|-Ppqrg9Ib_)P*4yni0%w4cx(_BP<0vJb9NWkU zLWsPc2nXWT+v$c~58swjMt%OLRZw}^8Y6X>hC)hkR0HciZd=>roD1XgqU-8D*`Rs_ z%fPR8n(mRKe_q9Hluc3{I$Q%OvdFfKuAx0n-6h@5_nl>yw0je9(J@DkuVxQn^#ieX z&@%_my2#;k#nZbXARqBD`&62jnZ)xOieh?IlM9dBkMy11aEyCVJFyz4=P&F_A8i42 zbt_8^dJP_tO0+hy`4EJAN*Mt~f`1BNGd;f;%QbS32-)VH9X;bup+)5s#a>zSO>uTJ zHV8|7uN(0G1U zC|Q2>W}Zul&vi~2_ZPM!VoztZp9dG##E0i5HnT-Vwg;Y3Z2v{eL?(9t-c}ECzj&Wj zYagI*uaTYZfIAO?5-Od=FV*WT4DF&?2vK_&sks0KYW}^+$cDZ!$CMj;B?zo0eHu$z z=GWLaN=WU7HWoClBr6zdKG!SIoJM>M~+DNN) zSKVXsVA+%V;tT+7x8#9WAnUSlhJUy$!^Um=iq6|+R}pn=j2c#~;BSt-IEq1lOx@Oi z7(QbWt*dl}XS8zPChB?)w|*SunKsq5K3_b26?)+`2oBzamA!n>c#U1v=csVwwe5RJ zKc!3)iYgKAaW`6vA2*08O)LrU$t>O@*9D#7d!|iGJq(G*7?4g#TNZ^Nq@jqODq-i|h$bH*7{ z{rsGU7d0l%k6tm<_bc;Mlh?`=>X6HG?=<09gNHPSJ3K*gCu;AMMf9tN;w#P(hVj|C zowF(|cgBk_#g*4tnqG?VR$(ue7agfsZv#vf$7$LG2q2IQs=I*cc92%JT5$Y#pzz0= zX3MUGy4V^>?J7-)0ai*pS@U`%qRG}dh?+YS?(!lVW}8m6lzkai8ulkh1sbmiKxDo8 zpQ9W-?ZZ~)2DG4imXsQytPLAE`}iCq%Blf3M955?EI;L^WM_TH69A=lPkRha@qJla%YmpW1wf9H<)hQU{XQw+p59GQrTrt~#g= z|3y;AM6=ZTq0du7*X7zv)w>JqQ%Y2Xdinb|)Z^c6t#3egX4Z3xdw$Q zGha-|GBQzu#O2S`>N>e5X#8Qs>7q5ta2uA0zsKJ~24AJC1vLVq%#i6Nnm-9e3;glV zE&qGuvHwjf-2d$`kzZG;mZpM@-wg^mtdZGSe<324_(RtAY=4u4cUv|fn+lwoRG=Ej z=#p%?o0NoSbhd-v$Gd+*k)*j3L%jD_u{HK0jX%KB)c`a#Owscwhc{Nyi|KTBT2j|r zeWJ3IA%!y_U#$RIFGn6sbur)jfVA_jLAq7n>MQTaz41H4^5>}%?S%pm(9MS@0~yje zxUT0c)sb;4DM@Bt7dC-1^=^igj<p-y}5F6YgFX9^MPp1_b@3otT1F)7Hp9NFnenaY$?K{{PMy!6~ zyY=L}Kb@nEQf^6&Wb|3lK#8a}^ZFGf`?G)t-XL)ze|ZseJTx_X(OEX@bQ>9z_cooT zUQ|vO=}xQ9eUjzywo^et*?$mlou(PLXQ!!}{|?6jC`(FlFFXMIe3;M9t6q&I_6?(9 z{)$eV40!-OI^)5Zxe82_T}Oir#u1UNX?w-iwuD`014y#RQLoV7)?cTiho~kZ6MGcH zgMPSLqG7F=ePDHP-%v+uEvH6r+E?@1R__OD*@Tu>51*<9h@KJu!pcL>3p&T? 
zVRiXW&?mgQK)5RpaYqBmJ!G+j2#QkHbqPX`)uWAL5t8v5ARAJ4@xlm6rPsuaF5Wx^NF$9#6_0XF9Lyhsfo~D~zWif*{qgP}u zya^Zz6Oxf8HbQDjdN1QsTvQt3FLFeX`x!EDLo`&OI``x0>Ka0juy|rb538+6T~SZ&hli7h z8_co(v2ay`6J8YsIPJTphO;O@G{f5EG9Moq*qxBiQP#LB*B7X0zY%|xt5pp_jJuy*3;gr zn!6+0xh0Dozbi8vAGOF!dfc}x!Q&~UG{T>8Id2L{5wAl?%33*>?T}p@3dj$>OTMu z;!df}v$s7Ft59ZEe@7Sd+Z{zuRb5Q^lsaspSF}`R{#wTdIPa`VBM52p_50JMgmgA4 zqx^tMH+ui?CQDHTut%oRf#JBpN|tw?N_uC6iTSt%T5$v!t~sdzC!4K+)BkQSI3@r6 zaDd(?2`Nm-+7xc;_J~9`@PyxPj%WWfZtDlyq&~1a>I8IjlNr9e8}`p(apJ_-+M3Ld zrFKGstCu9vM{AOP3rVn>oW`R}G0&-Qdd(M_W2BA_Gb*+8omOk%+p&K_Kup8Z@>t4) za7GWgYwWO}B;WqoYk2aY9xG{uZ2j)dOzsXBIV74y5Zhmft7-;8hJ%Zi^-LipVs$FOXfu^H zs3o_i$TLiTw;5afoL;2o&uyzg_OW!;+{nI!u$6W?oQY#^zWQn?>X2$93ZDl(@Z66ge> z;V>i^d{53I#llK<3;id?ze~f~Fc1u$jQI5L=zd&XE)?TmlRpe-9~x3zenU?93iz=v zxfgyGY(TY?x>|2vqEZNnT-ag=ee~B=KYgdEjNesUHLtW>e z0()*svG#RQ(|I>f`0b-s8g84GGz6I#ZSB&rDGVRc9sY=sisw7}LU_MZnv(}r?NPNFBC74y3Wm zY=v8XH|Nl(9q(=ko;;Uu`R~pwTU*C}ycf_9cGwG4Mse{TN8DR4C_}Aq0f{>WBvR|b zj4A5$_p{9K6x7NZ@wEr6NE9pK>px}?;CUUy5OH}Sf^yh@_gjl=1CW{ zu3bFT;$(RW8fw^7CPdh?^~O={;~T!{8DY3=E4PSgNld~c9v-;PH3B-lUubr(3vEP;P7nDMF`b#?x-sEz^h>MKD32w9uyW-Gofk%(@4ol+KY^R=`u{l!|P z{^f>{gS|!~gl(;P$qKk@Nd>f*R_{;byC0=$d#=_h;-`nCvz1Lnee8FAfYQrRb+_4o znsf93AzfK4LHjQ>Z|=tMSguNVz|sUD&Tp|=@J0dv2%qm9T`|RpABOYyXV^qDI?EnT zEFrgmo1G5{yXXEj4F%A#FSG*v8VjU|OQ!wIr0W4B3flyIyTL~|2jA8Dqy%i%7rk^! z=KAn2_)QgrNCd@5Sv36o3k!>{($PbTk2tM;Y`m1x~0pMK3wgSUgu{ z??2Fk6V}MOrJPP+=(RgqznjF!^ZzR4-MB%z$hc7=4eVydqM47Dn^pEX$l6ZqkSE>U z4+~uI>m47NE0?@x3;s{Vee``X1zLE~NjWl+cr(><+Xgd!8Mw>P{B#*)8PQclV~1Rm z>IeU>^cl4#7nh&99aLSCsRU*VY)|}QWOs@v|5^n&uJo@Ly#7~nr2n_WjB0cN2S7$? zDl2}yhZgdSFth~qErgmUtSqYjGOL^zU_oz~G{=p$C?s~F>&_hspMX<$dwzWeIQX-5 zGeqp3YNbPjR(e8+%#1B>M&RwTcF_~3vz0UxfMUME&imkwL=bR`1J*b>{sC9~T{Lx! 
z%xo%&j_wnQyRiCkBUJ_&yC}!~h4U^P<-pOAaSfx_Pu&>lPRmUnRy`Gaqbn*ubyooP zQ-L)5`zJR!N}sZdcmdxD-nsR5>Sav_;A~1+N_o%cbx~fDz}jthKc~L$4nfuO=9GS6 zwC7fNov|+ugrl^YzK&bOL&QjoFWLd;T-<2ru7@x+%f6=;#q(;Y#?p3$9DMG$?O0U* zXwo7`dVOlqsg2&LDzKPO{+m)AaCQY1H2dUk(OmiY`y|aMmNtdrda<2fE7zsZtm@c? zP5zIU(R%TWYm^wiz%#C$!>naPpbNq1%}Xi*oTHKOC;!qCGxUovriYQj6!) z#jm0UFTZUHG&8%|JBwLdsxWREjk?>DHoa(;ZZGec1dwl|v-I9`=qn4U1~ZKBf?F7` zuyI`)FkU=t*!&-R!`#QavYin+Qq#E*&Oh(Q05T1F6!jsl`;GZAewvC6{xFM!C^$iX^Jba0zWyy3LZN9^3#qO={4B$ z%M<5g97^;Gn=?s7*2<<4WpHU~Ai{cM+Psrtzp(?^IqZC#xm0_wbcSI=jZCj?wshJ< zt3mU)c=B++q@8iU=EDvDxXl8t2JfeywI9A0CcT@_cL*iiIGkZVk$zdR zEsvZ02qO(CRWEQBR%sCQn#PV8!Zi{xscf#1JZ5-cY5aEf$DQro6=s}td?JCX9}eDg zuot}$f6vCKHOfHsX=5m;de08>v#n1If5%}O*JuD1pYx7?eqWG8(A}>gW2E<54;yBadx@FxcVhN$xPE^JJ$5cOqd~SUH6Q4iun9_ zS^vgD#}PdD{z2~}S{wul=24%^8(D|q+5 zbJU2W1#zX~V_M%6Zhq#|7>5bVEV0hhs*=JMAEzVpzh&{fq(4 zsr3B@i>%XvpbCEw4Xx_y|As*aDE!+Off&Sxe> zP~wo)OS*TY>>9Uv4OL#C6YEBtZ-lEg<3rt4D~k;qLYM_f`|Gxf!s=$&po^x%Wo-$8+UruEwsR zC=RtQO5_U^$^-&CYuY#OQd%f?8>SyO(Uz2y+*Vl|In6SoA`%)%8DRJc_e_#)(jbH* zsN%fKfnM&p3zpn8Gu%=Y3v*$HAG zXi*Vjw~O=$68miEco&en|IgO=M;10!X~7M#`MrMU>c8DdwPUaUSj711r}RvCD~aW0 zGl>ds@v4OnZI0)xKFj#`GuC~TO4WN1&h8KT_BOB~ww-OAtW9jC>t>8t10wpU?5Hh+ z${{C?MvZ$wX8XAuJ=SSaTWE40?9#~r>v$va@j@sjtfAM3l=+bYRDIbhffOV9Gpx(` zwwTaya-8Gm!lqmc>Ci3(ceezwg|hrhZ)t<6E$GiNo!s>VjOX-Vkx#UCULcsgS1jT#({I#E4Eg55^r!BfdEQ7j72?)(oX&4R9R|&PYITwv_kEU6P z?-8s&EX%yNW_+~Hx=VMx3C?fM^m1a1Oge?kKwkgWR_h#tS$Yc1Yc>*}cRypsGD~l2 z$4~}x^EMpBIX!9({lpeg@Wg^8IXk?*Yko%orKuzC$FGGF4iVxNN)3zu!UQ*>_7F1* zJfov=In5&59;_)$%Ai&`CZ4iuAl|ji?(ibuj{IVDz$16)jLfrU)l<8EY@qGBpv3pV z&R{2K?q#_bi@YK2-Gih<$q%CyPlxx7>rk3aR*a+!?1+{OT%zN`_EW?kb$Fa#Ig|J% zXWf?BD$O=)r51KgV~kZaRoEpwR%@NUT{Vm55=X#|VWkv((GDL*7!mS1s^!Z&Vn=Ta zDW){|I88qd^ko2XwERd9ja zBe)(ALtr;L!Z<#opn06pH4w;JFf>T>qTQs)V0&C=96ia9V5vf_wRs z#*Lz{LXb998qII#u8YgnbVY1Br&{}8W2Hrp?rQU(-EZytZfm^40;Stg9l4bAC+B_N0IHkpWnM zJB7~mfhADf@9*B6$*yv=&eFKf#2emtHDsGx;$8=P)pS~>i~n53bXIdh^vH{x9w{(K 
z=&=NpAyhQxYNoPE?mh2@j^Tl)Ddv?|d4wv$zxb$O=&M@m#iU4!<1y;i>xzz%ntt)w z6|orE>24>zU4L-C<*fR7}Mv22jS4{@UYGGA&1On z<&c*hIcHLaDJAA&N>bKy&s@ApT|@I4Tr- z&nQ3br)HvXVPItZmV6ysh>?dX?Y{wjUbRCjPzsdv@sg}DwL>(yy*+4JJ5kD_Szwhx zj*g3c>H3JKe{XE@4)FTsmo~>a|J8^>p2pFccqe__8`p0(;BtK|1I5Llyrq+?#InI8 zxU_sP`d#pS52KUih$mnA1{`=2&vym+GF)1Epgk(4Rx`jXQ9L9Z?jcTi1>GS6XvQ<3 zOb^6jJ~RY6vnDeUlpmml**k6(*HY+&1;}L2UX^UJEAs86PSck4*;spOXa(eNwpgar zqX~66Yr9dZaG|qQp6}l5A2Wox-BI+8^%31VWj1Sd+qy34Vai#ITNVl9 z`6O;NTjoq;0xq1BW%?>Kd>=*MkXZ=eGkXM>8$QI4(3T>zLRLz@KR4K1!05}uO9C#< zznfe0fsw^NGhmczLF>r|qx_ik}g64LZe#(!xVoGv(JJ2!P9)+nld3o@CO^y1a;qYEwScwEu2uL- zW$Sfey@GXhPQGqij=+ZDh>@J^)ide^;3tO8&0gi)LN69CoxEB^Epox7x+v}YO3yt~ zV_{F}p3snJdYGaAL9Xmzz#zA$kd$0$50q`Tz>sNM7qD5Bc-OiSKv@d1hf=a9%PS+y zs07pbsFtKDuITSU6WnP(eq1#UdEYmMUcL}G_tYm|ib(jm+A*i8jp~}8>q@1#Nm+NU zKI0w=^J}mQQNxUQU;mHq&Km-UYmHvh*N&x-eC$vMxzS6Si0)kWm$Vy6xj(Sy)gWQ2 z@>Jrk5IIfO%D2Y-M)q)-wF}Dz*~>bT)H&Vpx$e4SxfUVETK?VaNq1mMIl~;>GIzB* z0gzSaOtm%~{DZOAqBZGRQ-I;@IEd!pwmZL zvT-Z_3om7$K6Y)$a(Q-QYEJ*vPg}s7i5?C)gCC`S*bY9`Hhe^}V5-fr%Dq(T*DIEm z?e;SNh~++e0F~myq{u1_OVvNjc?t2tLBInnkXzvv7*p3f<1g9N>-WC*{+zRw&A6f* z+{2Y^$M2>@q7eyGfV5(pEwZ%8oOPe7}xu-KxZF3=Es zmCEjchL(XksN_krTnfA59$Su)(9c7c#3ac1C&vn-m2TV{q;58|S6tfcO<^9GOO7F? 
zyt^Qz9X#1Cc|WgC@M>F@8%uD=`y}m2-=|NWWL8m7-Jo@9BdP}91^SzvWNJ^(j7Z&* z-xw%(k;JBNfPa17is`Ik$;()fxzFK;i)D#N_QD$@PpUo_Fy4R6K4Sf5`hI^W8>wK# zcX=V|v`3v!B#_*^8~1#jUQ3>qRH9`{p@I3u$Ez%bO{G0?nOIhim=#p~X20?f@=ZH0 zNb}vdQaLGWcKP`sHtn>{@D)+*x0WKban1P`-9;{SABJC+MD{9I=5KQ1-BHrJ#kl zB*!G^N0)q3i7!m$WQ-O9Mj@tyPO`;+SwUUv-z4;vg|h8_Iyd0o%VOJ-|fEPCHph);?|>!_)ZZT zu8kT{mUy2&R~i|p9`G#EcVFAPhRe0D$LPRIp*zPDw$YtQ2;uYB91N3joWCY}%>gTW ztI2=0S2nIVVY@}7zVGGPAf(c#8K2#*pG#N?_hm61x9lg!JvHS-6s*>GR?d7ansIgjIVuT_p3wwal(L~S=IDTP`vy1Bms`Np>I#MMV-Qm{^8 zuk09*%h~>j3Y?$!W+^z}lwLE}4HOU)%-?spmz(GJ;Kp=!Z_A zf6yDQ9;ujI8@q&1z-k^t&iTR4wkEqD=cdLm82M_FhfL|5Uc)9bOep6!H+0s55_j!b zr8*}MdG540nWp0q?d6o!wK*MmK#t8_lb94w%%-Cg4<15P>rzYDP0V+eaC?Pzuf_c* z>Q8Ly7mCeG%pvZXufD^g6XD-{))r6^GTs`)?S@Hs`Y8EO$N$d)72+#)hsc=sy5Jcj zo={SvWr*8`FpZmBdKo*|D|H>G<^QRL|BGrNK*DKt2!TK|3(0)X@SEQL>u|R``(WZC zW<01N5OX%?xO=a@7BWQS9uzey8U(n+Bt_#QdC;v@GDqYxEU^BiwE}@?Nfd-$;rlO# zgKQGAi1ApdqI;{n5mzZHV-vQzyJrx1{6R;g3 zzNu`t;o5cN|H2<%2qdNLOuTNq7#sOPc|h^yte(rMc@xHPQ$XKu3azM5NIUXPq9G_# zZ~SwD6x)Es+yzx-4aPjHY*=sSO<)B+m3>fqG9 z&=khmuoVp+4fLj%Rl|U6u{c}*n=P4ZeJYOsS@ltnOS~JCrM@ny_5T!GEMyF^V{yD zKkZ)w0zgh*j?_S}JrAJ|EMCRdx960y2Awc|ZaJ}W@_Fgi8T<9mIepuPEmOzavFM8x zU2t3roiq(!UO7Y3lIY3i%XQTZKvV-i4341)P#6PihDl)0LZ*(JdDL_!vVb{OW#Q+c zL3bm+4@Mx*p{@9T2C^=9UtjWmy_{zLEOB+F7{Gk4GD{@9k9J3A^)Q6@_RkYlf`iFH z#k<=R{+yo#s?6?Gp7Rbl2iL7}9GtL}z6ax)6+w2oLZqb$t+of0}mX!ms^sD!vY;!>0O8 zXoDBF(G@ABWsX`_DVlXu0!*HZ*d)czi7qGloO1a@5&IaT-0J*f7>sjWh0Z5segU@p zRV9}Qwy){ySKf-20UNl5ylG>!WP!2Zvygrt4C-D5xhO)}*>6ha?32^1vXK`3 zcV+>%?by6a%>l8Nc`vH&w>E2%`fLtCeLhW9wsVo{c3jtuh#HAm@l1`Levxf6Q$R# z&Z4*H3#spQ_{yp*wLW&TVYalJ=;$LuJ#UwN7DztC{(0}#N&ZB@u*|slTXup#UOi8X zteb9B^Q}f#p=&dd?|A%X{TSz6PQoinr^7R_ICLl7;rqJ&>QM1A#HHQgQX&>98Gg+A z0kRn@;Q;@vvGU&k&KTQ#?=bGRfhcTY?EC>eJ#=2K5{X2`f*D$Jh+gdoYsl$j_w-_` z;UR4&qj&QR59Xj9tq7(kt%W8OOV@4WIaNX8_}yyt_$7kLJtGNIeVnn5M!Q|FG0lun zn+v(1ysb9{f8MwCx{t%WV`c^{H0Akeu zz9m!B?w|EteRZ`DG*H6@Sqs|`{sS}X{s5PP&r6jxFD=~+zn7RC`ORkh1p4g$FJqlM 
z!kZqv_2H3rM*<6$WGb@6v!3`VQ`c)s-vKV&dN7Z}0g9B|Y=5v*VY;3N6yNPGE`Q|B zA>XeaLzlT+`uv2enNErBkrd7I1;|+@1+iie2~0!Qq?j-|G#bF5CmoQsz2@Fk?XPPW zVD#+nnYt$RmmIBDHC@_x-6I}fdn};=%Gz7GITLKN^{9t!>Fgh03cG$sW-sRod6g3G(7O zIkt9^7Q;ZHd@B2G$1SmGK$x3Qf`O2IM;C`t9VCTf1$iu@Nv0444U51Fce@s=W3VWc zqrs+&m)QVI@`Krhg`E9+yonpoF`hCNd(e*e_%Yj9-x<4^t7K0rB|A615x}*~`|)QG zrBhD*gJjety|L?8B&0A7_<)t*u&&!V4$tfRYRhQMMm$?qfesm6PJo?c758C>8C|Hn zc(gtloy`y|+h8hH5M=9KzQT@)qR`?4sbm@{S>UJAjpvgdDi2`(#pRFg>%cQC-*4c) zE2KVbEI zEK($5+MrA|(_j)w)M&i+M9CBcHgR>dR^~nz040@De991xr>F0!~>^G@^*bELCFKp2^n0jj8sGSP5}Wg z6gMS20tGrhyz~XqpUG`Im!kr=?(b=uJ{Ms_d2GHFS1gb*mEEZ6to^bU-;RIR=1-h- zOe`0#uJAK`R+Nu^sZ=yU7=GLF1ZAWc@~Zbmge<{9+VEq~XBszXz6si^f8KAYMd-7| zDU$JYX-+ik)OIGmbaFM&Ce25W9p_woClRtK&pbO;jG+qJH+0r0NzfWsK&2FZ8CH&m zNtE!3%WjrGuVh@UgzEf2bQcH3=9Q;dxOo`E0J>Nxb96z@SjD)4cYQgSEZ=fkhHjQI zQZ(~4F0=5>R3CjeHW8cI$D zYLYH4HM^gqsnSMLkhug5R@to(2WIslKbDoReV&e+URrM($OV(pH*=nN7Qg52Y2J@J3yM}#M8tm=3fHcSGJx+HM)5_?yb1+Z*xkN zNFd{r&O=`%jXGK$E*algh{HeltP#ot7Hu1<#mbAFWWtpRb znSUOt5DLI#CMkNJIeWX!qJMzs1uPa+@WNE$=Y6y_fmADu>1Dr~V9eq{NoEV#)e<@eRIP_^#iY((8$3yq=MWk0obpKLmC>$wA`iuf$l3zh}A zJiz*FTASd3Xg3ijs>=4;4lFeDohOJMWj0k#qCTyrn5J=6DLzhD7QI?ZNj`+aQ>Zw) zvVaBeiC}|5weO-FAJ&s3GA1GF+(}yM&I!{~L-H&F#(ZSOw(BIYyj2&c9#_zI5F}0* z{$)2EOVLAlbi{x(w#qz4CZy2tS-KF&8}}#rU>b?)G(-B(6OK+?HL}m|`DQZdIRywZ zHV*w}DWeP>>tb9Dh)Onq4MJDWU-(AIP#qiKe+3;T0hEGIqB-WojKU`u*uDgW%cbw z#Uk(u5f{7N89SZobbtYI3WV+f(tiKxlOxTjn_X?gY-s;)e!X&XVrq0yYD{%(D6Trj z_>!a0yRbwaS0*eOJ2F)BIXhXRRrWMt5k`rY$8y1Nq?zrpM(LvGv2w^zQu1ICXSo)4 z#*|RJ{Gbmt9sdId^fAIj422ug!?aP%o#&3h5ZEH7+ z;mVhawnC4kU$Fg3=%8G-0Fph68723OGWCE(MHp15&(Z%3r8rwcW+q~q#Kff7g1Ue5 zrx6D^5*V&p3E*HSEZQQbE&hf3dp`UOFvSgn+J!aw@3 zc)s9y_yVx~2hd#ZRXMer2K28uJ$fM>mJk-MF-v!*|5)5-oJUGiCt>v&(C_DG;x6Hj zz(TY=Gat@M9$e<37d96v3P!U&oKC4#MHOwx&{NwhMfq87sO7aM5!>RkCue|KpjJ(ScwhP^#B}j z11@DJF2|d1KJ(@T~F1Y~T#@!G8EO49)U`}_k2f(pgRoW*?bImO<;iaP_GNZq=d{sv5?BA=i6}6-pG$UB9R934OBI97*;>%x z94xZWa=&F}>?#(NVH>Q~4RuiLywh-ij7!Te5oTb$54WwkHg^ff%RyaxU@`lOTVw5W 
z@NL86j_411J1uk~BME=r%N!Tec&kRo9Iq75T;MOSyV&uv3YpDo7&4!l)Q)KhP?Clq z9+~96B($ZF$O(RGdzX!u8Dk)ESnE9nEA`uAIjg;6nU?ny_wFm;zb3f>j|*ho^r|KS zKTDgEj%jaIPLWC)s7_;`A}~E?7p8Z!wl7_Bwmvy+^hlwZsF+!z_@j+~5m$sOxrxv( zBOUbyO)&wuI3i)m<#M;_EM9`G)@^DY1L7f+GN>T)7 zUvYozNkqb7^ zhr>7kEwb43avfDDDWeAP`IGlF6<`&!%jmXVGGmN~8Zbk|xtq0WhtVU&_R6@Cp<|nE zH7Nn~z$~)GeumSOGt*ouK4`A8#$TrIi=cX@VSJ=xD}Bq^bk3KKn%z#Y2HRSV?_H{V zkJ}|3H*#BO?)ZyMF89p!L=63#z+nci-hj6SFXfXp1T{rHF=R+QtObR>ChpVzZ52p@ zjXZzg@a9ftC=Jqe@b0x2WAvAlNBP~p`4zd8cL%(zOHl=^zaJL}B+n}NfZEhO{BjGa z(-#Py39qsX6ylptDxvN9@EYzt?!X`Ml{fnGD}t+e&8&<@$m30Jp4{?MVLirK&wKUo znw%B+j2pCVWV3o~IRP!`s~M4^9esCCswoWV-;c#f(>m!|`SK;p6ol6-A%KY@h@oaG##?Lg0A)sTdzbq>2XD zfd^Hk+ih_1ajd0ZMbr+N6rw9{INO;cwyWmdf%2}Rt+=Xk%})^SNp1@{%ZC=WC)!C` z&2h{m*i1=db&v9&J|%b*TeDLa3NFE*sWYwF_|WG6)`OF4qW1@1+RnU}8xxroOL}y? zp{R^C?@x~0TE-yzkpUykRf9UsJ>w@K%s%6a6~nx7xD_dqp>*0Qa3DrSFD|DDZ|f)5 ztp*_-=L9{W>1PAwD<%FB%DdE55!>v}Pp8G#yAM#*3drY6KYs5!i@%>$Fux|&b+^PL z-Z39ycl}uP%wvTBnwktOH)lXo$&=H^FcDxTA+lLmOZ279pPxdL??_j;lo=gRnXAZ| z-8E`%Mp2K&c=oup>-a}dP?eFjz$(Y6NZ^~LZQRh$H*`X->h#B*dY?rkJIehdqep4l z6kMz+-bmH?A~B6jhdpI{R0WPu7>_of%7TZ|Xg=;FRI6VeDGJ;w32k)Yw_)hPdX$NU z-s7mm=|izgrjT5&Wvj6;Y*q#pfD*iHW5b{m$U5a(f*E5I5vuF^7)b^T3wMP{E<6#j z(@{sx*ZaIh11%|M5(jWgOm^XXYtV)TNBO4UB^jCJ=hH#8{tZe8tBPEVE$W%rX|zo&lx@n;%!fAP0=uD%4^Ae z%BCl1FT$5$iVXAv5G`YdnCn(o}^65g~rDq@46prqSbs8 zDgG{(Ck@{--IaoeTtRc4HSf3L{`m4-%6+Mm#8zADn``*-r#Fp3LucVv2}Ykto9)8R zA3h>Y8w_KH##(cB+#W7%0DM|6wxm4h=5ofMJ(CI_JP}t7!J-F&!(?PHoH2Fe}W-6$nDZCj0Ibtyl(1A*ek zUGoy^J>5HJ{!f$mBlM*KQEtfF{7&qxp`EuKt0C1e)oiV1$5^Pp$Ok2o-75(R!504>;Teg(2=PPC?|Hu#ub*(|_9{hKj zmx?yjrA5cuzhi~GzMinZ`jLmbKqX6K9Z4IK>|;uv-;njzrs^`2*B{uGF)eKwBCWL4 zK+F(4kCi>)O=shvOk4%(pV%= zT>$Gg80K;&MQ74xrM1xRlNTYceil7J^U7eXlH5w3oSRu`E5A56Y$zL+UE$4PR) z<9XmHl}w9iC-K&_J_jM{TfnxzZEyYfCV;m0@>Re~*8%g4dwQT2^AfR%SziBNj0gUU zKORUT0xo=s9|Gu0hT$~Ywj9qR0Iu*MqBLQMk^guK1eaJR?~^gku0VzYNk-;?g%3!N zgdt!|I_(@f08>^fff$#ld*6j80RUlQ-JX*L0uY592tEA!z(3+Sxx|>$vV*mQ;6MN_ 
zX9VIG{>MRYjc9vOfp&a;5eQs&;FD2RY9z5EH$?P7+HK`n^*AVl<~xhw**@X1!= z0feZ-1V}X{0W2S3VFwHVT%r7*`SMAS{?nz4<8>efqE@)|bo%D)?!}P|quBrgmAuPO zFTDf;KER-dya(y`aW;h##cIx9GLWlCsyx6-VSibc&hDYg0ZIE}I+z8UaxFsdxI!PG`kMg% zF}W=8mB4{eN2;tS&gLo|__?Hj&(wYoFf=nv0F_OP8N;0qy7^OyklZ_zJm3Qa_EOIM zp%ULbu#T>gax|{GzYXsU|#@NdP1Pu0gGB!2a!(Kd zBrf-WWaU?0iouY>yIUX@N5LhD{`Kz)L?F&)C{kgi=uv}c7-v*wJqw1TN5s?OXwo8F zrp(c*bydde_9bFLg?R-{_`o9iKk>-Q9bn(ilLL9vAwsecUixOhUJYjR{$;T_*ZE}! z;fAky$C(@oR~c$O_43R%zLrO`j;XiisLM&xS5ZUC2$mFHRe2a{cRCLxs&h>3Zw+wo zVQj=;E99ytFR7;mpD=QfusvFoilldeAchltYCb;jqABhDWM8O@YxL_{ac64MF)=f? zB9*LbkYA4#8jb6iMO)@dK+<*;>a}C45`cY=MQozacC1c`IZm4~ephW2r%-Qp&K$-s zanOUIT-~c<1u%&sf4AAcKcIMG$MrbI*%;ZJGWuY0W@-*CCEx73f$*=1RQiall&*-L95-`-#f%yqIcj&>=~~R z=^At#)*13;klxjV@4pX+@juFbl55{cxDq;MhFr3M-kmdfMm!lgUGm-s&6sMIM2g#UutbYW=bOVw= zPdcHoOCbVCq^--i*90TGRgBgE9?eFjei{2&6!CISB>x|7_E?+DvqPe1{PtNhLa<-f zD1ZKpHxh^RT-PZ zi0BeLKM%=#Typo14juYw($F)hb#wZG@kR!|BYd^yRVQE3aO7WAJdRn2gtVZtR;~9s z9hjJS`Q;kaW8zXoPW)g=^8iGjxl7CN`TLEFT@O*loGnG;_DM0k8)WFPnmn`A?eLCn zt^pJQK}O*<%|DRBiciuEtwwg#)q^6RYS6bVyIyL3Jys!DvpKPF#681@`|>FM1`A?DGH+W(-L|ZwaKTJXtHo?H1XT!r)D~%mxgpH0eASWsIr&UU;1yV~i zHLls%KC5EU+(n$L4do(e9HWew`4|hrd+PTNK3m)>W6#H^DW7y27h1iUrmN2u=ve5q zD_?=$Rv&q|ITPkWEN$5t=JD%WyJZlu=N3)P2i8$`&Y4vH7OBo~yrPA|5WAOx3Mj1a z+rjKqhaWYlr}+m2@_9MW$HT~NtuYIrFq~@J zcy>4dNQ#j$lP8<;=07^gOJ=zI0hlv41O*ydi1abO`GSk6{omq|J?9C8t`qb(I?_&1 z3k#aiJ|4D^PiVVRi2}hJw}3_p3}*T9Yz8eg#u9J;6Mdb*e39%$7?XY?|JZnLKxPC z&J~J9O8br;x@n*r*)2lSwxPuCDyN#j1SFMbzz0vVvUZX5oRG|P?$!`sZqiDhKmY55 zc7qQiN{3n^8k#`+C|YH$qmuq~&?1f`8daAI?U$3jF1JMX&6H&yN(`$fLt+fIF3#VV zwa;_cC5J8{{L-#zYGfdX@i>U#e%hn`w*((9h4eW&bVH~H3C%rw7L z4*C)UEePo9Gk2K;G*|mf4j>wItTuF9L7AnF(K?NBlj+4>!_=C|G3qE)RuF{%202(2 zlEOD!wGVjju(W@3nF1;VlCF~*-2>T z$mTBdQoxb0Vki8r84oyAF|e+^LlNe}AKhn*tZqUGNYzvlR8M-9R^jH|nco;uICI9- zLhba1TyyDG3ARhhKbb9`giAUqDLmBFWacxAjZqgk*NCB0F03~oozWSg5~{LdL{O23 zcc;i%q=B>i8wA4^$a{-j*%`no>?P5FIUzY)W(=}e4;0UgA`EGmV4H=TJ#>tOw*Zxw 
zyb{bM^CDM4d}!B`-D)-kWxcNm|FDkK?VHqweL?I)w4`c??VFddShialRyZN-0QQ&4 zBxTv+Q`lL&nV~)lpS52Wh0+j9J%`WKj3(*2y36%^VZ8|g5sl^|3 z8EosSg;A)M(DXAZKIk6KNIZCUK?s8TZ5FgYp-~XVf20~Y=H=q2o|km4(RNLsF-}qy zHI4N~B_p?d@0pYF8wsNTD9FMFr^Rz1%Syjm4R(w^IFV%aTvawR(%W#|g)F4TTM4x% zdVYs`xDF2kwmuQBeQpxK?pcQ&?H(@6jZr=cu9eiI9mPf=N{I0|C(WHUB6>FZ3qw80 zO&5$w{EkI18V& zKAaxcYX4#AxPXQzrmf0m4$}tL(OQ!ci^CoN28)Qi#A;jv@23Gl0hH2)c3Pft=hdCY zRZ3N+j)y4CFC^Fs>j;+Wf{QWp<_+{toA+E9=vI_kBoWN4u=Bj_xsOVStD|B^j_rC4 z+rxS0e0#q)ker2L*6ww70j=tHpFZWHlK5iVw>SOhKiftJIBk=oWJQ|{DqRjY`4c&E zP&CUUKBD44lt99FTDDCOO6YD~ibBwBZJTArAkMW*Lu=>&n*A6#hW>CXXxHwr97*BP z1BHhQ7OpN-sPC?SO`;fv|yE(;ky+l`!maF4$&mdwZ6FY-~pW`uyB zXh2Z^hCSjxU^K=2gL+`g{YUBn8E$aqOCIw0Vg(=m1evSpWfi>e^LUY|`P}(w)^v=7 zxQOKG&+k+}7H>R^(|{RTZX;Z-xYGdnmQ7w_8ELrB+Ye6mL&}B zSF^f{2Jl_e@SZZjGr^K{w-|ahPlD2&+658cp#HBk1&jOKzT)~=I%ob}9jnjOwuf(2JUIWVGWx!c z#pcEt)0Thg22RE}?6bHT@BB2yf;gOx#aJyHrhdY@b-w0{a#JSJAcnCR{g%$g zZu(IC7oj)Clgp?JU14u-^*aA~#HUg4()Z9WIuz13Tx&IVR`Xh>Pew4wN_zv?U6K#I z_rb5{=G=)R6hwq-FS1h2g`lt1kxoe?6w;DLM!jQHnd}eI1Ym&V2ZU3atEnGq{F!AW zwwTO0JpQfX_z+kHNJ&IlH}Gf%5Beu=eJ#-f&Lu(Bwsz4vq2eD}O+X7`;)V0q6_%e= zethnKF`1Al`B}qoPpO43g<|Icbc{dwBh0dbhGJRjzrr2-)zoj)t*o$KDNM{6YxG*z zKGPruZUk`I4OsSqV1zixa|0&8C}A14Jht+Xwbt<|#b-Err%c_1bw_SCN!O)`$+B=x zkHblRft9JNdcvraF7=iU1K0EgYFj7)ozDxlVFPZT1BhhToKKta;7PHvUYea^hy$}) zCoog=^5ML9&YPY@)rel5_gJt*2F!0m15q<3%1^T#%<)~hhsiq94QaGxai_Vrv=ppe z0yN89y)>+=9%&rp;9en^hm?nvRG+X!qs+s-5eLp@+$kyWQ(-TREO)B>%P64tNxkoV z8YvnXIbT-wV*4f)<1(Sx0$usi>slQYW~>rDv0{Z1(Rb?SJm6jP7nT`7fxDkyz zSX~p>w%f9g)%WK2-pABkGr@F2H-}pOr)o%q(|M{>s%Q*A#c7MU%2<4) z6}M|`MvXEG2%ZmCsLKOL4&li;lC62<}6%mAwa#{`HX*>MAt3N+4wWroW8<;}8YzStb##Ba&4LpC`wJ!o?_gi}TW+P8!C8W;C zKXhgKOE+MPR;3b<(T7EEJx+mW;;>qNmEvs_2%{q`aB8v@Db)L{@a`$2{!53+c6haI z7}?CnP*WxPlRRJImcafv&kfUsVQprQDTi&2>BLMpL97u`2!4iYiSh-5&J8nDUj1on zD7vpt7#@_MkiY^W88tOkpUkiduFILEdvKe-KBAk{nzDh7Y8pJPYnh;Hyz?O6G+Y(9}l6Vk;sKNLqB{z{e*T%m{O{ zEwz1^&(vos_vAE~rd(JV!d}Qe4v@kFDaQU|aa4!Mzkr80%>7-B#(?grSn(o34uyKs 
z8O}N|e^fW=9OC#XbfV*9SLa7belvN^aAZGXRheRnqI!PRba+I2xd}kqB3DmcAnbT! zsUpBts$rcb2iz9m3(hD+e~qjvOM{#5$5d1>jY04<5t*J^cBMPUs+<}&;LD`c(JJkA zLiyC{x*88;-$o8pcA`d_;yhcL z3tNuuIRiHA1O|HQPut&YDY#XULH4>W^+a=~aO ze@qLcPe17x7zCFmp@>*L^>73b2VZ6V6?s!O7Rj;})=Oq2j9(tJ?D}Z;e4}Z3Sk4_g z+QeO{(!Hv!eU?yFA9KySHdA>U40JNYcWlI4LcB!5z%?`f1RTVAui5#aFq+=7fDEDyMKs7?qLGX=lYpI0%EdRtCBG0t9~o+OV2y8gJopaxt3jY<4X-;;ps2JW(72%WqP$jstQA-lMp*RV<| z4>k;Jfuth+#WE0*I*(6`pW_b@z(QU+-5PCts2WD7<<%01WTtO1|A(mP|C1%zx!wNmnm8%25qiU6vJX38?hCoL(3PGIwKh57IIj z&;-C_Rz!Ti0ozBwdE^~0255)1O131k-nV?w?>j6#pUY5E!}ZY6ieEb9ra+icFv~$w zPIGE*#z5rm>I5$n|MyYT1q>Kmh2EXvh+YaFHCAwgHWOoo-@;p*IIyP@T{ z!%h5i(P|*th)m(whicj>4iOyRXl5d|;7m$B12XDT3cp;_*N}n`wY`GkwgDc!tt0&X z0yDyS-ts_zazHUZNLkuWXop`R2HQ1)SNwwWV`*R)OUEEX7G~XxW?ARpl|fj*skl-+ z*6xnx=d^z~3y86ESR23NFe4<}&c8zrCNidAgWlr`Q7}W@XJIv&nK%^A&4BY&+1s6A zoFhshwPxWTVfh6I`cznY>NN1KP6cya|I4Mj-;e3%iF6p&2E7A)Ry85S)DLq?(;wq@U|f zUnx`%Z0syoDh&QfJpR8KLZXk~<)AWc=ihmJ{cYD6{l(B^gMf7_E)yIK7vnWm6@}<0 z&CV$7EPROUp>-GM#6M0zF z;O$A~BrI#ptZQ_i>9{w6-Y_%?lXA(tBK99oun3oCe2?20^T!3eAIKN_@H}(@&>8C2 z)r!grab3%TyL33t%3f1Jn6c_S2F6TNf8Nbzi8{lT8-CnBNIrcVp5f&9zPJ3>N;wJh zx(%Eb-`!0biQ7{QZ*mk^uo4OBS#kWYF_Ud_JYH~Ib8IT#{pbfCZ>P|>)T0+EgH|cD z&oD$Hk+Rz&l#>txC?j zJinh41RCRC_|n_ZnFeVqTzj{09Fpl+%gDNH;k|J{nf?U0#nay@BbOe=YU$e=P&u>n zrCx>e+TPN9{^E^~$Qk|L(qD{z;kS7fheRP@vi3Oa z)7zwt6?V)1LQemyg5_IrT0#s%RleWAYx+z<&)%uEq@*+v&SG_%Q-@=xV^s|F$u+ub zuP+9^_HeCRy*=NC9xWcYz3J|v$00PDR+|?Bal0S=KtDTH`5I73ukm)}Vv-?b;kJW6 zhrsh1?ElPP1|-NsP-1%{7BbhJzf_Euy~~;F+%{$tPkJe3Wd=V}N21mBC)SD-h5E5Q zi!e~MbqvYWV6M9(=dPdl#Ks|OBQUiVj5Il?)Rd`-!riRP5l+_tpZ#JW0HhN`y)sx8IpduMu!J+?EfHoKo8d?%#0O zCnoZ&CH~>mH#=V-cEu~gs_uD zvHNff?2)JP-y)nVkN_%F zw6~ialLG-DIu50wxAwBAb!OdUB3|}oWg?d1S%j_kt1Zn~%x&Bd8X>!ZFu1lsZ;3Mf z6*qF_j~(j9czvyW8?>dPz_B11&ndD^f3-sAdWtI_C!29djc5*h%(y! 
zTjM~KJemT-BL-l0H<Jf>>E$GAeG{h}uv#%`kU3oj2}G2%4#Lyb7-DgZovASKFdQnlG6ZnE!_ug&7#wrPisG?KAr5?^VCu zCuV^&EFxev#~pCiBsk<)`_kx4ga(?XSHa7_Y*NLvzx+OzEMF6N9%u<Sf2e#YA zwQyw^*R|A<7L*M_dJDe&Hl*R`!5;AMLeV02JLKkMXgXi~$nn9s1+N`3X-w+@Sf-<& zIZZLRIL=_0pIUwf?x=m_{|3#W2r+ZhABY#U61U56V~tLoPqlQ|qb`$P8;=?^10Bex~xiiRr`kYas#WXP^e-=FAX;fT}SvEOh1!DY|X1+6LL?NPE za``-=&Rs*O9zN5WlEDE6rl5X51OQ?;H*lfIY9cJ`{o%gadEd#M;uJ%CU! zO6#mw1U6a14w_Z9BdsbsI7^B+zaCMnN{pL6hL+Qzs9g^FdRI^=&O97mdmlpqZS5Od zeI?t$hxV+&#zMy-9ftK8uOr%4Us0aWKL1~gCeBZNqwq>{&xVaGN{yoq1r<)yBb4fb zM85Kf?BmCsD=?B#8krKa$>3uqs*AwP^4&Wb>S&`T+f_n(Z#(Ay<~H$hILLXP9%>d; z8*dO4BK=^ShP%=Lx3pGW5m}-RRw^Yh${mpz1Uq#6KyCsQt-)^VV5&is38*^Y9iV&o zE-47ilo*M`@nG`1NGHOmBq@KA0CfL_7@$(VKfUGAwbL~;Pue1)dRV!^^*#fr_|Tp5 z=M(YtFC?XetG0EK(sRp+XCQ!?KvE4(xaxf3t|Z**ET`$0+Z(1DEu=ogk#-_3kL(zI zZ?TT1KT&GrWaPd)WRbEBvhByUq<3VvAG%eip6Rm&5BZICr)FsXcf7??7U41pp}amN zn&qtF-qP^*N28$SZnZy>bv-Gg!2|y90M^C$Ns@bX<@oXW!ljo?=I{#@@ zNB>nW*KEmPv0ewJA*fRRcnN(OXBhOmm{v!M*euW#xQFK?ayv{EEU3Es{2+oDz&KBD9Op}K`fv-u zduzb_$zTgJB(Z~1g%avg!3fX>wWlv{BZ6wFXZkh3L*8RRnAE?3mkq$JSl@n7Fy{_) zD_JOU`&NwKvk9<lfAo_2V@tR*42Yr-vsyAn6~Orls}Bxj;@lBA(F zZMkQ78xh7}o{bmL1sz!|t@`|R@<|X~=0!rQ-!`F@dv~vn^qak7Df#%;7F7qry=b)j zpQh#D$ByZwc7PQ?KW8HF%v@BG$nAj{VaX^%5>dM|&Z$ zp`)b)+B07krZ6w8>lk)T=m8dU`F9p02)}1B5>`pMFsW_(1@bfVH(V^c)L90Wzpu)) zv0t=3dQiNdUthaipI}QnmB?RLm-4Rmm&A!iq`H{|_92z5+EY14Bg(@U%h-!-@sdjNuHR=T zwP9-r=vwS*b`}s+B+Z8DA z83<8enPFr0xK_lEtaOFBZ84AYKr?7w#ly?v5&ov#f|m{Wuuqab^;$M6Q((XekcyI2 z-2GZjZ&#wi{8bTHW(FfkPX~-HG@Ls_DpAZ7HW@LLpnraTHPtt$M0vAjpUT|VS!@rl zGCzu{lZ42xjAao{ad9X_CD{6YNGdBE>~o`7=3bRJUr^G z2&s^7LxU!pwkFc;=b{`5qfwnWKhQ7tr4966t2Cxr)PUfsj5pE7a6|ta3 zhTN6p0`x4!N8?y-g)Y>Kh#=}rV&d_?f|}L%M1eq}X`eHj5HuZfz4H-awY^lL49|6? 
zky1;&jfYPKL1*ZBX9pS1?Ube+(fbObT#x+Jy%jvvlc@|iE%s5^4z;kSrmgE><>qe$ zf9^O4zAm4vY$&fy88i`Y8Y|^b+DY#ohG$+g4qF+5%E5$I4}GsD=s-5{l2IoeomNph zyS6hJ3dsI%9T+?wqu<`lX9kpXb4gnh^%r_*J(ZKmTn*xR`!u*$<{RLi^Sz4Ok#6)m zFyLlKPmjpRf6)_{3>D-U8xV6jdhRno>?`z(%}6GcV0-6ka4B%q6yZsak)UKH83PLFJT*=k@0ca#y_OeA^P_&s4h*tod0M@Q47U+ndjg_+|YEM z&YGhp(5_pu$>Ni(;TRz&n8&bB*#pe3*cGovxKF%F2lYJv@MATEPLmG**hGjV-!mH^ z&d#91-Mv*q7{9F-{}$9u-z^<_`5U2bEDLq=@IwzG=ak*P0aZ5LLNen(6G3Up zeeVY7FbH3?5cp1|5BW}M37#kuuth|cKQw2UuSHr;U;rqRTL@~UN(l>L<50! zLn*~_U`q_7+3xnWW1Rs0Nw#=Q^0vazo^LxJjY&{fld70A>z^XuSqrDJK|jH!FxJ1L zz|*(4f^hXJl+H|UhXe~t;f;nYwLoYfNPhvt0+CNfq4RWcK597-7K}r7TkNuIp!?sd zJM(ZT-+zxQWQ}ASdy?!DUt&ZumPi>}B3m(blC832Df<}NQ;4i%t1x3rwosNC`%adu zA!UiE&i$xw>imA^k8^(Ky3X%B*YlU_9``fz+;czo-0#o(_3i_udUL-?`Zc^--))Eo#WcP76Zn)Q^4;UZ(+f*Hg7SP?UUv|gf{4Mj z6&GMmDDHH7=jL|PDur~N^ry1T)~anGlfDD0;e_lJBQ+wK6_ zn8&?(J)v~cdLd4@YaY3urVic#mFKO$y)nGpOt8U?4YrmGK>=*=)@v&@AYg5Tdkh5k zfw;~K4xFwaXd8qV9~ePa>WP)z8JF={G3gMoF9+$5y;qsB4|V3W&cClA^jLfvOc|1; z<1lOuf?ejc>#A4iYB#)@=p+sb6irT)aX-s+&$&doT0e=m&=?6sK8ETKkqm*W41G%B z=&_p(^6n=$Zzkwjtm&M0ndu}VoNiGuy}6GuTd(}(d9eKJ-fso=qbri+91O|D>4#jo z8mhi23HBP*&#@Q#3w_^S{=O;3Q=TDp0RLu5&AZ&enSQo*!>_a_&X*=P8IgG9GBaRy z`BiS1rtl;EIHa7u*zUW+Nz(l8FG*kYH^Z;>@{fH73*}ybm|R((kG(fZS|qk`0|8-~ zd637!(ClWv{=tFAV380;?{1Iq8@ujz|Is~NrGxHan&FT+rKh`(1eVWiKQ0sDo98_e z&Z!$7oXe=dl_s}PcUYc|gDIk5UfcIeNjCRk#EKt?rPPIZT`5ooCP;HP1)0l&P+aXN z$E)URZL_IFBPF&AmLGpAGa&7ptgN$41fBe(k#ka8$T-K^s}ZxGZ+!|mt`zjqoZ^${ z2eeXI#b1>zlrE+&_h!F_DT5o!W+1FaD2OXsK;nBOQ-D#q2)P7o&wdS;%ZExYlW$+0;D*~h4iiN6mM$xdCTd0>1s zx9|#vMQYlwUwyf1BlwZLrNwNkr>wV=#i@3DrDxrsWa27k?y*PjF+$tf4KDn%$cmu% zL|?o4p7IY9%_9BLnVKnZy2PEC>o*f>f74_FiIXI@Pp{?3e$;vk>Op-!HGc4d?vq?- zPy@Szb&$}aq=NM|x)4 zI_&|aOUo&V1rgo3?R+ald`88vU+0r#Z8!dFJzvPyY+0?8_`FUk;5j6QxPbWTwyolK z)W2YNI=nq{>_r|*7JL;nd^Gn(+V+~1Nf9zDBMfg?tWu4pLH&D!z5Bpf}}Ek zfa~JvZgr$t&1a4Q^a*%LFWiM_I7v(AK4kwud9j_qHZPok+rRbvdjjYI$HMSs!^jRk2 zd9%dOckIL0$)EHmoH$c}2%{(MT6PNV%|6rNX~_gnc!}$9#_2xY)>8{NbYp`vc?ELw 
zeDUX)(i+@&q838Q=j@X$+aIWq7~B;J)91J2S5VQeZNrKsB1_N$E&&zc>{h}BXPeHb zjo1smQv&yP9n;xLiw}53N&f*OZ9@=`K6H&t_}i88jp7U|E&sD~&P%eiA6_Mikg6#w zoU#8jk!d;tL6_~g*q_fI6WA8 zM+z8mTv}%GRaENs!DQ}r*bylur?ByX8%@gZaV?^A+`X>h2=>X?qg2O*XP@nys9t}0 zmF%h1pL{N+(+5EP|50LC-+n;nvLbdE2al7coGfMj6snvv`eL)M)u=A^sdt_Iwu!++ zL&FKRH7_5Q)09%|$xnEPBDuKEZ^+qkrKn}l=V!&349#_yqHf9A@h2h_ZX4fJdq^12 z^&8w0O^FnQQ-dn3bHeH8OD}H-A`x-(GmL(8C;P~z!=JDkXbe;P5<1$!aPvPy9g;NZ zn5macZFyZ?F){4q)DgGWCZ!3UV~nS1ukUx1?SJ0}CU(}wBZnTp(w!8Rpp=#jt1JdU zE~N=3%~2GszPC5Qhz+@dR<2XIZv1K=jhFSYv}PL`W#1WKh9YO!pCoHd&2wC2L*=5- zeX2-|WTnJpR1Ae2}I)sc}!%!N|XgGFOl7yH{eOdI;= zPUSv>cev(i@mRcRV&lK!;n}jqa#0dF2vRhQB6pz2dr3|%b`Il5uYQdnwYbHc5%0*KPh7hiu;KC?aXwq%dGFactCl34aK=D=dG{I7rdysC z$BqlC8ZGZTeNuectP5k8i=IDr>M+Z~gbYWuM?XvIA)STjL${34FC)M%cUEc6LT^r5 z3?UR%I&+l%*=g_KQs%Cs+Cp@lhS{96puDdtki3ZHtYURr}VOJb~oe32M32c#l1~$)lKxs@>Jlp zoY|^wWZd$i>G3DXCTh=$M%YnENq8j*filF}BV~-0-`d{t7gtTaoZ6V!zk2DQiFYKe zW>NKWaRPSO?OTgdiiTBLPmeoez)R_LML*!B3}DzVYXxsnWLHK~yO(j~^W5lCyBJhw z>(t;cy4|DP4$LKGeV6Hm{WI59_{1(<#x#i`HBcvAa_jbespVbj$}(YBi=#FsxWa}4 z9e~sFKT)o3TjP-!E`Pddb*^*wnZ0=Od_;b^be4&yOoJKEPl}}yNoR}MP_{o zh=)^KuiL5|hn=pzCL8D1tSjkzxwzALLe$~}QCC@}zc3~5Q*Uy|ox3(A;}Bu%?lvTQ zfW@}4qM-KIUV*mGe^fpGOMgkYRmTw49;?OE{YLo^-&IqiS*3QHNIOZSOJx?SF5%Y@hLVW8;9f-h3c`(^Sas@UN>iZWBXHtIb_@N z?S0aGyN>XN^=L;EDX2ap~@rDYh9A$A~1$s_= z9ce}(XP%6p&0JC3q+K+Fb-AoTONSAQ-d!UJFSZ?L7LwV@`M$?|i-#+$j!Mwb^_%hC zjY;FeP@#i46ShQ1dk@#jT1`Yg&(3yWQXp3!9u>t%sOJY&z#

h(CDQHwI5TMv?~P z!Q-qH*GO_}e981-=)T~XN!3AY2(VEaB!8RgQ!{>V6dh)!sy3CtE_kJS+9(XMmS6>s z*|seSV9L2O&g9fso(fz8!B2uk{@`iR%4P~Hf+C_EHSRn)Ybiy+u%Feozu~kfrO$#v zzWC}Oh>2pg!`^=nJD7*XJ)sdxUX_f}<$ZXB7Uxe-gYlesmZT`t>X@V>8(#P9_dvdx%FxBI-JJ)5upSs4vvsy^jz+L^OhvGo6G+56QUt>%h$I@>nHHEO&nNY42f&N_gp2s1N>Z9_2b5yNW*#Wu~ zgg~KC)P@h3Sjf(w{=k2Giy%Un3y*ppzS4s&)&Co#r5p`6_^D)MrQWuCuIoJ@ho<{W zKT`L0_4cG5{0de-C~K&&(3k@E@tPqAY|S21?4*s<9k#{!;G-4-b$c{K*oaTyZ*leF z5qhvBjAWmI)P;)DIZ(MEZq~t1$eK=~8CF8Gti3F|B4JovP&*I06i_S1OEz9}I`8^6t-Z z2Joer%Uq^x3)Yzy(!2Pq5lMj0Dx_MM13zO~R4B_3Vne@dB!7~#XaK}$odVgSSXsKi zT5}*ymxw`%+#a5kaK^@Fx5`X9w3EXBxsXMPB`T%pwoN<6I4Gncb zv(cI{LePLb{gPwCNO2kQDFy(pWa8 z@TOr|bgJs5#&vFijTN*{(>W0#?iBVXhZdKWT_k}vQGHbA-5s841)CyTS#_d~>It#FNR1SOa5ccJmAfto%}ZLUlx`=# zjJ%UzJjJY>MG`+16*DZRrW_bp!Fc1MlYtn3vi(yzg7TRO<>MvtOaEK05!_QHEuNAD zHkAp94KQbUgUqbm#SR}ss4iIS=sA#6M`#4b-sfAn)?CtezjIoFIorZ4y=s#l_&IPV zf+286$til^8hLPi#pN~rAa$g!awgdes}xrTuBi6E7tR z{Y}TJ*rj6$ud7f&Zb@F!P^tB9XE62vJOC7RisWXtCjTZx0J~(|JcsMshN%9}ACz}B z2%~YNd7u3KqQjaVqm&KHDVE;pYIM5Y1$IitlI$*N$qjvYQH*>;o>_}cGE4^|)B!Z{Q6lm{N)#S=WT z+i&Hk7+}lga>+yTQOme1bnXL3U=-p4aMCU_){u<(&>zBsyyM}i+7^hclQNCuy!^f6 z>MiC~bqhC0bCAJc{o10Pvc8@|MC<%uVD&jA3L^GwA7m5!+B*Sbeb0UwKi-%)k8C^W zrRd-vtbfPF6>#?5+j-@PfKW(|Yn)pnBV0hLFdy5gel2DRz*hj16!iZP-4sZzZ$vff z9tvnqvVXFk^wU~2=duyteKr3b6b&3P>F(aDMm8W;+DK$K8Tt_&fK4qyNy>m}^%BIZ zyUlKjKxnHc!y+y4?)DV$pF>|?TCIR&7{6)}5HhWqcs|A>`;j~Ybo?MmL5)B&8H;S~ zpNZcpRvch1{yT8H_~8FE2z$2^hG?hSzca}H8{L4Ilx;M?q5XEAkN+hn?ftn}?WaBk z0!jAHzH@sqB){6WuxtDZAK7bb#J5|5fz^7;Y-sZQDHL3?cXqv=>@k9JF~Y3A%;oRK zmh8QfExvKE1gaIAw)xVfWA**=UjLB6M{T3qhLNfiYQS&vWn;TsVEg#qi=npcgW8Xm z-n_&@AV{8?ZYc3(@5~Y2o-dL9e$m|OtU4sb{W?+2s2dvv&`np7^bP&TYr^hcQ*6uH zpKryL40@k{E4SAL=+5ETFI?PjJw!q=20wf_dskEty_X#Gt8JY0Znc~x3ZTk<9#$9r z&j%0W9Q%1Vl0x6Cp9g;5Z#nYA{t%AsUm2tSRW~w^YrgD!r$0>fk@{Rkn+yp!G*mCD J6e(K-{s$S{>hAym literal 0 HcmV?d00001 diff --git a/docs/partner_editable/_settings.adoc b/docs/partner_editable/_settings.adoc index 9554272..c8dbb62 100644 
--- a/docs/partner_editable/_settings.adoc +++ b/docs/partner_editable/_settings.adoc @@ -5,7 +5,7 @@ :doc-year: 2021 :partner-contributors: Bill Bartlett, {partner-company-name} :quickstart-contributors: Shivansh Singh, Amazon Web Services -:deployment_time: 30 minutes +:deployment_time: 25 minutes :default_deployment_region: us-east-1 // Uncomment these two attributes if you are leveraging // - an AWS Marketplace listing. diff --git a/docs/partner_editable/additional_info.adoc b/docs/partner_editable/additional_info.adoc index 886bad6..847c02f 100644 --- a/docs/partner_editable/additional_info.adoc +++ b/docs/partner_editable/additional_info.adoc 
@@ -1,3 +1,35 @@ // Add steps as necessary for accessing the software, post-configuration, and testing. Don’t include full usage instructions for your software, but add links to your product documentation for that information. //Should any sections not be applicable, remove them +== Post deployment steps +// If steps are required to test the deployment, add them here. If not, remove the heading + +After the Quick Start has successfully completed, you can log into your {partner-product-name} deployment from a web browser and verify configuration. + +==== Verify Distributed Search +. Begin by logging into {partner-product-name} search head to verify all of the indexers are available for search. To log into the {partner-product-name} search head, navigate your browser to the URL shown in the CloudFormation Outputs labeled "SearchHeadURL" with the credentials of "admin" and the password configured with the "SplunkAdminPassword" parameter when launching the Quick Start. +. Navigate to Settings -> 'Distributed search' menu item as shown below + +image:../images/search-head-distributed-search-menu.png[distributed_search_menu,width=850,height=294,link="../docs/images/search-head-distributed-search-menu.png"] +[start=3] +. Click on "Search peers" + +. A screen similar to the screenshot below indicates that distributed search in good standing. (This example was created with a 4 node indexer cluster.) + +image:../images/search-head-distributed-search-success.png[distributed_search_success,width=850,height=202,link="../docs/images/search-head-distributed-search-success.png"] + +==== Verify Indexer Replication Status +. Begin by logging into {partner-product-name} cluster master to verify all of the indexers are successfully replicating buckets across the cluster. 
To log into the {partner-product-name} cluster master, navigate your browser to the URL shown in the CloudFormation Outputs labeled "ClusterMasterURL" with the credentials of "admin" and the password configured with the "SplunkAdminPassword" parameter when launching the Quick Start. +. Navigate to Settings -> 'Indexer clustering' menu item as shown below + +image:../images/indexer-clustering-menu.png[indexer_clustering_menu,width=850,height=294,link="../docs/images/indexer-clustering-menu.png"] +[start=3] +. A screen similar to the screenshot below indicates that both the search factor and replication factor are in good standing. (This example was created with a 4 node indexer cluster across 2 AZ) +.. _Please note that it will likely take a few minutes after the Quick Start has successfully launched before the buckets are replicated and this status window shows both search factor and replication factor being met._ + +image:../images/cluster-master-sfrf-met.png[indexer_clustering_success,width=850,height=202,link="../docs/images/cluster-master-sfrf-met.png"] + +== Security +// Provide post-deployment best practices for using the technology on AWS, including considerations such as migrating data, backups, ensuring high performance, high availability, etc. Link to software documentation for detailed information. + +The {partner-product-name} Quick Start exposes three user-configurable security group access parameters: 'WebClientLocation', 'HECClientLocation', and 'SSHClientLocation'. Be sure that the 'SSHClientLocation' parameter is accessible only on tightly controlled authorized network ranges as this allows direct access to the instances. The parameter 'WebClientLocation' allows connections to the {partner-product-name} web interfaces, while 'HECClientLocation' controls access to the load balancer in front of the {partner-product-name} HTTP Event Collector listener. 
diff --git a/docs/partner_editable/deploy_steps.adoc b/docs/partner_editable/deploy_steps.adoc index f679a61..c225957 100644 --- a/docs/partner_editable/deploy_steps.adoc +++ b/docs/partner_editable/deploy_steps.adoc @@ -31,7 +31,7 @@ NOTE: You are responsible for the cost of the AWS services used while running th |https://fwd.aws/DD3gQ[Deploy {partner-product-name} into an existing VPC on AWS^] |=== -WARNING: If you’re deploying {partner-product-name} into an existing VPC, make sure that your VPC has at least two subnets in different Availability Zones for the indexers and search head(s), and that the subnets aren’t shared. If you choose to deploy into three AZ, then your VPC will require at least three available AZ. This Quick Start doesn’t support https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html[shared subnets^]. +WARNING: If you’re deploying {partner-product-name} into an existing VPC, make sure that your VPC has at least two subnets in different Availability Zones for the indexers and search head(s), and that the subnets aren’t shared. If you choose to deploy into three AZ, then your VPC will require at least three available AZ with three separate subnets. This Quick Start doesn’t support https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html[shared subnets^]. Each deployment takes about {deployment_time} to complete. diff --git a/docs/partner_editable/faq_troubleshooting.adoc b/docs/partner_editable/faq_troubleshooting.adoc index 6d2bc07..8590650 100644 --- a/docs/partner_editable/faq_troubleshooting.adoc +++ b/docs/partner_editable/faq_troubleshooting.adoc @@ -1 +1,8 @@ // Add any tips or answers to anticipated questions. This could include the following troubleshooting information. If you don’t have any other Q&A to add, change “FAQ” to “Troubleshooting.” + +== FAQ +*Q.* Why is my search factor and/or replication factor not being met ? + +*A.* + + 
diff --git a/docs/partner_editable/pre-reqs.adoc b/docs/partner_editable/pre-reqs.adoc index 6b51e8c..483418a 100644 --- a/docs/partner_editable/pre-reqs.adoc +++ b/docs/partner_editable/pre-reqs.adoc @@ -1,2 +1,9 @@ // If no preperation is required, remove all content from here -Prior to launching this Quick Start, you will need to ensure that the SmartStore bucket defined in the "SmartStoreBucketName" parameter does not exist. This Quick Start will attempt to create that bucket with the appropriate bucket policy, but if it already exists, the Quick Start will fail. +There are two important steps to verify prior to launching this Quick start: + +* Ensure that the SmartStore bucket that is defined in the "SmartStoreBucketName" parameter *does not exist*. This Quick Start will attempt to create that bucket with an appropriate bucket policy. If that bucket already exists, the Quick Start will fail. +* Upload a valid Splunk license to an S3 bucket owned by the user launching the Quick Start. Take note of the bucket name as well as the path to the license file. An example may look something like this: +** Splunk license file is named "splunk.license" and uploaded to an S3 bucket called "my-s3-bucket" under the 'directory' called "license" +*** Parameter "SplunkLicenseBucket" should be configured to: my-s3-bucket +*** Parameter "SplunkLicensePath" should be configured to license/splunk.license (note the lack of a leading "/" on the license path) + From f4c4a6094ed5deb10e013c8d9c0c1db3ad572f62 Mon Sep 17 00:00:00 2001 
From: Bill Bartlett Date: Thu, 25 Feb 2021 10:41:18 -0800 Subject: [PATCH 33/47] cleanup and rename of templates in order to use the automated testing that the AWS Quickstart team provides, the templates need to be named *template. --- scripts/user_data.sh | 26 ++++--- ...yaml => splunk-enterprise-master.template} | 32 ++++++--- ...rprise.yaml => splunk-enterprise.template} | 67 +++++++++++-------- 3 files changed, 71 insertions(+), 54 deletions(-) rename templates/{splunk-enterprise-master.yaml => splunk-enterprise-master.template} (93%) rename templates/{splunk-enterprise.yaml => splunk-enterprise.template} (95%) diff --git a/scripts/user_data.sh b/scripts/user_data.sh index a9663a7..0ca7ebe 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh @@ -227,7 +227,7 @@ end # add base config for peer nodes (indexers) as an app under master-apps # peer config 1: ENABLE HEC input on indexers - printf "** create HEC token\t" && date + #printf "** create HEC token\t" && date # generate the config file and HEC token sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector enable \ -uri https://localhost:8089 @@ -246,10 +246,7 @@ end disabled=0 end - # Configure smartstore as a configuration in a bundle. The same configuration - # ... is also added to each indexer as if the bundle was already pushed. - # ... this should allow easy recovery for maintenance and future bundle pushes. - # ... note, SmartStore set for all indexes. + # Configure smartstore as a configuration in a bundle. mkdir -p $SPLUNK_HOME/etc/master-apps/_cluster/local/ touch $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf 
@@ -319,7 +316,7 @@ end # set splunk server name to local hostname. sudo -u $SPLUNK_USER $SPLUNK_BIN set servername $HOSTNAME -auth admin:$ADMIN_PASSWORD - # Increase splunkweb connection timeout with splunkd\n", + # Increase splunkweb connection timeout with splunkd" mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf < Date: Tue, 9 Mar 2021 08:34:50 -0800 Subject: [PATCH 34/47] cleaning up docs --- docs/partner_editable/_settings.adoc | 2 +- docs/partner_editable/additional_info.adoc | 2 +- docs/partner_editable/architecture.adoc | 4 ++-- docs/partner_editable/faq_troubleshooting.adoc | 6 +++++- docs/partner_editable/pre-reqs.adoc | 2 +- templates/splunk-enterprise.template | 8 ++++---- 6 files changed, 14 insertions(+), 10 deletions(-) diff --git a/docs/partner_editable/_settings.adoc b/docs/partner_editable/_settings.adoc index c8dbb62..b84a15e 100644 --- a/docs/partner_editable/_settings.adoc +++ b/docs/partner_editable/_settings.adoc @@ -1,7 +1,7 @@ :quickstart-project-name: quickstart-splunk-enterprise :partner-product-name: Splunk Enterprise :partner-company-name: Splunk Inc. -:doc-month: February +:doc-month: March :doc-year: 2021 :partner-contributors: Bill Bartlett, {partner-company-name} :quickstart-contributors: Shivansh Singh, Amazon Web Services diff --git a/docs/partner_editable/additional_info.adoc b/docs/partner_editable/additional_info.adoc index 847c02f..1e36aa0 100644 --- a/docs/partner_editable/additional_info.adoc +++ b/docs/partner_editable/additional_info.adoc 
@@ -25,7 +25,7 @@ image:../images/search-head-distributed-search-success.png[distributed_search_su image:../images/indexer-clustering-menu.png[indexer_clustering_menu,width=850,height=294,link="../docs/images/indexer-clustering-menu.png"] [start=3] . A screen similar to the screenshot below indicates that both the search factor and replication factor are in good standing. (This example was created with a 4 node indexer cluster across 2 AZ) -.. _Please note that it will likely take a few minutes after the Quick Start has successfully launched before the buckets are replicated and this status window shows both search factor and replication factor being met._ +.. _Please note that it will likely take a few minutes after the Quick Start has successfully launched before the buckets are replicated and this status window shows both search factor and replication factor being met. If there are errors for replication and/or search factor after 10 minutes, please see the link:#_faq[FAQ section] below._ image:../images/cluster-master-sfrf-met.png[indexer_clustering_success,width=850,height=202,link="../docs/images/cluster-master-sfrf-met.png"] diff --git a/docs/partner_editable/architecture.adoc b/docs/partner_editable/architecture.adoc index 7d2089c..c73db70 100644 --- a/docs/partner_editable/architecture.adoc +++ b/docs/partner_editable/architecture.adoc 
@@ -10,10 +10,10 @@ As shown in figure 1, the Quick Start sets up the following: * Two Elastic Load Balancing (ELB) load balancers: one to load-balance HTTP web traffic to the search head instances, and the other to load-balance HTTP event traffic destined for the Splunk HTTP Event Collector (HEC) across all indexer instances. * An IAM user with fine-grained permissions for access to AWS services necessary for the initial deployment process. * Appropriate security groups for each instance or function to restrict access to only necessary protocols and ports. -* Amazon Simple Storage Service (Amazon S3) bucket for Splunk Smartstore usage. +* Amazon Simple Storage Service (Amazon S3) bucket for Splunk SmartStore usage. * In the public subnets, EC2 instances for {partner-product-name}, including the following: ** {partner-product-name} indexer cluster with the number of indexers you specify (3-10), distributed across the number of Availability Zones you specify (2 or 3). The Splunk receiver (splunktcp) and Splunk HEC are enabled across all indexers. -** Splunk search heads, either stand-alone or in a 3-node cluster, based on your input during deployment. In the latter case, the search heads are distributed across the number of Availability Zones you specify. +** Splunk search head(s), either stand-alone or in a 3-node cluster, based on your input during deployment. In the latter case, the search heads are distributed across the number of Availability Zones you specify. ** Splunk license server and indexer cluster master, co-located. ** Splunk search head deployer, where applicable. diff --git a/docs/partner_editable/faq_troubleshooting.adoc b/docs/partner_editable/faq_troubleshooting.adoc index 8590650..64798a2 100644 --- a/docs/partner_editable/faq_troubleshooting.adoc +++ b/docs/partner_editable/faq_troubleshooting.adoc 
@@ -3,6 +3,10 @@ == FAQ *Q.* Why is my search factor and/or replication factor not being met ? -*A.* +*A.* The most common reason for this is the cluster replication or search factor is set higher than the minimum indexers in a site. For example, if you create a 5 node cluster across two sites, you will have 3 indexers in site1, and 2 indexers in site2. In this example, if you also configured RF and/or SF = 3, Splunk will not be able to meet the required replication or search factor. (RF or SF = 3, but you only have 2 indexers in site2) For further reading, this topic is outlined in https://docs.splunk.com/Documentation/Splunk/8.1.2/Indexer/Bucketreplicationissues#Multisite_cluster_does_not_meet_its_replication_or_search_factors[Splunk documentation^]. + + + + diff --git a/docs/partner_editable/pre-reqs.adoc b/docs/partner_editable/pre-reqs.adoc index 483418a..1f14f44 100644 --- a/docs/partner_editable/pre-reqs.adoc +++ b/docs/partner_editable/pre-reqs.adoc @@ -5,5 +5,5 @@ There are two important steps to verify prior to launching this Quick start: * Upload a valid Splunk license to an S3 bucket owned by the user launching the Quick Start. Take note of the bucket name as well as the path to the license file. An example may look something like this: ** Splunk license file is named "splunk.license" and uploaded to an S3 bucket called "my-s3-bucket" under the 'directory' called "license" *** Parameter "SplunkLicenseBucket" should be configured to: my-s3-bucket -*** Parameter "SplunkLicensePath" should be configured to license/splunk.license (note the lack of a leading "/" on the license path) +*** Parameter "SplunkLicensePath" should be configured to: license/splunk.license (note the lack of a leading "/" on the license path) diff --git a/templates/splunk-enterprise.template b/templates/splunk-enterprise.template index d96c0b4..3bbf8d3 100644 --- a/templates/splunk-enterprise.template +++ b/templates/splunk-enterprise.template 
@@ -98,11 +98,11 @@ Parameters: NoEcho: 'true' Type: String SplunkIndexerCount: - ConstraintDescription: 'Must be a valid number, 3-10' - Default: '3' - Description: 'How many Splunk indexers to launch. [3-10]' + ConstraintDescription: 'Must be a valid number, 4-10' + Default: '4' + Description: 'How many Splunk indexers to launch. [4-10]' MaxValue: '10' - MinValue: '3' + MinValue: '4' Type: Number SplunkIndexerDiskSize: ConstraintDescription: 'Must be a valid number, 100-16000' From 311ae3d980158becd5d96c6d9dbda0b0a890b06d Mon Sep 17 00:00:00 2001 From: Bill Bartlett Date: Tue, 20 Apr 2021 09:40:06 -0700 Subject: [PATCH 35/47] updated readme to highlight a splunk license is now required for quickstart ot function --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 955e8f8..b8c6536 100644 --- a/README.md +++ b/README.md 
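Review bot: Raising `MinValue` and `Default` of `SplunkIndexerCount` to 4 leaves the deployment guide out of step: the context of the architecture.adoc hunk in this same patch still reads "the number of indexers you specify (3-10)", which should become `(4-10)`. The parameter text also gives no reason for the new floor; judging by the FAQ entry added in this patch it is about keeping enough indexers in each site to meet the replication and search factors, and if so the description could say so, e.g. `Description: 'How many Splunk indexers to launch. [4-10] Each site needs at least as many indexers as the replication and search factors.'`. With three Availability Zones, four indexers presumably still leaves some sites with a single indexer, so the count may need tying to the number of AZs and to the RF/SF parameters, which are not visible in this hunk. The Parameters block continues beyond both ends of the hunk.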
@@ -12,7 +12,7 @@ View the accompanying [deployment guide](https://fwd.aws/bGBmy) for everything y ### Prerequisites -Before getting started with the template configuration, you will need to make your Splunk Enterprise license privately accessible for CloudFormation template deployment via S3 download. The following steps will guide you through that process. *(Note: This step is not required, and you can upload your license from the Splunk web interface. It is, however, required that you have a non-trial Splunk Enterprise license to fully utilize the deployment our template creates. If you don't already have a Splunk Enterprise license, you can obtain one by contacting sales@splunk.com.)* +Before getting started with the template configuration, you will need to make your Splunk Enterprise license privately accessible for CloudFormation template deployment via S3 download. The following steps will guide you through that process. *(Note: This step is required. A non-trial Splunk Enterprise license is required to allow our template to configure the Splunk deployment. If you don't already have a Splunk Enterprise license, you can obtain one by contacting sales@splunk.com.)* 1. From the AWS Console, select "S3" under the "Storage" heading, or by simply typing "S3" into the search bar. 2. You can either select an existing private bucket to upload to, or create a new one. If you select an existing bucket, make sure its access policy does not grant public access. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. For this exercise, I'm outlining how to create a new bucket. From e0e87ae7381bc415e89cd477ce3f041ecbe17da8 Mon Sep 17 00:00:00 2001 
From: Bill Bartlett
Date: Mon, 4 Apr 2022 11:17:45 -0700
Subject: [PATCH 36/47] updated quickstart cloudformation to utilize smartstore, as well as updates to asciidoc documentation.
---
 .../splunk-enterprise-architecture-on-aws.png | Bin 58890 -> 221641 bytes
 .../partner_editable/faq_troubleshooting.adoc | 8 +-
 docs/partner_editable/licenses.adoc | 2 +-
 .../overview_target_and_usage.adoc | 2 +-
 docs/partner_editable/pre-reqs.adoc | 2 +-
 .../partner_editable/product_description.adoc | 14 +-
 docs/partner_editable/regions.adoc | 2 +-
 docs/partner_editable/service_limits.adoc | 30 ++--
 .../specialized_knowledge.adoc | 2 +-
 scripts/user_data.sh | 160 ++++++++----------
 templates/splunk-enterprise-master.template | 9 +-
 templates/splunk-enterprise.template | 65 +++----
 12 files changed, 136 insertions(+), 160 deletions(-)
diff --git a/docs/images/splunk-enterprise-architecture-on-aws.png b/docs/images/splunk-enterprise-architecture-on-aws.png index 6ff34819e5a3f090b6cf56dd24cbe03cb2e2334e..11a9c2f5f3dc815742c5e174cd4253e2455cfb86 100644 GIT binary patch literal 221641 zcmeEuXI#@)^f%U8T4!6Nh^)3mSpovGN3@8D2*?%?f+8ZaWRDPnwQ2h5p0E z#Q<-GQnF-liNqnK!lE@5r+2y=SEN40i3? zRn7atyyVVc$<3MHd-wh*zPvX0o2nf~P5f_#wsqBXVJSh`hPHsH)<+8IDV{%DPg0Bz zA9Za8jHCIuNk~t# z1ia?>q(g)x!)%M~oB#Glv|PwE$)WsQtbF0IKo_3DE{9j1nm;sLF*+p;XIJE?+z67) zO3pjK!>rv7HBI^uYBGCMpTI-UUW*OyDw(omh18Ymi8=ODWenf7jy@^#Bu+OZJr z$=LVY|Cs2T4ldM76mZsM?>W8*=(Xban`x7W zMQ2MFe+T)QFOOHdPJ8}+CXZF(IN(R-!#47TVY>3JIP$0W*9&m234G`@%8}i<>!VsxCb~AAa@#||^T7+ypcry}+$sDepGS9k zKmTPNvaz0Kx?_xB)M2qBC+Cec<7f{SB-PHzO#=ovqi0{IIqV$e^F?0wqcSm-r)=qc zcReZ|&PN%jNr=J&v|C!Fm_u1TFaOBw%Zf@tB%7>E6)r97i5+XmGx6)sNM1PfZLZV) z3$JdRE{B&-Jd-hi={d6;oY6P+BoQdXswK>Qr*3wCS2>HOD^Y-Uja`Wn;S8Gf)hY7I zqP1J@10^c|HWAkkic*H}7xR@$k~_y0W_jRxR)LOcM^oA>7deye(Z?9_b4GA%OZRW$ zmv(#!63P$~tyaBjd7Q{A+*f;0q{gMbU3Kd_qp77{;Y~Zf=4u4K=2-FY z4y4@*V}HwLxURlTOW!eK|ItYuZu^_mfE&?WZ@C~TIfe2LQR{=en+GumLHUfL^; zwA!23nM?Oh$+FJ^6A)(j-M6_;ii;b*_qZT!;Ebjera1@(A4Qz+R-Vr8>9p|q_1mz} zHxgi&TFQn&=Pw8C9?M=Q`^(Cz?GVY+9}kOBl;@2$(kMT2S6~$DFOU}(#COWk>F3Z0 zw?ncLYH!XIO%hV|b24)%N4~AWbNl& z?l~aZ;pRKECiHI1*!Qe72bP15uD$v^`g36CFFPjQ3zV*2+%2Gn@}p}ut0YrLcgKg~ z|3F_Izo!U&Rfq^T{?D3!i5tE;^Q@d*k_M3L*T><%0B4N{Yo1enoO_o3ao|56?pJyD z6GI1R9k0+GAs-FfM3eNt_I>>-*X`R9QqdPO)3i^ny0W_3(nO1Sc#G7eCUr>}8~^4= zpa+^Iq>4_c?O^`tdSHd>ff2|Yk2iO&UYU)8PFm29L|NjeCHQA7m+z4f(8{Hp`nCuc zGkWZMWP-)Lu;f0&v1h5&iwn$+n-I> z#TJ{v$Qyfh;NcIU*($H?Bq~m2PSRwvSkG(2Fn^)>HMK-Ln68qBYB&mP2MI_6&%ZS- zZVf%j^602)Ig383BoF*l&4K7j_w&|?+!_}kT0T{wv>Yd+br8JYz8R{SrSe*M<}&9p zusGLFU*K`%F={KeT3lRN0|w@0_n&7bANgl)P!dv@!^?30kPo>f{Ol>IAo!Hs0vU+A z0inA>U3DPLtnQY(q{~P`ShE6iC?B;Z+ik&&1l9m1QL)(2JFJ~faOy!LqDni*X(*W; z%kP@7Y$_uUrUsoP<5xcJQn#DT;mcT_C}RfW=KVP-7(y(4Jt!y8w1`=?u`1QvcVCMx zC7_8XjxWsP3tH=kr?n=d_?=}qV+@*5T=ah!}Ghq93f+vTP@phhXsD6wf=W%ZwCiby#eK)H`EV*ae1zGEn 
z^D*9z@Bs0tUVd2?*cKsgTak|{H0xmVM(iv?z+|)2qE8{l zH)56jS8u=FgVuw|FI$6AyfDUKRnMo35hWun2i?>qfZwxD?Dm=-oo9S^@L69iTTAEw z@wc5=;F(bv&uT6JT97083uC*~Qmwh7u@r8%@5km2%ZK7_g^Q@v&T)D`VWHdcizD+W zeVY^`>%`haG~>aWXxAB;2-{mD<)mt6EAWPnR|z|?Lw|Hj+U}E|qtpgV=PP9o`)#z? zh4BaxHKWRvvK@xgCE(XCRFPUD3iX(c(?Rf9t;SZd|ZsuCdEkp&0zu$8*(bb?m2qQ~$|(tI9z0LaaYNaS#3 z@SC58Q>uUnYF4S%+^C`%_<8U?G;FYAj%4It%O*p1J;sLZ6ah~rWs8&9qlir4GH>qK zd*}#oSK6(~mVAD5BNlEqkpX(7am=*vLN#$BUR_$S9A1$|xa@K40Zh}Pj1u5y9xZqvH^7=SDBvPI0`a7! zk4|XGoTIgHnaNNW*1H4$@sAXMV%!HUN9=}PKX^P>@%~a!$eKv1s~e@l=aT1~3nQtL z%qEkcKfB~dd7Hv?AAW*yvRpeNn|HK|imK8`EmxukQDRbUyQu-|znIF;*2`Xa2T3mP zD8v~n1akA$N8`J7nnE5N_WAz=r%yoEWrKJwn5c_W>UH=LuX`V(q&k&ost`@K+c z_A4UDDB|CHk9z7Z`i#Py(XP&;Vm7ykl^nXII!+kax~5NM9Nk>4K+AI>l&q*!6_@O3 zl_L{&{e(q9BdgRjVl+7Dk zRvJ5Y)?@N6Cffx$T)*)za6Q({$U^`sNDMbh8YU#u=EL|Wc?>Bm6&rz|HcQX8)p9rV zoDgl;s$(AE!Dy^|l;m&QaxlKQ+pRSs4*PU*-5MC35wszhrF^WQoq4;0sSAK{Al-)8 zl4X&6;+yLH5YZedHvMuOqmLEzZj)1;eUZN0Vu_a*)y1^+mpFuDbm68+N3JC#Ca!!Q zkC?8iXSv15*e3MmSuWD>=~DXlCS?S?uNO_;8EN6pd`w(Z(_LRGnlHxpXMU04g5mqAOPx^>a4isUZ!Czoa0N4^QjOl}W%KPY#G!YuAd$#fDz)~p=K4gW zv#V?!}V4}LjcF-y?Db~B8i5CeJ(%rw(w+5weOVqP%|^L)ytY`E9*(B-ZhQ0 zv$M++kw#N@xP_aftA?gg1u7g3WA3(PsY)K`U9EDCrhWnye>yy{%ScUbJ;$vlgK zmdDB?alBF%J_7Y0{@&-+$nP{~Y<%tg5hZybH?$+}Kpj(S%i-&Zc7)all!2NsVr1o> z2~w?3bI>jNAxuKuXH5UyLm`XD;%vgAQr;bpm*jB*lugc-&|EF5G~jc*wNemDo# zC`nhLF(*@9_7Uig%gg~TG+-fB%vH^aI5|aNI!4y^(EzpZVMUI63 z#!Lf}=xP(}d>=sFpd@XqnV^EE8*}YnqzAN07Ukz}yC@cUB&4pi@3#|8fA85>8niYW zyoem7THhHN(+C$1Lnf@h5@g;<3R%vGH&O zX|Ts-N~l8f6B;RNxLWe7&M!)_B9)6!`Qyvu)$a;{%M%;D2$uN>hfSX*kFx!$zI(Ta z@5+-y!5?-rS+V0~Xh5ZWdwcu(APFCXT&NanelK$orU%SUZNXSE-0Y&3^gQII>}~~Q z5iSFt3Z*?#$nJ%Ua(zoaZl&X4yhXECjGO4?JIPZ5P+SxxGH5Xz575fA46y(pA@%Aw zUUga5{ZDA}9IJ0w)1H!BSP1y^ax%uoYY|7E5*1lLKh+j*>T}lb5~zaMb&ZUq)Gp%H zJY?FAmdTc+3eW91tiNvgX|5^law34TSa9m^Qlt?cCDeZeMWQSOSWw;ceY7D*IJ zW`MEPN?!_Dvo_L88xbFoSb`LY8SKV0Vo`XdBd#)KV>_Z0ZG_XEF<`@kjvJ*U9S~5O zn9VEdKycO&*@cCLlmJ&k(S4EcAyHlHwRCzH#;b>&>CT>BZk09i_4V!SWY~fP<$G!X 
zh$wI*a}mE&v*T5(NAiG^(X#Zo2_lb(USUbhyqz^AFAl&NU*ZO2L8t*Wei20tY&+i_ zFzd*XNHL?1H4-8fxrnQx;y=;rIjr@bY%RyNhiBe|@$9jwxMeO=J%KIkdTVZJ8!d}o zZ@m|F{D@$#BXGYRX7CtpJWu12&_OXc4(g@(N};mEt=( zV)2~fTWdh|X9Rih`^8iz=9ZxB%3h~s24CNq%&#_!r>Lh z5{fE>JXr0A{E!&@g&#rOw%{A=-*QNZSUAh9@Qqjq9)-j_ne(8ar>>f`bk!-uHFiJ} zu|9>u-(bxgqE2q7VD?2~nSAsK|vvy3nb^=LmFx zU)lW%p1oG&1XNdtFq?%FwPOCoi4|)BV(0SHGmr*}?9;SaO9QYAC*tsC30aPcO^%ZC zt30ZM1qoH0O*~n|x@+1cS}ZmBDIZ!PT`NRCSBus9sP1zj6tFE4$jiY{ZdbF$jy3tQ z=8jFl4$VFIJp>OS16#L@Scl-FcfgC<8lZHxgK;OJI-xMiZd0g*cvX4)v=Qr-zzkl)K1>_TIT6iF57A5vW z+}K+#O2H{Pzq$T2hqc?3jC6%tbN`&G^qIILRz;(hNZPUQ+Y!jA8|}ixUdvz7mV2t` zcvg)rBZYcTQ61iIXpw#s!D`jqhp+g5aID=Vr`XUCdn&wP29!9gQ&x2+hd;aa;Z_k6o4O}e650) z>x}%*3l$RjUbMV}?ftpzW^2#o0UV+TC;rRaQZR^7tcEDSaK+}G0|AGWqv)Y|IXhr% z3@yw0dy{y@>SUmhRjbMw5DOyCKS5G8s+`8j{k@h7RCiL@Nb#6n2XkypaH)k~NB3KJ z6ne&`H`lxxh#3|J8TwND*MFyp9taHMVZFfNG*ek~PGvwr&fvP<(h`*LaqmO|Y_Zo@ zKP}f)Ockez3I*pjX1VsiD9p|@phlV?J9C11dj_A1z+Xya!qOWJo9Z}ab(Hhpj_4$1 z7)2khX3XYAiW}|!2h>3Jn{!`t{!{PVV^s~^-nI)^=xp#}N5e5bp9Th>bTv-bu=n?M zoyDFA4A56gw9Kws!KRIWoAA}HtH4MGjxtALVc^K|k>+_8yh6_BO_L~MqpSsgh4RvXd&!%iSJ}XUB?nmi$))ZJ07U*2@P{JcvxAW<@xj%%K0Cp5E zzvZ>O@)X2zfH9yAfMpLjwz(9ndNwyt9(ejR(fOwh5s3+w$^J_s#OZ3c79O9n33}qn zMhv|0A35eYqNVt$xej3m-*>kFIh6+y3amMmv!0rb!=Xf+GC-`#w9?kr26`n6)027m z;cpP#lu^zj9jBNaNx)D_P@%?|Y$1Ifu{JF@p-rWXa`_v*w@)+P@Zq08APu0k_1b!7 zZQA&LJus&+@Dq^x072&;kcH9JT7C+Mu2>FhNy2?X)IKfq&sx?eY(o0waS_f-%6V{F`9|5aDpOlq zTc3=OlCddj*;p-!#<122Tn-aGH<6(yDt{|ZtK&}YRTrdip-Trae_2JGlj5LJXZvxQ zQ_Wnc^#({uOfO_LUBq#s>8Xyc+6M{4xpd%$ulRK8KnP)kj;A}m{(Fy(?yP0RC^K?n z!^LuSJ;(|>D;FIf^!8sf5v6>}%egFgJ~>8AxqM<>dLHEt*-S`Iygz%IhGTXVIkX3l z#a`LmS(^f}4Z-RK#gJ)GJSd4!BWplD7YgRW!ot!-*J|6TsU28Z1onW7$iR#r?__g^ zwv=~(xekV3S;HakKD$EoQjgoMc7+241H~1ZvaZg=LbmAbH*+iA3C>Pb1zed^sqR59xoPb#A)Ti&T7321B_hE}<;Oh!jOaId`@ zK@-rd)6kRu`17%_J3U=?Em>KZa^I-Z0yiRlV)RpU(ZpMY5$jcnZ|l4|GwH#e@_?e& z%f8p(my-IqxyNtus9V!N?Y3gerjAa|@(2bP#-T!PTv_E)_37%|S%VI}i!m3Yr2;c2 z*aQWOux3c}?v|c<3e&CgIw!L+YqVU5W<(^NWNxI57mHj(FFFQ}rj1Uu)qftnu%qMX 
z(i0F&Ck0N$>)A;f7Sr=pN@6VvtfQq0UyePqb4ycBB*Bx-;p=|FHS_n=(u=vzJx+dN znWO+O3L$eVxL!Bk=_W(LM$kDY)Lz}0Z4~ghh;2($HgdkE{=iU8t%&*FNnwSBj%L6$ z;(A*-nnczD+x0T@d}n9>Yh%SSueW(@7$KQ9B^WZ)v(pT7sZ*}_Lh)BKF@#oj;&Smb za2hZv!?}C+@87SZ;}#9D8x&o5OVd-)aLg%6g_4KCN)}%kn-2Vr5sR?^T#4B^jH(7t zb`thu`l0rI2g4T1Qm;hO`^0am6#CkIZMGM}6X_700)LqmRIvS7*AT zkNb541H!LVDhcgI&ufg|LwaY4?bS17V6GntD9Z>axi&4LIn1QsD`-*aWET^~CXF#cFaSM_(GQqO@lI{{+!u>1-)4hwOA6PVCH7V^tF zE?}W74nRRV1l13~kUR$|DX~q14pJol+jw`NsqtE~t6pgvU2S1@F_wN&UMc;OqeG z_2r4?%}mk`*u9X{0y2NGD&*afifq)olOa$ciRAEPhnQoUXGo{ z2gSp9koGfOnR-}LBh8Bca82+!$ag%2RWIV1VHmGX8bIpK5StV*_Hd_?aDDjQd#;3V zT+br^vawIp?y#}9?zwq+)F2HIU;IbNZa)D@n1!IB_wO(HB<;Qr#@)Jg>jL&-suu3Q zD`!A~5Dc<+fW#wVJhjds|Eh$|pT0&)(@BC~bsZ#4xcp*V3 zQ7NmMrmRC4_Bhv9cYN}}o8s+6CIk#U~4e5q%seAfRt_#yX$@RwX;-Hm+sD&$81DCzk6aMbgh_j z!gAHTlyc==+O0;ai5BC@e)TC8DT^(d-g_A_Q%sZkwRuB++=K@wC(1os&r{2cvK`kP z253#Wr#K5$GdKG$`J7>xew?aPq4+ImWEuvML-0-Xiw)f(52fV!~s(jZcq!6|~TUmPhP;t<;3mzvY zPHEmoD-Er-mlp!0aQKJ#j$ZNm;1I`u+n_&6@U;E{UPD8&wz^YaJu$xJL1f5o_$IiZ zO~Dtc`zrFv*!ro>O$nsyT~75$rI2sl$_=qH>L{Dba240P;#b5j@XS4(8XUd8k_?yl z(%|tv;_y}}`^c{eDOZvYjMm^OM+8Haf~k!1f+DHyQAS@!^=&ZNX`;8e@{p?lZ*I-b zI_tS<(nFtLH8Wp8AP_!#51ytM6%nTl1i~>}w5;;H+mf97kFt*nl-+8$pXP9z%c|n4 zcFHZ+6Wi-VNQQqw1kCP+0|I4!`VLuwewVWzspeBu_M1ew4@K!JyS4OHR&KY|ur7XC z`;V({pQBIcxw^Tu-j&72jk@(e89$^7i#()$%HhEwS+zg+xZHGZo;64;yU`j`9(!Tf zj?7-%YB@StzI_}p;I`WY)x9lJHYS$~OK2t%5gsE+1Z9toPs_`KTG!5EG_U($G$)>< zjmw`-87e(yWQk!%GxMpubY`$+}QZ{7uDdm|6UYS>O2;WvtRI@G7|y?1x;y>R=4T zZiA&&(XX78(-lhA5Aj30GpX>!%H^{jm6a8aE;crRr5CYgQPGZPb#xjdjy%=AZ+_!V z(^J)JJwSmUYUR7!YFTM-ALts4;j46Ot)$TaKai&gB??ZHb+Twh^YKPLl-id)m~8Li z=4hof_+;9aVLnNIS?!u*FkbvunWDWWupXswTWk42+X!{i)l8?6&7r*gPM;7;I&uo zUGp$A$FHh~sfF`4w6-dQOz10rG&-s(FDk`4m@cGPRpE&8_Qp=!n{soWp-?2x!3GNJ zN;%Mx1GM*AP{HBG{l~epM?FUSpNJLN#Wf>pvM8-vfTgybHIHmGa@i!~h`im+k(ggZ zf}Jp*-;m^&qk$XTFJKRou;Mf|1TM$6t~^K`emX6Jx}F*_5E#j!DKp{t zK<|k8`?0avr2xB{SXso#H9YV~7L>VmI)fv_98t`r=nrQ58W;@pjf}YEmwn&q?4Ykd 
z$fnYjD|~%?kOlPyaq^0?=x$Y2zp4C-35*tZ$A^aPhd44+EoQTZon3tM9$Vc_LZ5LY zzSx@Ut{OfUF}di?G5gisy$*6dP1^1Wo5=k2U8`a8)7WG+(IQThSl3{=;sGOg^t1>P zW;DbUS!X3z(QGPXgu-?w=Slg@7PxlChLx5+dhvonr&bpLAI07Drng9ixsi0cQ9$8i zMh-u6RSx&tF*QZ_Ms3~a$1Ytpe!kd=kG)3M-8;9;4c96t7jM#c{}HXFLu_&l)ioO;)Sr`S4d=`qftxrp&h?JdpN! zbfP-C-k|$FAG6|8iRHAFq_54#G5h7PG9vMX=Y#1c=j^E$rgo9Jo(~qwVVyaS^E?AV zoKj#C3BbL)SH!#ZPH*{DbT^vt_AOvty;z69qavSAPbI#cXcn?{WCY<&tD?_)d0 z8fX}`NyXum#hJao)TRTvAf&XGQ{ik&zf!4LD%oDobW=O3G}jwUO-SgnlXRT5nx3b- zY+<(j!rKSW56qm?o2Z2a16Yr16<&}CSf+g=i-Oj{COJcA0dqyhE#f?X1cg1WmJi-9QH1}HydF`HlLY&x z1@%6}^#aYb-1V%;>m99yfN5>AOdWJ{WxmlN`K2FfE_T3>Cxe+LE&ceR_tWc|6-q*n zZGs;8|Mt6@;ubV3CRzRP2DmcdKjMS>0=HuTM*NqWkakP4u{mU-G-|xwh4P8f%yb*> z3-1XZmbg;9C_Ma9!hBq8!Z8~pZnnVrdt%F106=~et`!GNpbo+QXB*%#O-C!9ed#)V z#q|Zp+Bd1*Xl#pG?#lhHI9*rS{encZo_EJKhCj)*4O_f`QE!3V+e~9)TKdT!HHZ7- za+i4IJzILVfyD09+d#s(QAY%F>bydC&rsgEk-cVXf7@<#Ir96qkmwQG;^IxPU{SE# z-KKN_x` zmjv=)80O9I?}z$g3%pw2tX5zcd$X65$A6)MVCuo$vhi zZu06%<-13bo+-{l)&MWwaXMOc1ITvHQDyv>2+DpYsiCjSe??^lVEHok+_FaR=D1Ze2M5UN z0eimP#d_o$>K1EPm68?`a=z&-p|*F=&7018`ntN1U*4W~&)0KL1fBpgOaRb@WB%Hu zHcEH6(RSjC7+vD};#>~y&BnW&*+Q6m0&+{_ATI^nwE34qddBtTI0X+ICU{!_Y}WO@ z%LK6L5d7w|`dDMCW5rW%>&q;4_{T zg-tp&oxgqDcSFBU2wbe!T$@#3O-TtweD!X&fB>XI7n9_-GZe3WfA+=0oY_|3%<6&y ziujyvyPI2}C%Llc%IB1?GlSmoO@`e)*J|og#$GJC0G^qw%UfCv5Wftgd>}%2v`#e> zW=hm58ja}fEB@oaXzd?V4m&r^NMQ5Z{SQH#MmIEYnF0bqMQ6D<#a4?$dDK1KpQ zB5Bk*X`=#z20B}sY*9#&)Ze6(i~Asa&!(i>ev8QtU8gu;@u=b)LZ}b5ve&Z zr*H#ww2jscDnh0Om6BI>qH~qX#P;>28Ew@L`nk8o?ec}p@7v9~`LgLrNW^E58@vLDlj6B`{tx6>wBuYOMda(=tq z2*2v|I+uAj4R{z#_76+_by1UA2a0J2fMICvM_tDKeN7PnMiA&gwn1~SXbF!jTgQkv zk#o5t!G)>rt$i}?Y}?6m)IqUQPk{PBV}S&G;yo0{*PbvI1WJpAZJ|75mC3GmHaKSx z8^rM|_}AF#>gy*6f4*0`B_@Jrw_OQVtRN!pOJlko!jGp_B?^{%dJfa z`Yn)|LwI%`VvZI(mWs|Ix+xE{(_N9*%}FZ_@Xt#Cu+|dEN&uL<;>TkOryrzvpE-wL z?!~#2@g;xAvQyENAkfrIj&!51SeC24pkGrUy zr&lT|&70Zhlxj%GdJMt4`$E1xsnb<6G!aK?QB3CifD;zhfKgL(7(scaF0L`^ZR27H zBJ)8Z{d*QiX6R+pY_y2Ju8Tgy7C6a;T4e+JFxfoq2&XU{3yV1A+U6X2oQD2^mZy7E 
z>9`&yWHPV&6HcIXohFjy&^onCJtU`E!U*jX0)ijM97ZH*t){&XfL+;;@xj7r^CD)q zAp4Gf&~W7n^||T#RR^!0Q523i4rjt;^Z>!O#E1`qwK}t&xSzG%bg63XO+4kSvBrti}nE9F2W&ueR2Zw#=`gp?K&BS`;AGhStC{S zlU4-wFZvpj(&`Jz_JKv*4eJLe72+RUChU<#^hxVeMOQi%rVR_ zw`tPds+pr``A_`)PDJ1Bs{*f>jH^>ANu#Ij z!dbq<465}Ub^XA7dd&-$P6WxVxQ=x99@I#DSIh`QGChz#FaUa{O89kVOAk>xTpv2q@aU}bv@0ZBig94tC7kg`al zrz2RTTRhul!h}N+t^TMvJ!zB|(ez9Dxp{zT{sov}omk@=xX4+zv-6vM$O(`e$+SdK<}J+hcu-G+><-YAyiU!nQa;{&N-h%6MV zCMqKLf|vaUXTg5mP6j$t=wKH)ZCqTh-cPV;n&~Pfi5u^L1v_%Y;LuR&8X{<>s!(X@ zUeWyO0}R*6%Ta^mvL){D(j_D(2BtcdmAV?}y-%IA@u?-BIhRT&Z%jTAOwcCcPCiIt z^_gLWNaJfo_3OT>t}YHYEJci0Gwqe73v6Pc)Y`f%I(4~aVV~O}vxjNd-ed@}h~Z)Q z!~6dvvfn-E20;%L%kjW{GZ%m2I(@Zf?}{&Rs<;Z*&4~rX{yYYVHLYHRu0XzGmq3=O zp{mdb3#BEx`Wiuc^_9C7=U%;`_q+#Ws}hqyCVlvk{J(R#CrWT2PWheASpgaS8;5$7 zm7N$!*#+YSa3SDhgLl8GN9)z;x`HRs;wmc9gJe^=8&|B$)Y>cRn-xUrRb-hD1cDJ< zTzicNE2W8ul}T9hlsY;|v_3dFS_1SE-NkNtw7ZQ>kuF%6!wB#iwBbc5wS!!9mBvNM z(IB~dS=#yMfymOgGzibeaJm((Km_Ox-a7Y7p8hf%w6)k z524=u)gHt@JT%Dk;=kwJtgaz>vM(C+e*P)&ruJRn6F)pZa3JR>{15Q%a5}3}))=NY zj-uaK5rTJAnjbozY0{bf?q_4L9)=ye2wiUZ9R#=D6QeBC3kA|Z$;H9mxVBd|8@j#s z)twf4@wK^#(zh5x6zT6Fx)JFx>ek$S05)5x@J~)m4I+h<`n0nMF8c7-J@e4?CEhG_kjtUhVGQnry=*bL%0$CkK;FfCigCxC_} zj;T6#STTL=j%@{~M}oF-!0LS=|Gy5ZQa1#b8@)}mf&=P>^KK1&z6kPiM)2x$p4Wax z)|AMB_!i1MJ3?ieOw2UN)|&9n@Li} z<4rNyojY@fS@zL}B&G))*Ji=uJXf)eQZO?W@`pF5vJ36T9HxK{fxlETLPKp_E7r4%=cV^8KC^)%R;(g9|aPEIUa!Z`}M%(SD;cKK5W%6P{;M;r!+YR&fkUZ zKGzBm8lVZZfPthWAgD_cq$40zc@H{;%pMD*{$!dp72j9@77bduINk^G8Ol=&9fK^_ zLG@`j9l{4LZwi2nAdLhi5)&6U^gxk3^zP-!jM4NL zh1a3+#v1}#Ua!=#8IZ7x>!4TqjieZmdkcdqAMcB{DjKg|JG^a0#EarTRYX-PK>-u3 z>8c0P>0Hw1WwVQMAcX$meV%N96MNjFsAW7+c^YCnrU4xoyaHMbddi5Pd^s2Six}zp z&;yxvN;eS-bx$AEoc`MkK!lb<0)QA`AVQu)82VKx(40>;HM>-PkB$(GHdX+|&mVS! 
zrmo!0(uUQN)VqggCIB;`I5M~Ku`D$A^3!xLpv$tL6muF|x4Kx#p8pM4>Nj5#GIx8S zgbc_(5YV<&Y0%8lA@sP7!)&9V>{TnMN6_A&KHG>)sh|bxcwS4fh;N-!hR(mUy z;bNS0H8Y2T0V74gk9#oiGzB6gdGPL+On>O^f4>0uxwp{LF>U6CW0ueAf5A3kzPg zy`^{1S;2^FSdSEHLA$1E>_=N+#8>u(p=&x7{4FT3fm1>kR62GdH2s4Hu}1 zJwV6CR2XISjM#xx#wkESRy}=81LTOHJjl3U6xiyrkAs7qCvBZyDL0p*QaoBwP^3SO zgF_Xv(--FFt^6lBvLOFnxCvFDJG@{`mV38R$P?dG*7bxCknk1fD%PFluv;|fd?I=v zJ*cDm+#bUFnJ|CN6;}ZB!!X{Lpb*EFsF7%bH62~Sr;VSk517J+FK;L!3;}q7!dLF< zg4P8+;Cf0I%2Lfzz&iI2Z`w45Ei>yrsL8#u+bo)X|HDI31nL4dBQsr8KP6DfAI`ke zr)Xu62QL8ipJAd_>@lzoU?U72EMos6CqYw8uZz($xV1)ZH?a+r6k&ROC>rP=08-WO z@wGU2*EZ165#kXPl<8riA`-fK?wZ%!scc9P~d80 zNsjAq+cI4ysM=+f=AUr5e~9=;gQPd5_^PVw=TDD>v_MvW#{Yn{^gvG+w!NSLs<1tl zmUfnk_OrtFcS0!`sK64YCA2A#M@|im;+^uh!d|Z0nKhC1vv$7hd+VL4=u<>Eqse`~ z+v?Z;p25NKimigndF&$*xipuJrd)WTnVj=P)1!Pr4NlT1ND_jyuPrf^JlM1L8Eg{^ zBM*|h@ggA}-Tz3KuF#6u-cWU-GkYs;7ku>t(a3s}h!0#Rr(UG5jN<)mpsHTPFv>E7 ziS}se<4YOMs~)VfL0x5<9|0+}Iq%d`Sh}A{#u0Plr@5Nq)}S=0Z;C{w7AaR$IQ|}6 zSP1+)lx~BN2gs1Ah3al)FYZfzak>5b01Rk<3+Q1)1pf&NAx~<|rOIxs;{s>zF#VB= zVL0OpbnH6}sABpSY~21m4wxrQyr(rL)%RSkQA$j%CuqLdipTfMZL50(Fkr-=%7|^? z?;_TxyuxvXQB(Knt%DW)eM{X-#*zl-Z92>P#gVz=7vmFt61&(8Ra<^3N{Cq!ON!DK zGtUk_WI@@_IV&CD^uR+r>WdlM{|xLP(z7`(9n%37 z++a|i9y#ncUS{NvWWV8wa3oI|XjZxe+;X$K!U~93La=8o

31;5G$vDCN{f*{Eu z`0eutjvGIT`3eYl_jKwYE^Mw5I=pFlPuJ&hX8FoM2`2vbI>Kp{-$QZ}99AsGCBgy+ zNFEn~FH9T1{qtZ+QgOE9JrVS3y6R#pLW*%J)b>;SPh3Y_)!>Ij=y#88+SPv9uhxHa z6|VP)FVgzzNl#y2Om=FBT5GJV5%yxDlJo=NpqtnUN_vE$VR$AmKEWACU`Suz$LrD z_m|6V7-+F(jGUIn-l-2Sv`7`Tz2igVpWT{9@aO-x#%lGDNKRcDdYX-Sd3g%XT^WF6 zTEILs!?YH?IxU?Z9s&9)*Qe3!=@T}UC!h;=b%86TH#^hps%*<|8iQ`{_YQSgS;wiQ zA|ue87(oKpBnMrVCTL_2V&HUgY@&OO#L6^LmLb2%o>x!Cp}=ALcgOlg1_uXCOijDj zpgHtoW!f2Q)RiG`;^b>?k+v9Vn^MpfcExYN(UvTIOwLe?={)tp7}6v zWh%3>Qpu*$wfXKLtvGPgP6iM{bgLSUsrH`sb5lmr=D-%|af==5izgUSTO6tR+RLD^ z@u^|hLI-L}hnVRE?n&A@r0Yg>%w(sgxD-|&2Q6^aqxGOuJPb2h^0$)VQ-?QPU_a~PseWOLSM0q z!43)uv9^9zSq6!f-SZw`GUzk_3Gs?97DojHYQw&J{P?l0<6Wz=8LRi6g67bsLkiixzD+U0hnBtCUdJ`sQWZ6(Stoon=6Fj8SyyyS~0WS-sY0Q`^`9 z=WGaqCIMB}YBzE?yXp~`I|nqNEKjy70MXN+^*dOB1C2Rhg@svxdq1SvqsdHIGdOs( zUpuqF10@w5jpBT^U!`?nf&v4q`*ay=$*<1Ng;Y2{ z=+~ETrTXz7o@H>^tCCzXJW}e|TIx4H2=(28lX53122-9tkO%#8c12dxig*s2X^KFk zg55eYR%bLvv^OQjp7P}JcrY9Ct;%YI zNqv1&(jI~OKrLv2BQ_p5MWLO-9L7Exg-LWPw0OrmeMb+@5Ba5GYM`!1GxrwO>2Z@ zue>}-LZDf8wt3(aUv)bJ1A`)h4d`?PeTFqH2fe2|+M_M);=!R8lGkjD?O)534F#{X zqhe%%ka~CNiTT=&&lAziBgJ2Pqfd2(2j-76q>Ad~ zEw6a$oQn{~>8`leCulEs9iSsXC;@)ypk6&XIvTQe58xXg3(XJtIVFZo6p1SEFzW);|@9eq^JVY#d2r(}W=cGFr>!Cj)ldA}=<%4N1tHIG?&YuNJfu{Uyjmn|r+tTgNt0drvhz=!nAhH6NH>_gV%Uk&R+(1l`h@V} z3Uo>8-abA*9K52UV%TEgC5uL0d434>f~o=@J9*JkS(??4A1sO8q?0J{Y)*xC~LWUj<%A5?|u3I|@7soz*03SrIz z#T*?E1h?@Poq$N$9{am9U3WSyTxKxcZJ}YJ9LGk)ODbgRr)t!zG`#? 
zT+5j&Z4HV#uC@|PwHciaVn-JRJ7#;+ED~*+lm*%$v%tn7Syr;M zw2XBr!YM(NL08o`DFfW??(ctTvyuW@N;Mnp)^aW9JC)RbQ`)qxtJ!da9JAR9jVCaG zJFk$&p-by{b| z3D9jp=Fq|cj{t4bxX8u_Zj`&S$4H%>i)?S`uoqb1c{-0X~ zd;Y@_*lNgT_7x#gAsYc1^D1+3(9+BW?dhQE#FMsEI6C`SD4@vBqYciWr2AL5)08I{ zF^~>3%fPLb;lU!H+~B(YpcbOG+X$|CNb9rxEf*K>ZUf~t@n^8+3X&a2-oIossPvft z_0~Gp+T4}rY04I&2oj>A}5SS)xY+ByTL0^JKWHB>zY3|+iN zpjQ}kZkT>;!Ma1W&QmOFRLquCoLtjonSO(cK^)&mB%ux`1<{aBPy@EDI(rR#uj zJ1$^p%&zFFN2TnkRde^ifmXXd>Svmi4`j2z#3=TFRyRiK?xuy{;>NS+rcjZV((qAa zBcM_G^QA9gd%vhGlkr#&8@9v~j(HPu$;v8z9Q@)ytX+_^3~sdxA_5qn^UGb5dm)E~ zCrF*03uiDG!2VScZtaCk7*K@TN~_ZAdY!Q{kcWrp2fiVg(Vf}>U3G#aQEwSsrcwa6 z9QK|o&aRF*t4IEhQUM_(4 zMBWRm$O2U^>^cjKDFhpY35YGPbY(SjHmkH$o^-|AfaD8Mmp(92mIDr!z?_>}T2>JV znm|hE|BJ7;fQzzi+J{$BQ4~bMLJ(9?Bt=l9F>y(00Ra^$DQRg;5CwJVMp9Zy$u&Sq zx+E7#$)!8~bME5(-p}*C-*^4)AeJl6m^tQ{W9Bk)b^@`#7HRo6T1H7M{oIDxb3uGB z1r&kEK`$lJfZcHeODU_T*Jp0w)^40&D^?7io>E}6xAaxPF^S196wlM+Z-Ph7$;s*J zc7+ml?Kf_7$-3k7u2A+f>{yuGXXfV3!RfT2ebdFeHspMA#|(_BYwr5&d1lfD9`>;G6l!d|IBNc9flFQ6 zR<*LS@*KcQ=V2M$_EZ<-FQBl~Ud(OWM7N-$tix5`YlVn+ODOxJqO6=*He|c_+rwTA z3OwDqBo2|4rx#f^(b~f=B6Cg3Fh+r_iK(g8FlV2tT+H!n^IRGkv7<{+XM6UJ0}QBr zo*dxngFLr?%@r0GyGFk0=wLh@Zll!N2WH%$EknN`YzQFS!`8V75qtC8b0wfjD(&kc zy4tt)xh;CQ{h2wO+i4}!+Gk(b$K>Rk)`5@I-B@m2;cCpv&K`g|>{@UM&8ch}IzfWb04IE}|1rN|dCjiNitJy9kC#htLuKa|;3$dtai_UfQM zpnYwvdT6NKB)uAJ<;+avhVz>@u*TrnS<#f`+f%ToivPaFhEwROS}f|N*O|c^Fydq8tZ%NuUX~b?(PY@ho#ay3_Kq0Jd`voXL^UA=RpA54?nV9;B35yo6d)^iO`@ zi!g2h(`f!^TF0nT7253SZfm27$;nj!_^f{Nm7$Vzp^eoU>(SI)JCPdwKBBVuhsPO&-RG==+?CiD&Zx4u)whTiT9m^4=~D1!)Xz+NaQ z%DG>G8?gX{$&%|nx}-sIB>2=Su z86p}jL)|yNu}=;n6bOol!fIfkVOs#SV{{Sf5M%*Mt2kDzs%5aF0KD%{%Kj8>J# z$2*sDtwRJYbRgtRADgqhqf53w;gKF-d0u#-PSPC0C69X`|A@tPLOBU37QWciUa724!24TkdTSNbtRRHK~^ zz@8MH*yj_WaY{y&nTYz$Ux8)-@vK_4?FXQ2>*vx?WF&$KDDcQNgLX226@JaF0{9`M zzGhzgBQ;aIv0978ZALyQkirE@Zx=acxYD-<;GsG-w>tz37QVwI)1bONHM*kGpEDC8 zvG8N*sj1uw5^FXAyt)x!lO(WKU{dvA8c+zceB1aQSPqQ>J2TvUF!cpL8ywd6ip}0c z;X9XZvFK2w+q!w=?peXeV2u0M_?ekWONm<J}z`_+xF$L 
zwB-|uuKChkcP6Jvlmc=qcP6a?Kc3+w%gRYB4>&$lw1&RELU=!P`)$&Z^eRvFFjRB> z>m(h|#waTmGVs9ueW4xvzx>om-KCL!|8ySUV8=ey8x|%)^$p`TXM?Sn9Y@h*y1$SA zTL7_n!L@6f>@)fM!x@{|9P+pB$7TNif1M0X(a{dMsxnOY_`=C5;D`g7ch1;%6 z16bS}x79urCIgf9)TdS!^W{$Ck^?A3?|dL>>!JuuAR+O!Cg|Ag!Ti#r+gRnlCKbhu zyhB>S1gVt|>LdbY33bm26XNYUJnN-ic*4T5F%&JTxQq;|KQFuic4i`YHD=#mGRFVlHxT3i=?IOB^TZ>PCFw={BZVDA0FDmjve&>4Y~7a?Dl zNbm^&6lGNacNKCOU^;D&rbA&_ex3vt?S3%*&KoNP;>`7p;z3QoL%92}s)HHZi0z}-Ros|0WZs%%lOovOG%o&44|{FJvvKNuXMErehj4&t-#_kwTY0mBRr zI-ryKkWXa|io`iK+p*pJ2z9WeVUl!9PA73>tutEYd2w3%?m0oMi{b|uWZ%N9knh^| zUCm}`H3!&m{S?fLl5g@($%h5iIuG(|*9P+HcJmIMcbxqb25oatHE8~i;-zW}njU|q zM_|_x=K-ed(~m1~={GSxpys#attKSQ7)#q2UGpNq&UD9bKJm6V7)gC12KW@#ug zM_xouu*(ku&IREzr|y}Ev@!_$?C}u<;1oOO76(HuCZ?8Gmu8gJ)B-XxGJv*-uXV^F zr18RSA!f(5Xpsnaq8!KV>mhTvnWV}P|M}bV3?SbUF!_g zkf(R7WM}G~ssQMe2{FrUhXH@5)nd}bVJIm%Q4v8M5ryw5E@hnp-7A@pi1~6%W5p*A z{cEhH3qk%o0$7NXNgD!~^b-OoLVDTiu!39r+~T+0yko6;F6%RqgyByJ>bZ#j0N(?^ z#}^ho;66jBCj}QHgF-*RXz?&t*mDrP!ZxwW9ZZ3x1E8mMhO~E5Om#y(ko>n9>imX^ z>;c@2wwsqN%!ZhxRR9bqsBX?9oNv9|s6gB{#`M=K!TT(}+$1GH;fqUmSFA4K01QMT z)+Pc$N&urP;}_@V=12?y07q8dt}zJ+lh$0t5#<78K?I5kA-Kj)D^*10>JTd_%j z5Cd4YSO96sg%1&v3N&Hx1v5<`k!uI|BbQ`b=LxHWg7!j&V7ywxu#Vb^$f1f!(*adk z1td!3-*^s!X@Y9;V(%e*5S)~iH}zbG-mVyH{J44+c{W~%|CJ|DZ3g`9W@8A!qTUiv z=0LG zV4L~B8t2w6c8>IMo2eGG7b}Jx=g55w`dBgFfR7AThX#VX2(JOYE&!SXj*D>1u~tAw zpigOK5a8&hmxaR)L->;wVQs68wFPMKyP4}bxas0N6Hg~Rm=9Bt6^(|(=a)+pvyBS1 zuwSeoI*$XRQ#ShQ5N{14(V?LXDewR^Z)eh7`s&ca;ev_$(P>y(!iaocn9;<$x`2J1QegRXt= z{5jPJQ9HISdqP(>)i=Ppp(qen*KyECOK04sh7?gvg!R!yE?zBOEae@<$?#MpNURO3 zs7*zmlTV zv_6%3M~^GMk{N%eiEoK+sZ6g-jPQz9(^7n}<n+;{GufBVezY_P1sU@(E% z@7-H$`8i*wb4!J~>BYhhEu#)4J)O0;tw&*C+Y246A9ndFh$nV--bOuM^1+fE^~)7% z&$S?=tP#P&-ZAclh1Li`$3Ck9U&GY$nwl2BGs+{PgB2Y-5YBa*JvQmPV%m~%jn_A(c4u4Wa(O_DT+SkEV<34| zVFa+!(q22L8DcLz-LYN5G%_+W-MBG+yF}*(L9)=z`KO84ntx~s;Knk%`%ifiF<#=gF{eI z9dTlrUUbw#1W0wHCn_gM<8)k?^kJiD-xYCHQ&XGFF6%R%9y^i{a0=bFH{$>3CB563m3u8`0?-G4uAq;US_98CKTT{-L4C(IB5P 
zFu2Y|1fJ<>x?ycZS8Q)d1;0#~DKt9xdgLPX0|_}FS_+Fh9wx|mvga!<7QRu-%gf82 zsIHLM%Xsl)OUkjow}+wD7i7XnE^dSSON%(YK;#XuA0}$W3Mf7u^(;)*RcYSs+wZV& z9PU5ff?OqtVTr6wfQFhQ5G1ui3s8na-Ie+Ar|G+Q?|zyN{JyPR@VRTs@v@4puC7nt zC$6oaozH9pJQSSR(VweO6KO~lS97gsS1(eUt1|@7(eh|QB-_) zn@2r-6w;0o4*;$)2pGLxhp%^J$_Jl|Q|tDvI&xZibFkncNFvsv}`wB zvaSG=RKt`8yU$Rt)MGMpg1PP>dd&MU-(^^0xzI#INDM$Ob-M*X#;>gqolzC@oHE-KU&!R^(ketc7feUL!3-`@AWbtrl;w|{81k0ODo?nb*}_9{nPA-4DydI z?mS)76||qs=fiUtX~B|C4O9KBtm>Ah(M%M(CoFxVyP3CAYysa-Scn^DC(oEsjFOVl z>@U4H+ue%628^!J7TY+hz4SE{`V1KVX?lA8NK(%zZcUZZ!#sg9Xz_;+mH+&?Cx8(xZfHaFys-Pp zldaeW05RGzpA`dP2-Vx#+P?OsX&2=DScbNn#}}8OSt_;0kI5zHd_ZOXzP>R$+WAc! zH^VL#$7+@#l^N+UqbS`KbzsK)k&Nn0Jp0YhjW&MEc|PScBUzAhzg0ZQjA*!2`TDT7 zc7BJj+sOff8+S06tf*+AOjQBHoYevS_?W2Rc!fxvK8o3=lzUqsNf(2By=H-3>h#P^ zw%xcUn%Vr>2AT7=BTYRyf}Iba!e~8_SQu%R0aUST-5LDx2yhAY5SpjM9F9Va?~Ss3 z3}ug2#&bjcH-NB7)^S^#)7%I>r|$(Y`2D_<*SE>+hKF8mPIpz++kiBy;G!dh1j0}b zJqzh$BY?6Ye0ne1vrQ5@J3AQ`{-{7gHr=EX4+AQB?b@}kCdI_!l_x_RzxTTRiW-&1 zViPSb(u(HW8RB05{_a6(7=A0qG#FAcR%YFW8ZZ&?4CSWc5c(Og52d`S}toz-7CjdAiUnG zv+#1|0Efip!(%+Pb0k@4&oV`y4?27I39B&#>9EnLGb?G5MmAhe_50mu!vRa zjkPQi=Sc2m58>DHH&J8P`|(uz$oUo&ObA#PHN6S^oVWvJt5nYl2=y>a(v>4Bvcig>-N z&xV?fr->^Kz_p;m{VhC)m4Uu;2nKW2@8o&8niNy%zdfU9L4WPee(0fprI>|RzcAS9 zl1Dn>@$Sh@n}1C@1^GXGpq!*F-5Q{vx_jdFa6`$ii06CH+*u+G<-b0L!O-e~3sC%7 zFs8Ac%09%W{zS^^+;pl->Hl%c7jVkBRgu=p+~0DIe42jtbFcn&>;F0{AJo>-KHu7G z?y$b}dHC@4N9*hE@LeO{zdl3yvSgAmZhj#(&uv z?_SO9+i9v*`l?gc_F~-26WepH!M6jPTxXF$PZFmB_S$Rk=LK?K?r%SgVWdM4!Zdr- zXtO5+*!KMRPO86ac(<@%m5+t)Afpy?osD9T%$fw{FV=YF{hInb7LTa ze%OfgX_Y*K=Qs}?_PL`*NR3XdwmL?Ki#4|%s)`7@4?khK&ZJ#}H$1A}RGRZwn`a+-w3nXjKP7f-wGGzP(uH+70Fk3zwUxSV&MT=h z18cPzpWo$HIeb-V>s@;I4**4{fupVkc)Dm$RlCWoQumy1c-zF3dixu~I?+ZoE>mf) zir~MMqDY_o*MHifc2$!8ZqCb)B%L7omcDTIo2;F)I7YD=J{Jf0oSAePGa(TS@w=ic zNyzOBNayCwuwi}VgX3c`n0vQYcG3BZ&R%AlWx7MM`mq)Sl&-@_ra;x@)tBzcer=~T zJz+I_9d#(^z20qrJ|!9Y`-U7pWD?y^S)yS9#6huth1zeKS^&)wi|4|3bdUGEyKFF+ zvZWjsBjL-Tz1nNhqD1lgn=N6`2grx}PACw(x(m>(oRpFEs#aiSfnx;O>HPf&`u_>E 
z^tY#c3&)Lm4j(qd{eLdgeUR1n+`3*A8R}CP4?Fw+-bwqQEF336f#?^rUy&om)|l za));=zLESbZxH^^-EV$zZ%^s2FCQhF6&v?G+|TJ&M7rdEeCS&_?5MhyCHpi!rY)yG z`Shdt#L)V-D+GP$e}9PMJrUCg9a@b1ULV;jjRWf^2R5|i-CkDA}dq>=Z5Me!C)Ue z_`$9U->2uWv8KLVe(9ljw0hLTgd~E~RUEzGw4Kln?c+|G>W!cN=g-Jrh3x?3`g|K# zq;uqkc6S_J5D-#7Yz<_`Vm9=>@U!A=N)2+T@vEmJtfK9rsu}h-{KeiKDFj68k^WH< zw3vQpLciZdHVY2!-jbEOhH5!vP)~c%u5pWd&KC}m4@vk=S>qEw&|IvvO-%z<-cn_V z{zy`VbEzuQ=FYOWRr*Q^Y55Mo^0I{=Of#Q32NO#B9V~83L`7e}W_BmZ&|wM1%qV7e zzlCC?v&0vSh9$s3z1A1D>^m{+?P$}A z;p~Hyh31JFT!lj!Lib1CHuqG24>``GI1e_uEcj4Mem6{U%2S7F;yTxAYiFGacV}YK zp;KqpLkQ(U51+gvyVZYP=mD}Jl3%7PW`68}je63RM@v(XO-}2kNuJw+u*1R5=AOP1 zg;i!D%Gc@Hoofx$RP^J*u4yzH()reRWB8Zt(|uJ}y$ek?8e;D~wJuShml#Q)Zf_A@ z%}zSlX`CXdxYm7=%5Orwv%KSV7!bTHnrvZWFcsxvrpO|C<3#VhW~~T#YlOaogL@EW z1%2Up02a$xlZu9CtlPb2uJG9R?=fkzyzGB!M8s9^qScFvcl@%JL%O`R-#i9twHiJ$ znbEM_-Y|_xEA3w5V%u;|Oj>sgO16^lH_`3UWb!eZS+XweuhrtO4ij-J5*SIy4(KSD_01mjZJZ!pocZ>) zYRyT)qHalSH*%pNj;u_%LlNYD(d-4=ke;u(RF5a3}Yp&^Xc^Dq|G6~;( z%EZll(lC;hE#b^?POH92prVPBAzo&nV=;HKYwY?oJm|d6P*r^&qu!DKyd{i#&g&!a zusd&wJAhsJG^6EV|LpdJ=n8JfIC1QdP`LN&YAdU;w^c;AvV;%`vEdieU_F(aQHutc2;oi zhhhIJgJsFXbSJ$X*yc2p$r>87?$WpaN=;J_p-7%;F*GtYBc(>^Ws!3FTZb@;A09uI zi9h%G>zDC+e5Qn{uEzTeK4emCej;+^ z|I2Ahh9W*Neq^sfs1FNv+HHpTwraeKvb7+xXr}G`o7{z&$-$1?GqYaG1|<)}rn=sS zYIx*C%ridj?Ru~9?w5E;& z+lrhNUrO&&dlcX&<(NU}2|M9G98<{g9u9xEQKd#c)@E(4hqFf%iLO4x+la4+qvQ>imq$y3g=V zLK2s9&#h0U(b9(zK_kNL{R3VC|Vtqd~I~Jz{1jcS1 zcz!&W+K>6cI}_ubgcpJXjCN1QjJ1)6{m-L)8!QF7?Oc)ICIpybc5Fm=ThScW)eDC8 zMIXrSko>^RZNzl%*S@jEi(_pgVN1P!!K`E9wGWoDTU}Loo#BVyt8>jC_wp9h{;v=q zN)CXIz`MC>!}ya;y@b4YHOtF5Q{ygr_I6d1yrPw!y0W$vhhLe`L$KfQPF-g%F&$sX zo*%m2Yj>otV=}(?NA=t4n)EvWVeLSZ!d4xoPqIrbGvWI2Co!0IcOQvjTd~{DK@*i@8(dWTErl^TS=rJPe`1Tulb~ zo2sfR7B@f9#Ti(2;C5iYaO_t(v4_u=rUS}_?l^nv*KFxiEt>ota`aR}MGH?%%Q~1r zL3kV2>_kSK-L7?0h(Rn5bu(H8yrfG~U(2hBmeT5h@oN#TeP>ET8W^}LZ69Pr?*6mt z1f(HhDQr8!ij|g;QNDLCdiVxLQ^(gVt9MdGN0NjS;ee}kof5urd)BBj1CaBFvI&#w?*pB0`xp;+!GV&`$9duc(8w_KY 
z23hAJ%}fJtJ7Tx?P>zt0&!GOP5HM+>CtduxnyE5jS&mMH%dtVQ{YIL>~^G4ImUYXezqVnc%xwgGaH zY*@%z?nz@7bIgJ!>|5tXTNQv_i|5@UNgs3Z@rAF%1rs2YLm)9*-o|QWWd#J&PTTQz zRiH3|&QmIKd+gY)onW-~%T2qK(kamOycb_o4V3l9#*k3ZtSVrF<9_@7{eczA~11=l#8bO8>8yuQ@vAr{#}u0Jk5o zf4jRTyF5!g5H4DfBulI3@hj$*Myc_Uu7ceCbaZl3)RFGG>s_P$ws&SMK3wJnajjy@`fUw;%KJ?19I64q#UgM!XJZj}m!|O^P&x+!*_Hs= zKLXv!hGlYdPGC$lM&#T*mF667uwQDI30tfTrfz~y56T4-idCw$4?w{Oh6P($Q=pgCZ=zMOWvMXEC}nFFO>1TH&(x+j-?%L%>+$bZ0wW6}dRCHR$DTTnb0tCQZ4G+y z*FkZ|lgyi-uhazj=I-rOQQpxP9|wJeav_H2FK1_MxlQkw_+hHWg(o+`uu0t?Z=f3gUqa3Z_m$@ zj7V0{&*041;7r6+Mb+n5hw~zSO@I_@{8yxjVa19OGz^dll)QD{&~Ox9N>&HjI;CVu z(Cpd&fpQkpj!41n?X(5M7)fQAMZ|UHg9iRd+)EI_=|b+jHHc5|#Cl**M}+C}!LapX z<6XB*g8N>-M}|1BC|jb{roT_f3!j+HrBWZm;}dbkgn8yp#Bdc=g`SMS=0JtL;OEo= zqOR?c5k&M+C9V|y=N_a0k@q*oDT$@q?gdHTYgb`Pyt19PgIzwV zxuUA75xVMsP}g-)#RK`+_Ie&EqXjq^!rVi?Wj>aVFjvu}F`PCC{tVdy6-~{gurS8za1r&rqLc3X>9lgn>lnP~THdD~4=kg`XSbZw z?cU#LiLVaFi^KW~Tu=mOA)4vCrC`Zs$K{iK^RUwYMbe7v#vi#h3p98I$j1R8w zfNdV%xI+VB>SKbYmBtIUVPeAl(!IiTz{88L^)pOq#)Xv3mRrIC+-iTk z&{hzrF7HXD5~6qk;Y!#^SEV8IoS)rZ%yW&JRmtjW8q;dQ#Yvhu2UO0?q>w4=e{G^D zxhgPwRlN9=<5ynXz(qJuW8p<6cwYihkcnFIuws~`N);>u$h{ zvSmsS7Wn6E-<8?CZhY`Zc0T~@_?VU+h(+F3A@4jt@f0kM{=8Z*wc8$-lv)Cxi_r0L z-kBtA1NHwk7Bk>G=1S-k{`iPYyk$+jou>pUPuhW9EH5s~QDR0iU|^6p$Hl^3{sGyF zpm0@5h4B3al_@@ar;ZHPvc5y&LAmVy_XhT7tJ@a2Vn( zGqS5bth94f$?D2;i_kdr=f?KShm(M+5#IskLe5%shX)dOqk#q#0BYQQhjpqZ4_2DN z?%mi+EXnow{X?HGkyx?kB&Z%FbxbS328UkK%I&4NK<0`$>xXm;@x@Y^X7{9m1WBkm9H4!jQ*t1b5{cqfCB0A z>1V7c=- zQgGk{m)Ls#qui~kWekPs+@Hctj|i3No=&JbSQ}~aB^HNY#r{_c0|UO;auwc%45)Yq zH5h()lxA3i@Hk2EiZJB}%ssSD!;N_5ZYY(7x#D7r*mUNq<~g~Agblv!EDg+!?Z#cY zVi0%sL{H$5_Yp7rU~2+5_F4Ym$bu{P_Gk;Q6p$oascK0R9ddg2`^uG(t-GY(?pxy9 zIjHo<2`Q4p;u=!(<#@xV{T#bCDwKpP>q%ifPAoMP9w5WE99LZv^OxN+lhM>PFt+t3!cUWal!=(zgcJy`{e4+Ml3 zOAD@PlD}&LMDmia0$n~p$j|z5PfLwisP@=NfMXf{7UERtHj$fTCJewZ zRCx!mk{~zqL1)?}Nue0#&c~^iQb&r0K-OpB9~5LHtmJDm=8&_j>tH=OL^tsA303;A z(OILiy9(YwMS6dp$@P+vz3}%{QTxzT04bF;@|;+i5wu!88x7Hq0=&3^br@XGO-Q{C->5z}7C`Ce7qD-&t#9|A 
zJ|-TsPAy|$2F;)jli|MfH^Vb76AW=L`K4~h9lIhG>O)By4fma&sO%vRnk1Uu4Q4^U z(J~qbK|B>H*9M=s_YL%^>EOmb0OA2fMAWJ)9wK7-r@h-=KbmhdWWxd$s|N+Cp0Ipo z8rGZzfkOL`idyYg1yNPx>cy?sBNqspSU@Gfs_W8+=()l zh$;tO+WiA;5gX7>a*By*7uXY9BsP{5U}+%YKkKvYXbTA3U;shV++-8>5i31@D_Qh7 zcEDVQ=%Vqyn(`6ma5DJhNY}oGN+uo$=f@1A$n*w^i7ME6G?HFu5d)FWhhD?Tw}ws; zq?}&m<6*%OlpvB&x-U!>EgRL&O&oDZa{RqAZK3@@SU$NQ1Z@+9Hv#tFwWyFfhSsQb zli*)`cmg6j$6&EQ>yxLABTM~A1_7WKp=9lQ+4pHAdS!=G}e?N_Z1O&W<);9uGF zChlqj>np@SR?rG#M_W?)nJ6Wh7O(PZ%7VBI$`07E%kY{Z3n50D#&;)9oym?#b29c< z6I&rH8&pSYj;;k{C6pwKvFXH}YHJqbmUqe6??*2cct+D-bvZlvR}6S`m_NtdqRAYO z<_)hX;>AWee4O@Z5ePBeviI0 z>(`Fxk#aqC2KqlA)!D$kyQ`h#=9YuXBM+TNzqg|)0Vw`vxVC(2sz36DA#Opx1n+*^ zhHU_4xSW)6Hk1w%jDe6~0Gj03qn<5|mYP3{y*cN8k98c)O8w3gcUr`6zlC~h6QTm- zr{a0v%UL>cA5dHDpW1FyGN2sXkxrEx_hL0#R=TQA74IZ7o|zw7yqSf0hW#>~xLi~Q ztE|b!@4{*GegPp5!imsuqB}S)bkKIeK1Bh7e?Y(pj5rF=dWInkz8JwArzat))U|Mlucw+xX-o@B8bEhi*| zlQbXZ_H*zt#Z_nM&nfm&*H#7KNc1r2+D#_#jyuQciqrlP5j81vM*EzLi!8_DDWc3k z2)KS63qxWP$_Xe;>4B7sTg^(o)%@0Q@C=QXwAZhs;iV)NH^dwMIBiI7zA297#bOSZ zVsl}l->E&j=_maDOWK2JGC}+X*+apLzx0J^+?8*JNtOV4h?M*|`Y_w*)R9h$57!AR zlxsa3E1p}gaSHY?JJ~dj>Kc{rB`U3?O#D?+vB-kf16+~{q@UtrdbX**1jEP!**DqK zn?Au^7?vku31GMCIxD*33E-VhzrXm{(+NtSS+l#^PF*&RY}Sq;u01t>v_!~<#pvHX zW7_zx4x>$}8!Ka2beK!FgzZ%5W(OYkvs5U}v6u%`Gvoq~KME92g+0RwDwBT**0=Hz zw)fyIRB)RYUjhMMasf|B2Pr-l2d^%C07hFL26GPIdkX!VS0$rj`7oEpd|hQ=1z#^{ zaxmDZHJ&X_|3lT6-Tuw?o*9&TlvirR*riGH1-WHFhoEm!f~?0d`v(t;?^+pN_ME?$ z4ew{pcv6r*BxxhWH(G*3%*aH*yGg(kesP;r*|IO&WyKDb83$NjAY0Bdolatlvr~cl z0aver6Ikw+xPkLII3dWCDrb3$l@oR~Iip{us}t{@AU#i$m~r}4Fi1TlpMn=)MN)|j zA;$PVmdhkfm)yJCY#?dcg7h?nQ`VJ8#Ur^b{E@`i&q`8SAgXx@-rRQ@+g{|93-W!x zfB*w{uNj1b&k)&!vw;%VV4sEu*|j6)B$l_%l+A6)m!mc1=8xBuh+#ldGJ#)U(xq|0 zlhk@#yGI}QvZbO@H$4fzdgG;_Cl+09ho=g+f9Y|bz_ELHb66}CE-FsGkM-aLA zQSKwE87nK>1cL8us{!dXkV-W*B`QN=nWX~6O83-NRsBgOjzJ_~@Ab{aWocXUv?* zlZ1(;jC*3b(00FJ#lmbN(E}WN zWG*_ndCB1s|{lb3zC%mgl)&p&c3rae$(?|SQsGHFKV%Y zYqBm2y&}kYQ#DP};c*JCNJ&3< z_>bcEnFUHen~u?pxL8ssgU%8~eH66Vtj6$G%@A>y{Nam|q1P?9-i1|p0Li1xNDdD^ 
z=YE0f=D1q(lLEQ254u(%kWK4nbk2tVF%%Qrr_QI({o1#*U&2e;R831q7U)4Qs;BQDxly$GB&iN`9gxVYAN#abEGOz$Fq(~M$k`&7WW=B1eGUo z2G2QB$Q**=HFQLIOUugcDdyqe=-pkhwKz5M@oIDAFUZMkM^NyUx@{;ibVS?Xk)f@k_Q*PhXLUxvdcHpHTJ~p<15UBS> zAD24r;u~x~+?atRe_O)Tfb54%X$?UTme_-^M@Tc|K6n%$K&*v??(Q#pyy$ioJbBXh zbXm-CmZY{rH!XSez(fC}HGiQ{%oT z5MXl-Pb_E^p0(uADv*~hH23K}y?)(G#&ms))^7Ee&L+Bi;hRG$dDOOdCJSEh7d*^P zS~B|@({&|~q=|Yw{i`TnR zVJuzv+o4S)vN^?MmkRwcH|;{L$4Pns=I)8KowH)a&S%9}ubP;&V$m#(u;BwO`UtXw z)PuhrRsyB-$Irvqz5QS8_uu3w`0$S%5L*7DbZTdZR2{4O%QjlLaQ^t*_1bg$K%GX@ z559qyI7Ad!6dnUcA*L+PDojjsK1JMH*l=}G_Xd`!Uuy<$K-Ad16YvV`ej!R9kR5$s z`$UjTBuM_H6KO9&N~Z}@Cy;QdGuV8^8H{SlGw{bST*1`!&l;Yo+TAR+-QC|Yspczh zJdiG-lXGhg=hvWUNeJf}+ODksO5s7>`c#a0VC)6Ohz~mJuR#J*X)rYPkD$wJm%+ZfF~kqO(QpMuP=Bn{F(|FaDCK}zP4`nZI>|wKKwC^Nw$P+*$YosMbv_kl#YC8z6G50 z_XznuYf1;(2+}mG#Z5{WviOl(ByJc=w9VkmTSrAUlNGVNE6iNz|I4QO9DWT}l-z!1I&{fjcw3eWq zNVck`f*9iFnV26TB!qLII+zW6ILH@9q@RqWBBy5G{ge8 zYaS=?7NU!r)q_pj%<7Of|Fh>v8A?7p)qpzv05=9oHvm>Np#F0{+I`M$eUa1kK>n?V zR@c=Nr$FfpX*f`*{4&mcC9)x08t&F*oIbt{%!L=sB5uN2eTvTQB*=go106M+t0FfW%oC#Yp5Q7Ep%(n%6sWWy(UE!(v<2 zDah#i+YA+W70l{X44!q#v$ggw2WfBPnZGwLxqI{FB=7^H>_QXW3w9HWQyVVrW*{45 z%aeYspYn=qkgv}&g3K$Sgn1*( zxHOneINOGb=#n(MEZdSFCVWzQ!kw85@{T0?ql5r9s;i&F>KG#yj(IN%!4H)h%+jUI z9FT(euR7cPLnDYW&{@fwoyBysJq?(9CbBfWYVcu@&l6f_T`mDT^PxPtQEldr&PlL; zKRHwH17##!XP?BIRPBVmftR1JHU=`{+{!p$!&MG$js@-A|LM7qDi2D$+~3^%r*pvy zuiMU<_iC+peQG<)5aYPS4-|xFWEuF<{b??hvjZ>s*A{f;r2Y;mX5XLyxs59P#Qg`D zw<99CMIG*rt&}AB%ejDbMUold8TvA1Yktq4$O) zs<0)kX7jQmgjD;Y3MDCD*c>aX#IMX0Ai3go(S!mfj+>t|FL`_fcqnF3XBagvjF&ILY`Cn;7lr;3iDY9-2rll_ zO!+P%OPbK=>rjFP`>=y7I@)=Z+;_;`bH>>}0hILpyuxJtq!MWFkqBDjzyQR#tm{n4 zKf^`E+hzx(#E8aTbU1pq;i3%v`3p?hJ4h;KqwnmY6c~3SWzg_L>_j52KqQQ+1O6V~ zcc&>P=2Mm>#w^AOrd(Q05BWSB@Lu zkQcw5U6$?X%E5{&yd*_CnVAIck!G`m8#YbyU4JG4>wBSBeAe|2NX!q#TU<)+*?6E2 zHK4xX?25=D+K*SEB29;6P0>t$ybe?qhK5U>{(EyJ4A(bELD#<4sWN*Gml1{g#J419 zCl|GkIeo2 z86m3|!Np^0WtF;61l(7)ak<9&bmh!E?*Vp+rh9o5r3Gxj^SWn1UqsIfkQFEUT9y<5 
zwSS+f?qb44pihtvL7JHz0FB~eMF{@ZfA(sQg>h^C+#=t5L(UiS>hmS6|F=zM z0N;Pol?I(-6S}$NrD{gCGX?aOyxDjT8QO*u!CFZ{|6Elw;9riF;l!P#6RtF6?p1z( zkr^VZRXGSbdk0qTy??0%g$@=QN;&;D$aiuVd9YS=ySxP{az?4(gw|Z2R2Pp^LPU}) zk?%~;n_C7O5!Ba-|L8zH0V{7lrn}nln~I0)`#K8tnyVPY^^mLUcH2;W{4G4*LZRu? zbgK;Ratou9Fo*eKs?~gfN{-*`4yIawpKvkY3}(vx0modQIPiDeJh?!~@b@?z7#3d= zs{5cWo>Yg*X0#;ei3mR8O{PUG-nToS)I90*j+0cJX>@gs`Ch@$A>J zZNGmbve@u+dBJb)?OX)oToO#`qLkuN_%eFIh4fOVK6F+Tupk*9lm`C2puNr1~A$UPO^1NlZWW%4NrkGo%pYdXG zjTwZ;vHb#|t~VV@wPWu4y-Sl(-x}`POzFD!d9u3Yo7X2d%-y?8UFz1CvSl9Q#^d!! z59Ds}(RPfpG@mR? z`Ugz?Y$uf~wC@Wuke0s@78{&lzZNmpc12(2hCjE{2h%g!_cQrBJNp#@g3-^O17HSw< z2v)aC+gA$D2B)mXWzeLY-%N&HrLcdOqD`!5pVRR!oj3okPqYml)8={0U9@+v9c{De zk)jag^~D^Lz7w~tKs*E&H;X5r&I%;4>(8Y9f;>W!sj_cD(T0(@-lp(phpaFxI{Do0Tv=w|(}&$?Ipk$>kp*UU12s60S~L z-?C~*-_UtHnCTCFnU*Lj5yKzlc zVnQaH{X0_WtLI&{Z0#+0?fHv%(;9d5BZ^fm9ijCt4Y9JNE*1e}Md`g-pYHe-twcGt zYOM%{`gr=@qRhQPQI=btC+cGt&wD797S4}hX<6(lBV>x;oRQ4RT^T*6+;P*wIYhu1zJf|s0MI8 z4JPUxqoG{Vl=YYCGd;qrc{EiVHNO6Ml@_=7ofaSI_S&!t)rOua>oFFs`)a%-G9Qp6 z7~=EzaBEseaQw-r13MQUt-QmpU-6H0iAM@hV|r5AtH4E_u#2{`a6y5+Ft~SUBJFmx z@7(Bq)35E|7IQS|E2SWLowJddP?pfHGg>Rhlva*q7)G9^Uag<<5Q!7fXIf6F-)rZ5 zbg(>7P}edh(y#BejI8dlcF%yYub65>qWFi>8vW9^pyJzC^E_YYmT~jBXuvgrOT+x= z*b+4`xyy* zxw1QvI7KNkadMid$-0rVoyyNtVr@(3wdwWIvT6IHJVT{;-y)a2je*b3PCXKB|D@;P z_39OLli-0DUd)XibqRx>O3J&|xx$ae-){NJjY~_mE-G4KS<2-xTRQsU?U-@bh_=On z392dwNVyWzmu^QWg#2IFZNiYeQIP&{CM_{0;m!|MWA-yGIM z^u5_Z7+2aOuqh5hb;Y#BvT{uPF8c^U<$0aHHye~F4yV1&lorIQ4Wf`eQ0|<;W{b1# zdDG9hcoJ>bO5KJiORCW?nyPs5=|!8~D-#0ZEBc_uJtF32Vmtds(d^g9OVF~pU$Na5~t1*bK(ky)L2pJOB}fJxWAjprXZz7{hJ>7b$z?;B9*KMUXyx|hvd})=I&m^dMi&OHD?FcI=&Pm+kl3 zzC0=fjbUOPb9ebMQ&r`0B&~*6)(XVgRGPO~iXKz=D3Apm86aDr4UIkOKpOU5u=~*! 
z=wDb2J(y!(zkVH%_tGdMfWacclx!9m&^#FlL)FCVDdO6VZnw41mpYV!(4vImtcrty zTtjt7s9mGz*xPt&bv-yHrt#&LKiJ~?VvZeqBgO2x_#PnLT2Dr?%gTe!&z8&3Vz;qB zx+Jl(gDv@UC3Aq@_R75#P#uPXaO==#CXq_by9sZ`s;{hp%xbBt0wP}R4TE3u>b=v6 zZjK@C9`EbwU?#8)ApYy0dX%MCMq}2MuL^z5-a+rEbdar&LW`jKSgh~2dE(A*um1Xx zROG&XWI~+;izrG3X5-E4t}r?gP5dVNQmtshzg_{L1V>%3yl5SEaZ0VtN!Pl4yl7+j zQ=y4ls`~&x6Vvgr&OBw*_wl0uYHw!(Jv%~#tmC1x4t>ksXNGf3(fidG*BMpPo!@uQ z&1a?kKf>NRF3N3vA0Bnv2)YeK1Vm6uK&7NnL>v%MQd&hoKtN(>7~D1p$Vf;d-AFeW zAl)gcbaxFgy!RUP>~ntKKi>Hq_km&NdDgSmz3z4AbwRC}fOnq7qj%4@)ZNjta$SEt)^VjWA2+cGl{N7Z5!ZV1an0O#qHGV~C{^wImb26z{nhlv z)ZI3Lun-$shzq#U3UWSZf0ke75qusUpFQ7Utspq{)uyh>SQZ;k$K;?*Lqn4f@Ho5x zSN1dMn1bk%4|HA}XFAjOupK42lzA&2%=nlUV`sn_CFzKMx+NN_V!GELVQ%FX5cVcN~ zg|CaeuebL{0L>d4PfUdpASgBlxYN)L7reW^gxqgq%eBoDWG9Xm;iCx89hRPs$QO{Q zQr_@swG8IN@)tB)Kir<~cc5b7$Wes9C@LEC(B`|_eK@+i*Ja(b2q2*eQ4^^pIsmm5 zbedASwBE$_G(#Ud>&nZi55@IcTobeHu{~U7gQha8zZjx?D(Y@D3`bil_nW3xHX5!P z2`r`HmD)(%pF;9SKPYJL(e8-wpMatmNPUj6h!fv18$m+JfjH!^$-B$*k9kpg0A%J2 zqzWWBz%YC_k}5gj{913u+2e1s4dvx!(Oc!<;YiS`L3h{kEqWG+Pap#!BDl!eYhZw; zC^g=Z$<|v0Psg5kPqK6YWmTZSbcmaq$Jr#}JCYrM;lUDIh}F8r0OiZ+K;n_siQc78 zo_~KpG~s`wBpvn(Ij(~B>-XJttTca#%)FAxUw8hIAun!){n>E@l5eza3k)f<>{(p_ zH&UFTaDHuw+iOcutHh<~1gFMBW@*hbWE@DCLfo+#f}UhxhT6lX=+aM-NH%WOze}&IZBm+Tl?B2Lvdq-nT?MB$s@6(cDV$T2YC=|lNcjj5erd=?_ zX1>i);@>u*y${R%8NcuTT(7vbFac=l+$hZ%x?)0r1_AP`wjX}!XDQa6;cwk4d}CCq z`MP|d5rCczu}$avwVL{QrF0wKc_m{(d zfl{?zYE_dZ0RBE3ov1_0qtLtMXd&SBhy!isH>nYOHM~KSh~R^6&shJOJKEhV#IC>2ZQM(Hj19R}?qLKK^eOD@?C2!bcAUzp6~A{hWcA*< z=Qou#`H|93^j$f__;a=|p!7B3%X-J8yr4rc6DS?m zdc~hizD^*`u-u2z-=^t)W2~Y~>|?!^k>^lHt_6@+S=r`&DFS^?N@(|u-MsYX_gT=; z2DWf`GO{rL-chZ#B?)#g=^1kS?{GlpuhH-Y6x>brfyX-6U6?kV=6#gP3ib}aqunc! zf&a`jYxwzV({EQi!4~!v$s3;y4h!8S!qJ$=)Uu@oVBPi*cF5BF&f1ncuL`)wW zJ6y$N?S_~ZM90CaJX_8kH=8i=)BU0C2mIrH*x0BV8+cOy&#!3vJf>()dvE}R27`%h z|J?@Yy6>VO*zz$ypd`KFBIxzfKS!6r4}uWeuf6WkQ9=hOrXvOhSndzkRQW-ai2s?? 
z(?_#_`6)v{5VLWs7~A$Q)MFKw@TH#SP?5W?@P4qbsBSU(8o_om2tp;}uYJ!~u{+PN z?i}wHcQ80nQBlzV{YTtb2M`ar@;8EwS9(Li@Bu31TPO)qEQ&+~bLM-%DG-uo1e@h* zUcFTbYQAo1POVtxcZR-HL{pKaOjmtn@9X4UCPQ8G_!zzK!TtRYl66aT2)ss3%*__e zSVIchMAs;~SBYnBJSB*X&~?rUVFWo{vmkvslE$=uOvO5=ONl|Z%UzWA%vkNc`1-|j z?N4C#umrT|yY^Ck@I1=%=lHo-NGH(+t&FcN+q|a$yd@Kc1Y%pHq}zOHTWmF+!!KnD zP6c&K#aUieLg_u$H6PLe)``65{yv@oWlhVU?-Qc5rCN`O`-_{$vxnv11>iwm=O3mo zq3=$mNDwf>h~7J;3eLI|Z|awCoyOIS8Ll;%+`M_Sp;b+nlU&_8cIDF3-%{vmehEn- zz;RwrbInnNy&k_kEKy;H7_V)G@o4|@t!VlI?l%lY#$|f!_fwXc%y+G{E=!K&! zlY)wzCFgK-PTr{8z3(55wPjHfBMI6CI;?$Ez5WcZ6K1c$?>0cGe6X$Lt<*kd8M06q zAX2(LVWw!)gC|Af5M403ntLE{3anP4CqG@80@0- z6rlu`87!5vt21Wd819h@X*$5X7Opx?a=V(_r<}Atx3*Cf4$I;BaYB zTT+w>eNrVAF;pV6R4>~YRfAY>XwDq{`)}xTU^HAE>RhWY84r5k^>XWHH-p^b z%=lhK==Z%2sX_v?K|h^qPoU6` zL0BwNs@>{kP_Y~%6h~-VR-QxkILJ(eiq%@{DAhk&$aM{^KPN(m`G_*BLz^Gf&g-+A zO0VtcN}AgG_DZ_%RTWQ(l_zthIaZibZA>`isK+ok2ST9$XT^;r z6-M9S`RJlMiIXKXIff=jwRpnnjg=-HEwGttLgj_!MmX|DdK3tSLBRika4j&Iu72pv zW)!uKt1TH*z{%6l<9}#@1`6;*DQaG~kwg*b-C)Ew-ba4@rSE<%5K62)RMezx?GzkM zg9^2v5AlFqjSEk)5f+Pup6Lg+S6az(qkG)$R{2$qfn|+OO+}FR4PB^0S4sshwAuQ( zYI4@w95txfg3?=5nn7+OyScWEpc)|pe9By@Vro?H4MlhjZcb_K$)E8$ zVV535QQ4t%mraM}BN`!XyuI=$yb7=DyTIluy$m*&&m32%>PUXBJKj)e8_!WfIl;U; zs(9{1%gpDeyWlAk_3ATxef$`)RXsCM_ncfoN*|C4LRM66>BDA=@z!EzN4P%cZ_^)h z3hl`>H$d%?O8Vyzxb9SWTwwG(ba$VIDrYc~w9&Go%qI357a4UV^07swTftz!yNR9W zy1)p0)MNqYRw_bdYGi9(Ja-E0-}^$>LhABt@|g`nB)&Q4SD!1vZQx3(V*@>{H1_Y` z|D~PYtK2$R^%>f8uEPNP1tHT+QSU$M{Z3R0+c#6X^{U==c4(7>&z!d+*J5!xK7i6> zK-)2xarOo8w?hP(n}cF9Tb&G zLGB`mx*-T1%47SIZ<4eGk_2K>Cl67^dx@ z@^wD6LA1Yd&&hhsB%9ar{s%f!T{YymoJQ3=^Z9^Y)Tb6)ata0#(Lj zi^33;l7ZLj^WXuzmI7ym_1F4j{JU!Olwj42p}B@v@;|`-n_sd!(Q}SE(`8pm-nmtW zi7)JVMSf#9UtiPr6`K+?%6=34%Rk8T`M&$VV}9X8*e-`n5SG|yp?rn5l$C2KiHTX; z(IVG|@r@G@IGy9Xdnv(L)iy+Mo*kkJ)0zRD!~!S| z@<R2)4w7#7Skr-%Q;k=9U_!hoI>o8FCrTtZvGdLZAp3hm+iLRO{ zzu>(ow?V zm_Uut(*X$gfQ|>)OS|D_av#LOBcFfUixR6a&fic?$6Ofm+>KLjRtTKIVCCW7$C!NRQ4xu17_94KG{xiWS@KZn6F@ 
z+JC2V2g0`v81QQOpp5t*@fo)Gwosxybr6*#}?E!PqXiCcX9Sbf(#k>ez8NCpzIzimk_qgeW~n|F+JQ z9vXivpzDYbE5*`r$!x4E#)cnRR;?WBGg=*6V9YSUb-Q)+$dK8+Y#_pl zppCBFsZ~>9SEy7~nIr-kL;eP>ivLVfnw*m{Ls@Jn8&+ma=vrk6_dA|TJ=WWWC1f>J zx>JmJ;N(NPHCuqD@pRUg9e*f9|KK)MtB>Cd^_

nNRI|+#tr{&nB}N!OXUlG~q*V z{zynK<|yE)T+}C<42KDv@$XTz;&ysbo6tl<$kD%&; zyX8+cc@H{V-a&^;v$@uR;LOL}slyO%-}j(UG@FB-S(0<&H7?uGb)M$N!_U~4FR0E@1EL%* z>PI>I)|#9zelzCun-Cw1X^O0wOP=ab+#pf(|CE%OzFp`JLy>RjC|yoAZg>{_A1E)~ z1E)TgH#Ck5t)8W;*#tuF>E(%LZ7%0jTeq=Cj~GpC>ED;Hn3_JQSXzmL9p0RF_$tJA z&+DqhyYY+CS!NG@PvGi{kEq9UkFDOSrg=7VTT4c**?%8KqD6?TdVfA2_RQJkYE&af zd2+CCsUG3KNC$epJlW5+rs#M=q45`9{BOUe(#j1LY3tQKuSYBEYSp+W$z!r`THm<< z6>3li!?6u-<;owEV&RwnU0)uRNkc9Rp<+>M2D#5{N_vE?_$Zr{|6*@WYuL#@9S^Oo z_}LLq%^_Bt4541QWaq*n$kbJRm^-7tu=UBwjIJ^$w&!5^t7u+}1dwZXd?Pd6+9IR6 zSk74WZp;~WsOW~s&Xa3a!uW?RoJ<@OwTbV6kX!I_$N7bJ>WO;Rs`)()f+V&PO+Foawt5ggv(?{Nt zmgE>=>xwUujk)gR_a=We(UTQsIgjXdAALu{C+_z+{C?Srq(o)D{aNoKt5F#J&;0eb zpclpm=*o{>F;WMIFMj4ZEnMy3y~3g;Xm364LdtX#+bT+GQfdO*?ZHWip2 znFg?FB$J+PQRa1r+IxZ&m&yB_-%uHj73<`PvT;gMLxTqNkTuUW>^y01zDb!B_z@HaFWtauQkATE3_{|9 z$Dl)t5Qr9GKQeK;A){f;u!S8gq zgz^J$5KX|UxOnC#r6{dy(F$Ko4foXG>4$ zMwVx1T>f|M@l&yaU!coW_x@9eQ;x|>@GQ~evQW>UhrSPsMozj+*a`Facjams{1(4V zsS>S9KE@1ud~vb2Hy^A-7B^QAqE9@eN)16H+Yv^S>L(U%9w>gYJV%WlbD(XV7>Cdqu3*;?`3oKU;82>++Tj(fpKE**R)n z2%_FtKhk_eeqwg5T%Xt}AAmwN7}uA`tv7*^oQr2}r?CuLLNW}k+J2C0GpEZ*b`5oxOk#jKc z?%gD+fGx1se=oCh;lPJATe+5SGi;1r|1sJX<#AAk$wOEp8lUr>7r%FDhPe(k|61}A zSid4nm5a+QO>~nfVHf2q*~cpQC55t*GCIdL0iQZ(5EA>a+FeH6F=0}kqysiTCrd9v zGHq!p1y|srN9;aKgA4#@xs}*utCx4!e@^b!_RT8(nA&HrX43U?Whf^KU6_5dQ&%~e zr{Mf}x0oFM=iT%nDcmUTMZaQxU@=%Z;V*Ex4+z#}%qZ0MC=)PEZb?f#Z&3@a5WX9& zr{Y)K9z>-hy$d#TXGpoSQ;n{PHnjVm7tMIx^p{3awlcqXzIgx$e_$bAB`dl$?|4F7 z5>c2jW8w!PD&m=Le3KsfUwBKR=qu6uM-uA>&X*c~EoHP0Io5JJLY60Rb{jb>=@)kA zVJWDNfZKB@s?VywXW$CixW^VP`SRu4-~=v13Pu0WXTIIV@0pGIlk4N=N00a(n^q;M zg*|E>Z_k{#mqtk!Z`LLmaT|C4JLJ0knF_GEo z;2k8dj(-p-mPp2piPpD0FDEIGHPrQE#-=4JU5Y;n1$FmX&-?FK5?VidXswsZ=f~1x z{f8@*C*m%YC>+<{Ei_v@(z!9#=d;zyqCv8^&nP}Q3MX26U0B)gYVNotj{?l+{m3hL zkg<@;d@AKZeMw-ZF3b}ZNjt&Sv;Kkw(Wj4HjB!zUsB%h}Ezg++H{%@2bqfE=Z)-EB zGk1O~b7R5s5JQVjNb>-#Gbuf_?>CjuBa62M;ap3;ELA-&P!pQRCBh>mD$M6{`mfpy za4f(TU_1Ok8-*6rrH3yy|21AZvpEV!=Hq$loylD`%Ij_kzDqowG=M+ 
z7N05K}xU`iu1pU8c*Zg^YnqZ;Ed&xe3W0{rC_ktZ6G&tSTwJbyJ$% zsWVXbM-;_zBE!i%L-MFIPrPl$ytaWO^=P+L%+YY)L?J?Z)MoauTGh<0cF_{e_PD*W zEY;&S*)D4n$7O0aJo#O4N!ap7Kd4KqG9B&a{anx2ecPz6%Bety$2+8<%da5V=A$4%37W`+fRh(HyY?Ow(Wpx%&VxU~=cGq`N-=(_C z-r!eq;0q)+QwuAtl`*x4X9cEg4X(zky~i&<=#WwJS0E-o-cN_i&CG9Hci^CsTBIl2 zFYwT(p|-K%fC?QkqH#TU*AxzR*-O6iciu`q@7lT+Q4l{_;$J2O)WRhZiHc@WZ9N(P zIP(*-B%=&_)f6>uR4lp3R)IELDY?)d%H**%%NZpqov@VS5xth*pfqyfC{iGBe#MiG z2|$Oe>YwuHHPrnm4I+Oh8aGa#eR^(xC0Z`)(bqYR>#9Bw&BbKWZR_)GWNJ+EJEq&M zqs}ki7E8j1@7Lb9y@FfftdHCHkP45dy_d-bPo6r=*N+gk!u1rY2w4rP;LHXRvLOV( zg?2|3JFWPQrW1e$l#Iq2+m}0-Gu~?kuFj+W=B?Wxv(4U5Uz;4%w^~X2?tj=zd6oC! zpwB16G0`V){}x_0U34j@OmeFz`aO+@?SBO{pMavTovH&2pZysY#@-(3bH5py`If%( z?zD=rFiB?nlWFDCPmBSJ1pR zAq)<+rppf3nH8L_rEB#@-I%dWvNOCszx~nc*JkdhO}vDD8$dxwur27n^hyA3~F(Kd?M@)elKw@+l1!(56>V1_xi9>2uD9xhj1THB=ncK{?X1ApHfLC#^<#lOeVnG4W&0*DCIv+U$WRzLdU>Dz~SV!jG(@pxdF60gJM8H_T#`f8PXy0l1_;Kg+d=B^ID&^FyH< zO3or9)a*SAtwt+znoS=q!zg_j-peV*+E9ixUeXa2`p&^tXSPO=PfTixb&l4dOPL*q zWLsp_-%WF0OB-lsR8Vg^H`$Oym(M)%yFe9weiQ?~V%tiXy)MGqVZoDd&kh`Gs^qzo zyF}E<`8${&cgrG9);Ku5Q`pzvtjmS>R1Iw^wSK%9{b!-^&1(QmPTR_`RzD zgx?zaw)^nI&UBpJsU8bk;pVE`#w{dz-JjwacUGCP{MgDl8~seH1nmfIy1(hF#(%!8 zs5xeq8vXS^n41^Tx@JJ_MVF#}R_iFuIe8SO=ldC``Cm6fLllU zyWb0Z<8oPQwYF;a=)hmhc?q0(G6^QhRvppTN9J})y<#rtr^~87Hud+Ekg9&GhR#%u z@-MOC!Yac`UB~wZSlF|I?egsqGUnjAB)HRdTb09|!hij~NuifZtSI&OpP@i49psn9!#UpH zKLUrWeCV70uU+(ng2L-%!dAF@&8O%(=L2L`ob-hrd}8&6qJqn76slx>z5R9g@2MBt z8{kYoN-{(%Y`*!8TpxbtzrY7guPYjt|9pIm@Q~ zj=&EYzdU+PKScEURE8sKvNQwKq#4{m0r2oc+aWIK4B4%)U2AY;0w&5DDUD z(Cn{c5|Wdkr~)*ZQR&XYDpNulCP8kJjx8T$>ouwelsY-!(pbd@uRKvW+BqJ2TgfHx zv}7j+FuY--osl^W5h}W_0^YOb^0*Td69TWKE;uTYE?b-^PE74{TFLCf70(KcH&|UO zP2ZlrOjXDseEBLF_h7ecTV$4BZBfdzDqY_At6eet_s`@#oT^uTuy$6Vu_0|aBSq6t zh<$qkUEg;=lJft&ULX5U7sS7RJ7d6iUs3DN?+vHL!W7n508=G8DvFhdC!=xQ8L&4H z@fOg_rPkEkg7;er%z@5p7MH41B=494S<*bMls)D%mU+s`%FNh9RsUJ~2E~6nv|LYQ zwcJjYgf`o7hd#LD>pd}wFK;?l*D_(5%=d*i1 zeku2@_pbc29?E*9Wu!FC%F@!2E8i1;2=Rh=@2fq5(XHMP2JoVw^y&zPbRk;rGaXGv?7tbR#Hh`hUAAMgR{CdLt`z 
ztvkpd{n4vGSd<|Vkj`EuCw-L`aZ~{l+1b?v(UtDVb{$7Kgf^6>SMCGMZs=E_tde{Z z1e9Bc=tXi>?fVD&O98-ZLUiU8gUj845g;6IE7;67?fNIR+=G@Sw%KT{ZAY@qcGEbQ z?)|F^RFHo-yytg&=KtvkJh&m{*)lpMh41cH)4!S}E9H z&$VpFqW$;iaszGXAV152zhVBXYHC_CjhdNTgH`$;g4j#VE)7;f9fer93c_uKOiSGJ z;$38jmv_ui2@hG%Ka@K_5QHWlz3xQC#j&nB01+V0?@ZuX9v+@6&q{&db8vxZY-$y8 zX6_pU={CU{prB<5z%e*vnP+T@h&^}f;(@+dzv2n^%9rOeJ zwMSl`4H7V?ES~PlG4Jrg&nF$O_UBGbGlR;*FYQpLn!;Q;W{paF2~j`{+tN`S7k3l3 zG9e1!n9C}946__D=vk7+ENheX44ZG%??c66^>I}g8|GDCIZ?m5K-MUaOEqZq3$|YeW z%jCvXJt)R@#xKH&L@#$r2W)2FwLSCyh_{o-!N3l<^smi~bt&kw#>O1Wi{B z8KY0a`gb?<>)c3p>V)lP^LHRU;VOa<%Ec;za3iTj)2;z5b?{7smU-hB&fN;Qd~R^Q z`8bPwDBXif!nu4P_C`1U%U}D+7hrD#5qDhdwyHM*K3GK521@IMmVib7_2wLkN3Fo- zcfc+I`X|{@4*v?wE$SrwO|o4|`CrX-;W6G!(tC6jfLMF7Tmg%1%(Z~NbVM7+j4n;^ z^yd$*>+CDwg%!g#0gEHZ^&$YK?rqlwX6P7mnuY}5jUfdgc$mC)=cbKkf9xIO-+LAA zE#Z>~1%o~z&Q5;sfiVuKNyR5&X=SeirWj%tM7)sI3OFdl-m7cgl`RJV)jrICcLhcM zI&gulBdE zTN7jvb*@?nt|x+eON|$rmBY*$12K4WcX#k1TK+*GzpHLb)_l(lw0BrZNy&E0t)<#7 ztIi`*v2=C-EB1Y3@=ZN8%0Gnn1v|}G(g>Jo5e9PyJgeahvILqvfWerf5p1em-!z?n zC4R^Hua{{n#VbXKy}eQ8wq3b!uQ#Ij1}QTG{KDK@ARofE(>1^cm~J^#B?8(e515Pd z+rlpE%lKXRvF;%c21o^5Tv1oIkFWDO;k4sqnxpmzoM-ijk)7M=*Fo)O#043laGb({ z$8{#3KyQrSRo2sICHB2eY0)l|)q>r+~#RK|FCC9_vFdX*q`) zdi5O2m+(r~J288n?mv2dFzUU$4B;)U02fe=Rsmh=W#g8(l)V-hiAGR-4tHc_WnC76 z`W^xs9uh*R_*siUJM&^i;f6t}<4lol4$<7cT5}#A{1Q+hCUFPfd!3k&P-R=Z5VFzJ zx2cWD6qzfji)UY$MZYLQgxd1~^-kwiR8mQNpHt43aveNz!LAjD9?h(prINO9^*i|y z_3H6zmZX9MU3j3N2foin5wN`+H&&1pSs3{8SzV}Rv(m5fT-iLnCX_U z)a#X!tf@z zqc{AkXSf|vi^rT(U#X0sGL%>g;@-eDLQn#;rktl$*Y@4CCk8q|I1h324mavhN$hqBytx!hIzTa&j2&|3fQuf?xvmXBi7m4aLAr^ z=wJ+RZkiLE|G;z^H~ul6=8lpzGRODiUczNzjSJ+0t{8nat1g;#lH^b7^O45SRVR^% zOxS#CHXuy+rzT8X9E3?GUYULEldIY#fI>{E_XR$8T`M9DkHMg0-?|RrA=plck)Fw` zaB=1H>fC@;w?(-=;GT+dT`HXOFrQo|wt;b>gChbhyjitEs7T(Z(*DUv%e-KaGHBgQ z>X@nw!(JZo`60OcT<kK=}I1^v`xwzW?%R@R&G%AHds3@q}2?*gQ6)w9KhwD2Y4 z3{9Y(J3xd~%`#sRm}NgaW>|2X4GgaUIB~fF@vt67;x2Xp^YUWZepmXtKmcx*H{_S3 zk(JQ3$TM7Di;WEqX9e+>2n)PobnQG`TuEM-&A)J_$o?1crAYp=zx|UTg@u~t`e85z 
zYeH;$17MRq1eCr!0CV@awqutvp!ONmd`Q!skPj6Re9xlLJ96iogK#-%c#m6SQxgGk z@a9dV6f`w7H1KUUe50(S9SQN%^Ab1cbN?G2tU;2G$@ucZ>#+d)(#681!i;>kV5}IC7lyd;f-GT9mWXEjG=5`Fs(jDAeTu;tyF){kf-rX#ImJuKW(v*1 zOP1I7}kUZQHPpW)Vrh$i5JhX7(IGaQ7h0FjHHNK z>&ew#fF(Bs0%R#@qFB2FTa-i$+sf-2{TqkVn|Cw}4OLPIi@boQicv==%5J2fFH~1_ z+0MnfzG`DlP2nNHbg5?a#dP6!+V(Z^U1=R3k}c2>sLzFzoGesE-}4g;MyI2#;_5-b2p|4xB>4`wWVkW zDL9WS^&B{Quy1oY*m{0H=?Ep}6T^*OoLWMAQl+Pqdy|-CWudmhgwRZgd95vJ z%29oDLE3VrXk{2!ifh4xdxtawjiBYj#!Gu&cu;fQB;4Ap;*1x%JNB3B)5PfLbD$mt z@;xqILV^z$;miLE)1Zfw^*@iz?s+2Fcn5Rxyzz~e!M8*!o|U%(4{H;22UGB*6<%Im z>*K5`z-zEA4}aY|3_KTh0e*gdPNapf8Hd09zapFb*^g4}QOnBp-mYW`3(&3x0Ch>6 zeI*_Y6w5`UuYo<2Gi=@3rrTD5GT#AfJQCJCu!Ns~A2w(ewyxFw&Gp!MxX8&QnP^3M z!Ko-T4?PEtwQE_)_0Id{3@U6bDu|xk=eh|_*Sjb!El#1u^xW>_tEQ7nLi z`1xlJ5Hl=y4Ua6Flaxa3*M2y`9csXO3r+;?d8L?>*d3TXk!x#f-Owk1q=+zxHj0#g z5z8z3;UYT7iGP_I+U>^BU3AtKKeAVwi32~W$56dNoSxVjZU_m%`>APZm(WtSQ_D)z zIbZL!YAg_Wa}X0woyFi{M~Jf8SdECpP?)@;=Rc>mwNjm7(8_JOF0jRxsG3{_zJIY3 zx}LgWh>EocCVcNSn3HByyYffVS5Au3fE1gugeU{7>dkq@r~ODcVKcnP=Wptg6*4p% zUIM0STe0OdFa5$9h8-Q!Zbv_V%C?#6bQ)I*8$VUNK}8yEI_okaII`t zp*coUeH*oXgCJ9K z^G)Aedsm*yD)L0cj6TAAKHOAjX91^1co5n+&(sRVy;3&yNhMp(vVbk>3mqdO;OU!s zf zLuE{BJsXVzx=k(PsLNS^--lPY7e^Q5Yc?|C#m%*1En`MhZ0itN5_*h82nKU3Mwxv`d&XXx z^wWz=jsWM2jQvhmwdgB5C}=%AJkb1P7`G;*#9Gk(76Q27M}zBfq}loE{LqFh6FVzR z_+7LlYDWFA*B4&->-xbmAbEk0{^}U;8at(84@wqYtGT1&Ei9W*uBtJ76!wnna&O}k(KG|j=3R5qnG5JT9UQVp;pZf>$@tloFD6A5J*SF_ zHO94AnajVx_q^Dg8lL}N*!LxFTbG>CeY={3Q?8_e6iaZQ%zCW;zpAriFS^*RK#@y1 z_=PY_kb#j;-zZ@l9x9>b&vBY=#uDD(XFvLU_uz*9_iv>T#cEaw%!OS!=+i9EF4RPi zYkOOtqb8zj{dUI~9Sd~`218lXaZZ-N++~*gag-JFss4LQ>+n(hk|A-CWlK%XzTZ#N zjONpd`;LZ^xA2_muo2Mq$nieE!DM%s-Gfz#EW5ZWBNm*8h{b@1fB~$#l=Qf*@N@wS z`WGUs>E^lf^Wp5Ntxef%7^IQ?BDFfQEWpiR=Jw#dbX)c)c;jJt;B8#|Vu$=cW7yJLZ$UMa^hpdo9-b+Z<@1~B^sd00V(OxHqlShhpt4e$Nh*#16bQ~<10D>82#OL10LTD9xcS{=ABb2v6Pj0 zf1VmZSs9ZuGI+2}EiFEhRKm=7JEA^}2JW#z_>CFh0M6De>#1K#&sGF zE=D~#GRa4t-C5Kcv*@iR7E(=p3-f8KYAF4V4~!w)tH|>D&~XmcV|4pncY@C^c@4Zc 
zvb0q)Y&1rPR-kN~^XQPm2!u@3!6doYfMO@xUuGzDx;})43tlCRAUuo>F7OpPWQfd_ zccdA9y+NKpLpdDqT=|otSOU@#WKF-*^=fQ!u^6-&S`h{#s(ba0>BA>S^~&k-w>*W` zUNe^z^ijC}0>qt@i^yC8-%$WNAL`z#0=ODrGn}9leJnE^d|4Pf?~f+T-i?^$L-HjXeS$GUi)$oNchi_W zcke-!vzd0hOK440YHYX-Hij!Rb}5iAUMC|4jfMr?=(ie%7V|qWgKLnVz4)kTqdNM< zjEf^I4~!2g6gvdR29G*@`3oaDJHK~l2-ss-Lf~Hdic#U|n??iQ;fRMV`c94AH+{Cp zT;Z}c!-2m(BRRWjqM*wKf5U8&g=<{8R$-IefNXT0D?ie62A; z5Bw>6qU2MXo>zN5H$a6Ig$&vd0J!0t2MXb)wI|K{y8TB9fq`I@HSEw&rac^J8k{GdS@6N2ckRUqu6VW2h4vj~4U$b={cdHY|%EM9^$@iwCRA~25xuNy>?br$B+#FsrNcmP9i2UyEpb=7@LxgE8BZ z1D)1=+m}mODTlYR_wGc~k4c*#Wk9qhIxQ`26o$kILuycmXewbaF4F5}?d!np3zgu$ zV$08Cry)G-Q#}OleRjRWsy3qf!M!Kou`Oc(QFUYG7k=A z3PsRGWS!Snq_7i1VIAqmSskZe?dG`yvl#)F6jHYv(;xt`FiFr>1Y_LQC1b)RQ+p+L$HhfZv(IjTnr*-RNGX(Gh|+ za^Xh27C8EDAbc=iW!~kdy-VNcVa~up|4LbrCeJbiW_Y4*DDAmtt0J`*)1kILuMFng zo*2Iu2b(RY^Tv{rIbm`)fBGs6pF$p`_j1=LPrVF5`R&QVa*Tw<+b9YQg(|npVx*Kb zJdD74)BuWH7{GW1Np>r7J1F>W!15hZ7y>7xP^kPZcI5eftcUkE%*$sV7ayinGLWvH z$FCk`^Pts*ZNKNEGaWW>bM{-aO%rzPw0QAo1qOp9z{b^CyG4z8c_fl;7lkR(n7`uD zA#%}f^3)|uh(?ho2aFP@WN)7?aCH{?%h>8a+#$nCoXpk{3%rbx^nyuYZE0_}-P|xn zX_9Wqzf^zl0k-#IE*~^=6x%R8V^m@25CW z@RBF&qJ2 zu>hoTDqr`I>qm6XDu4H&)kN$b%aXObs2(oT*+ykr=%KSv`qeGL+|hk|9}m1Zm_GM) zH*7ZY62^a=b=ilZ5RaV6WrBZ^=&+gT4%>6l8q9!aUjz9}+&p2}n8{eVApYYJOkUGg z=-o3AcrVjH(Od-kV`yjD{8-$*qO=JYSI=J z0SfQmFQ^;`&mH6XF%>u6omm^`JHI#vkBV;hlW+2FW*m407)%jz$Kb&jem|J~_qP#D znA@&2(x*dF*k|B{t)PPy=wOT$SV}_4lnNzNvt3{9mu| z)PK{C=xs^Af76`s>&1uvdBA^TSaNb;#h{nn@#BXMk#`GOOE++UyMf}2wD#@V@tXO( zDidwTL3|w^R*#51|6d10weu6BN}`&r z=nryA$h8;TP4r0&W_N=9&!=yT2RwcF%`Sk-fY;}D%HX8I>t*rsH!1~!wI?_f$Iu%X z9my^%3tD?jxEic69E2nP1}I$VgVucEERDv#|1&!Kxqk9YFS3`RZ~?}(C{D;u2BhNT z9*vPYxvnI2Hia;q?TfoIVz=uhFqi|%p_d}bOAa%sq2Ks>tmq2htV0tp`3DJx&UAfQ zvWUUKb2pLwH(KjOr_HH8lBsHnRseH=fVoaeZoeCSG9J>%pg}%TIkOrDTinPYYGyyK z1WW?w&w?wNQ=&%3##Ja}TQHr^k<;h0Zni*u;qE)2IyeJ(J5`W6T^|gduB@(Kc$y0^ zKM=VeB03LkgysUs$wD-@b9`5}KeukLX@EOdJ}dUJ{rn(e;16ev|ML#p8c{M^e8T%n;On@d#>N;&Fho*rZ2H|t&vq|p`II;gvPjWAebelnya 
z|K2|kr9>~sp`#Ds|JJ(ER)zD>=7NR~*~Qw0Sx*8}_&sx^e3*ZgcjR(@H{_}2!5U?! z6)>CRcZOV-;B@Z5WgxMLrd zrc-7DZw2`H^dZO(<(xnc`WUOE)NH~f0CUpP*0wxGeDJ92(|t*onH3jq@E!_kH9y_E z+8#ClbvDD01(^<9nf*pJ^79#09WY(yC`77LsG+CMSy-0ob9f}}vRdsYvPk_(-%>k% zG#BLK>wi1(pd=tDiyrwNcWA*_H0|{mmmxpV6D-puTcnN3u#L*Z-i9D%NViwAh|Rqz z+}fPMx6&>`dE1Yr1+e%Wm0j$h!l)p*52_quM}~*iJ9Vjn#@9?CwgmD7R+Z=cCvh$c zh_Xb~;VTJ}x|UydQx^`;y!n!xlj;Ha#Yr1cElBU8z-eK*i5-y15W7dj+W9oD5m2H^ zw0M}R6optI>7J{*oK>PTwPp^ohbnw7sHaCw%=8)N;0Ei9m#&fKsMcK;J&SLH71Gq^ zSJ&AY6$3U4dN?R!`?D+d1i>m4E+w1S1{j7C1Eb$CqudG*k_0e$iCkXk!{Zz0ez*@+ z`>%^OGEGfQ5sUiPi&EOr48Z*Q2btv?rJj3@k~1+uW>vbRAzhmw(o-s@@X>EHypXxE zg50tp6uJmLoSZ2hUu%;TcJs{cL$U2~KQ6h}eB5t6eUd=dTA&gn{k3h>k&rH}0gY%4 z@Fah*suN^^OkL&cBTVyv1Tp+deB(Z{WmEJgCMF81PGlI?bFE!;sD=5wY;Rc~HZNx0 zTj)}4hmvQIKq-*J|9U~4zv)Tn+YDW^`U|rs7UGfTL3*@P@f!mSGYeq>Uho64(aWV} z$FGzK4n=c$%eTZU+I7h@Xg%^?4}MtF0+Yi?r!W^C zcY1rZiloX7Ki6Mt)U{AO6A-3k#cWa`J z1%ZKq^DnraK29u2QERtEPJ{z18oCfrAB}54*4-X5u)&ZAi=Z-Tuy1Z;DkusS`lt-7 zOs}l zQS1=ZMF@wVEfXjq*3$R9-CP~;qP7u(@{0BW94HSSQ2H*_tMINND8il?U=vO^=_PLg zXSfP+t-T}^gxjUMTo&s62pM%kiP95`OZ$!=8)zk6Kz@4SsztpXXWmGf-|5TQm$w!~ zk7le|w{xN~VhYG~?cwz*5bOa*uSv+(tSYqh(C0Hv5ZS>J?!?y1LTo_0*|0t|WPQ4T zd&a)rG2i3%Z78#t+Oxr|4(AR^T3^u0{Uj~rreV%4 zMR(ne2c%W6tt%=jVq)B1A@$QbAWjV&ebzQM%Q9_ni%J;Nau-)Z1LF|>qYy`czq zuFeVmKUM+&)YO336?Vn#rMQ3;6eOezyYX9_a2Xvb$U-ChD|CnsC8;wN#FVVd1~q49 zM2^})5>V&gSQ8wk-fRMshqyh zF7pymD3hxLYe^SZ0D(L_I)g03tWeF%3lGJ{<|OQ8=e0$bdb=O`{M(CTSeBv@}baj zjeMO{e2VCMH_BE?G>b6$A8C*7kd6LrNq#qQ)CoOhS<^!6A$cZJG-(WyB z6tnHMH{{A2BrtRLP>92+rDaieT&mm<17M0eIqiLGZ8?^32&~u%qoWwCv=1od?MA&m zwiv*aUqmWXG8If7y-l8E3RYim=3&2&nyBYqM9#U9_;fDvaJ^1jFA>l`Wly>s-3iE| z=mYL%9$2E56UjL?a;b3SkGCeegF62R>Ky626Bq6_@J#`|{RN>DyIP>S#}W=xTv0Kk zrJ8zsdm~LDw0{om2ta4@AH=0PY9kW~j+xuW9gR@b1P9Cr3ha?%1m!R)a(*5ZLLRt5 zO@jBYDJm&}w2pfJd*F<_=HTF2QE7m7D&(?fsGaR5%eGb-wj#SGz%)8W_h!d9*tIij zdBw%WT@wI#(;Es0LlpdGvKi?mmOmW`3M&MlsUd&RPr9Tj{U+KATzpomSXr|p^*`$otg^vyq42kS*qatb=Znr z1(WF_8?)cEn~PV=xDCiBPg8itP?@FKMqQg(GbN2CyO65a|7Ic3+FWGbcHm%fJ|PDH 
z=~*VI0j&p%WgdvmQl%%v!SmM^XMmW56a%H>T!SPP&e0hvTaMGc(Xl?m^cvNHsi^dn zXylRBCKi&-ofAz4U!yI9j$AlL>L2zN+6Rc(TY}zv&y2hiBq>@}wS3x88-?yuj^8NX zw4p>&x+zALm6esMF*{mmqid=OpB~Fj1}@kk$dpeyYyz_BkgV>SA{;@LW)sdfjn8kT z&^m4VV3@VvzNrM&1>NGpi7f%x&0zmcHamcMn76syRiINcCTGsRcDutJs#&ca|3A*& z1FWg6Ya5Q^h~rpz97V7IU#6DF*oI5U8#S41%cD zZO1`VV9`Vb882e$rUI-3EqIe9pgBgcRW`kV1s>wSu|>?HKdh1TLd*=D9?nRdm6nzs z2TJ3t%>3|Tpm)c^I$?;0VYv;7Gp7MCNfqk*gR8T0b6X*O#mueR6Wc4l{Nc!I5Mz9;X*d%xlxf6hf8nDrIA}2FzI~Ft(I2Tdu2M z!Yf7Gf40o|4bmtl|JX0u02vGc;2_pkK=T!J^Aw;d$pbbk2~ds6K;4!feImIv7O>Dt zPaeedxBZ?>GIoV(^;(Qafzy^10o1&Yr#C_F&W+v`$)Mt^Ca}#E-20O0dC0LWzW{|X zfHx+3{jTI0#DU-DldOakqR(mTsAWa-K~IO|j;Amh+D?G|X;K`Lz*&ig5FsDM*jLX$ zE5GOo(6Bw#vD|)lEv=l)c9bH_NDq)4@jxa?0?l$E%Kg(K#5KzSPM6|O>lG@~0+27O z{o;Va0C6-Q56xPs_xN#HmLjnYB)ka6ev41#xfHN5Kr_IGdK494Ul1B2>iN6Xt8-p$X zax7iA0w+SKl311iBKW)G8SKyy(%k-^y=Nev2YmVZsme+qssqIZFRu)_6V_%5_i}q& z?Rfb8J)LrMolBSMl*RC3%@xOXA*K!jzZW<^6>KZd@?T8&k-9-`v9B;*{e96ltgskN|YM!PY15#dt$1G7+Y41 zS;NT)ZUvd3RoNhY^66a&@$Vsb8egLf#BQx0vFH)_>K3)#{D{Fr#}4pk=n2|kF<$vD ziy-01z2o7BK%t$8-@U^?=z*&bgvsGQ>e?M}DKbBo?Wt?c!le#44I+WZB~VHcCWSX>s16{#$!BZZA@Yz3|d`*(Jkflj!CcBA=A%Ddp$D{QRy_LJuB#1kT;Szrp zb0s4gL+Rgq#~yfFbr7;y&B@P!)cmuUkf6^b3_}yxr-(p=+yM?2_D3$Yx4l7cc$Q?$ zL+_c*4wVD7?V0WtJm#%Ohxy?@9%NfF22d5C}WSDW2Mb1EONno_uKzibS6V8nky{u?}()Gvps(|zleSqCjW~OLyyfCT@Xi1(U4vXRD4II;4D$9uz!5<=m-EOgSm1;=!oS{KRiTeoDzWO>g$VA|EAwyw zo){4(Gh!xBBKktP*N3B^S6d1Q(M{_EAvzc58EiahdaCA0C!}N|+RJu^U(T8#Y~0Qa zg&(}6gULwcJ{l{`O6iG&{e$7?Epl z(jd3o0bPKDi!O}<&>NUbW--09m#hGo%^^uPA9lAuD2~XNQVw@Jbhm~8A?`ec8>r}0+7AcZCJ2I>QA_IJ+!!1%tK-NXs={V z^;98fik7&SoM&7)0ti?ig!iF~%V6h*yP&f8Vy|MFclE%U7cj6n06-PG*f^Mz4|#Ae zcr`{EL>-0PscYn2|0EU!q5@h5+t$SHHNTxTDX{MI9WRmdoayT7?&g3Icwm4j zJG=|hz9&A0hJp~Ul2>~-KxoC-04+L$1dgWX2a3zJUV^FwWZrm+)IfSFq`cLAC_U*a z0D+=Z^Di*t1GSc2e+LLmd*f2P26%$lwt7MB_TjbFx&9(3AP-&lB3b;V4`Pd%Iw=Ed zl2@OA*}Dn4?7KCMb8o-6mxKGE@{MR^=>FgumYA#MsfK&--P4=EqtyQvMA(?BtaUp} z>T!KSCY|W)?@4Z(?7g(F9LHm1R|Asu?!?Aba)9N_x;XW1Mf?(|gggyy>{x`p6ru 
zLhMR93Ex?&**Uo*Q)!0abqh4gHy);Zo4QL5jOjAV#H$Jt zhV`PCr~CF~CHqz3K1;s#^eV=!mLC*ktc(;hR#H7&1FIIjddR;v%`Pk$<-L;IXfWV* z@6p`D-+KmbtS%Z|4=8cUy<6Bg(~+223}hVuXF%~)OixX@vW8xwlsv>8?odoNReGun zV*3nlPPu7|y`qs+0RG$GEl~n4KlZJT&2y!O< zORZ$74TdfQ(KFIcoia{Ffc2%JQY)yPe2rcCLy_6{a7Vc(4WYqQEo?jZe@?<||F%tg zlk=PIouy}4ss1Kc>QhFu)(>c;7_wW=f5z?ZHgwERiJy@i!Db&JB|x)U z{~f|Q81nqUg%`vvMQ-PLA0AIGy-lSS;a8Tx?#%M zMQ8h7S>}9MI`Y7eV8HVW1o*Y3&3n1~q?m4+z|$QO8|(HGo=vtaKwNf{3|d#PnATk8 z^!>c=K0fj`PwISTcQoY(il!aPe_)aE@SS0N-@Q^^jEIZM)_~@o5Xli-yTM;l7aIU} zQv0OoF;T7N^2yAiQYdcTe&%o5WW}_z zj*=rGI^S$<7K)v(>sq{H&4=N23GHUuD+Tg{`WsXQG&npWPd9C+o)0^Q>fI^2o{|IXRTH7x>$U@Uo`*VALM{4P~YzCkmA!Jj|i97GC*6lYZ#Hxi;%&;1fP{Vqj z1OEEepB-hLB!BjF4pbB=vyvB3Pk03ysqYw3tded+&u*hf|{E z|KkO?+n(~$!LUv7k36RSOF*Y&@oYD8|Q^GudBCt&)}6#PS&$ zUZUH?CzgeU#_ML5-rfTdijs!>$^M^Dg2RXUz~*0|YjsF?5zAfNh0axpO0TNC?Y(8X zuyI>RJ$yQfwpg`!@AxJ^Be`k$AqPeXaGy*6vMavXo&QwJ(@-*&Z+|{1X8si5nrIcI z@J~46RzCLp)>07eMRaG!s=kCDVNXNbJi%_VP(>Trj49lPb~W+@R&?vU_!Ey(8QeHU zI5fPVGDJ@Z$AitbX&adRC0Dp6F`Ptp{e3#d6vPRM{T-I%eqh(IhXLCIvOnPUB%j#P zhQ$>a(|AtqFK4^Y=&ya!)WbC0&*GAFhzRv?4N`6m3c7;@@u5H+by}HOsPdTuM{*g9 zTQ8^Yzp$a|tTh;XajTJ}XPg)b4x4k;WCJ>Pn8m8MIpdRZV^{g+ zGW0!Ymi=70wvc8?`e3m-BqI4ZqO7pl@|<(arp{K|!^Mm_te*Vn!K?(vJ3wB1^XrUD zz0{R~$|4&V5;qEBAlb5(kq|S*W}bdN@%!GLu(ub}3l?mNW4bz=QWRueifm!HAjHwt zvA#x;FK>Kk2pqH8zkg+;k z+D~2Q#NGY+WqN2ODNsrF%*a|VtyJX!jIfV>gieA4;0vU{O$$}Y-_|0_1m>T z>JHNi$1mg;WnC}hA2!xWN;%9)t~%dN&G61}pOwt7wpJ6&7;V#78*28d)TkWox5BMe zY7&>b28P`lMmpldu-Cie#UPg(_A6p#5sjSGGO z**fLo-8l335Q(UY))^m4FC^sz^S9|d&4=gLG1X63yD91U88c7TGhTG|0_V&n?d@cF zfUg1D#Zb8s*a3jA{5%jupQjI+{6$v7uAQ#XlIBwD1G%+tSe1Z@NWG25_PZ264!kNq z|G^+-E7gEIXko#ZZK>p~rtk2&zUTY$y*1CTx9u=cmQ%z!*k?RyVf)vQZ!hU5Vgel} zf^L`jLVIQ948x6teQFg9M40xSKa`1-qM#Wpw_$|V^wg&Rsp$;&?Nx{E%`z*YJH;hO zF;^`0w-bX5lc)Cl+j!Wm3Irn7HOLKJvN%K!7+7Ga5Af2`ovin#8SrvPjlj<4K)9*WJ^|Fex zz>`ZXSjJ)e+F(wXCc9w^haIgEQ$wZY>$0Z0SH=&!X|dFjQEAYFOu%!tod+T2yq2W=w6lfiozzQd=XPK; 
z&MOK1$52N>0;qFQ6cj#g&i?#Y4^Lu$*VB-JeQ+u)Pm#PUu{o%O}=swf(AjG{vPgYv)Aj-2hMv<^YrTFSL}ks-y2rfdSAXOpB~0nrbW)XMPJ6~dhYG(wkx7DYQ>aqLxB z@+!^&Xtnxam%Pl)s2|Kj(uazbJWx#$qUib}{6M}7IhN9~m!ov?`TKut_+aJUz>O~e zIR`R#0UmC*5lY)-(e=$Ovw_8JKS*nh4p+bph7E#ICS{Kjw86u4W~;4q>W{FWOBwGS zx(Vr{fabRhG92GOS3_CAoBkwm+fb9&n!AJ8j?f_VMONVk@nzuI(-|u;_w_64S5Lo4hSkDl}JhbMi+6zzMSiI4~iUsoo?rJ(HE>yxrYk@j!4v2f~`B!)*D02Fs7M z`$MRwWam&%N05TElg2iIj!wjHv=t96fAIjUxmrvC;X2^zI@c$Hn>Z#WrR)IbH5*;LoYIZgU25~Y60{c8~2+K4e4NgbJWsstPab50>I$cFK~ zy_1IT{ICOP1X6dh^+{3C76J(JglNFx&r46zO$K@cWnF|B5)i9-!h_Xi%$F7eSWG5R zJZOG3ffaX9BR-91X%%RAAbq^wCay)Ytr;V0LClrwAR)`B=W@LRFUZrd-bu!ijC+ty z2hE@X&s~GamoqIYTH6?_Mbk_V>Y!gSekI?C&qZXrc_jQ$Nw%n0`vOp+bY`R2acllq?QS5dwxajzOW5jxr){|F1M31<2fbOZQXoy{!U{f6 z3DSTI(@RYyf^GR3~BPgs=aJ2|slkBF)i`7CA zuQwcR(cFd}$*z``v3+ZdM$KCx;dVUQ^=?MzG}O(PdX)xTSK~%X(6WvyD+ca50gHxN z=Qpn<)#!sKoE%{+538pLbcKH^Catd(lNjt-ieJOBe4DXA)qTw+DVRw6Y$%5p2;wCayi%q1q8}4*wYZ1?Bk?f?7;ng-5SjC zE%*99=YX1$DS=_nSmJV0jKk(uhC}&ioxk}@h&%caNPHX_%3&)xc4nQ|B$V|hlTFAb z0D~O?^~EOcJS$@M-<;I6Qo_u$bV<8q!_AKTq!4AQD^tlnKQK#u7Kaf5>OYBpn+`s^ z0Pe}+k*}B{){0*RGdR6y6}dOn{))R9s^gBAtY3h7)#yNVn`o<|(wSpH%2`w3$QCeA zyY9@1WIFw>8qIBz6tp~A zMf*T>ZOu&iB>B)l`Niwkd7l2=Zw3wbzl>@sZQte_;r5rR$kH|@-9KF%x)s- z*u>f@$%LH1rKc`p77P4Lg*F{8;1CMn+CY??wnJb#VSljdO6QS90*#l{;6B*Ax$MT) z({QA}BOWkQ4_f}Htgt@VwgW+wpiW9Pfija9NKMLAEUQj-XVl9o_NNAVw?&HK?zX(7 zZi|&3YP6BamVSNwTs~OS|319tVw07j9f^P?h#rWeO z%kFr<6+n`&WSGLhDk0|tNM`33t9UVW`RS!_CF#X2Dn7$@?&9W`{L)Fglio+Uvq)6u z(eR<|ocZJO^fW4+LBBY2DAma0<>?%Nj(4v7@&I07R=goA`@@zsnrjp1NT!7su|Mp`8KXytp9-(3BntaiSPF`Jv2lPgIgxtrBz)a|HKzpqKSP4?LN6;p-X z+LgD{ty)gkr<#(l*Se~QCB>@+;eQc!-Lg;J=&;!A?KX4Y_>c$*n$Yl4I~Nh98lI@J zdb~qZCZ{PeVeFBtNDDP5F0)YT4LucJ;^5R34VEA7PD251!UBsIR-w+JR>*b2tHUK? 
z6HAY!6Wljm?V^osD>(pJJEPrdA#2a;^|h*M^9**)z@M$SNzZU(87_RzE~6G!5X)R<2>1)6QS5suF+3S6@9^nCv%=(o?$Y(a`~KtTbjgrhO75)@T6; zg9C6+j2{OI#J`aGyJu~uEM#37bFl>5VFt}srlvhnTddf&GhRH3@R>hY1VQpFC+3|My+-qMJK!!$rSX%~j$S5xk+ z+*gpoV+cp5pfp#F3v0q<2i|`DZKX48(48?@B2QPT7E`GlFY^70@*XdrABT5`uHmyf z{+_Y5D5nd79umBJWPuvwR$65+)z?4LFHM7pBP%ZO0~o_Th`D$N(McFF{Hs%H z|3EBfV$-l|8;>+St;KKqW5OCGRMK(i!wd9ras|W@Amu@)ntaBWni|xYeaot$jnW2@ z;7Kcc?W_w4;uX>R(sM3&26$pQ1!u}i$Fn|_N`V+kUHIK5?%_#n)kgLy-=4~&=h*%g zh6U2#22gF~0bi1zRticM!J9^{tq1YX(idfmimF%3(6w#^f~+*oAmPdD?3Rl**%xeY z-ue`N{;WnOI=df71Cm@?qcArkd0vFu*VW(ObU?wYQbIu^+`s--g6}7AybDUfnkl*m5<7?LXfO=TGiwn zA%?j)IEvuPOC+^(K~?dQHM!g0Ov+6IAklznRCxQkX`7O4N(o4L2MAaBshP7Hkxd1o zA>o~8VlqG#3=)=3S0Th&CT$h{h)*1=)uw8~(0sw%7c}J^MDs-1Hcs*qcOj4Hn01nJ`w?d);Zpyb0{z z9Jl;mG$x%EOOxt!lH=;oD*XC7a!RAP>XEe{fT{1loX#u4j4Q6}lLr)o$#ZXs2bNxK zU{*?yPRHRxea&to%3u{7ocf<}Vrdbee}?o?-1^Jw#C+nL<+$yVd8kW&)L>^w z$>dF`xMUdznU2n*ueXQ)BqDxFiZ;Y*o7($gYCY9e2=B zs#swtrS*G6pIDR%^)Z|fr;2yNO5*F=Yt^#M{Sw#)&@ z$012tczl}3%nwA=I`sjpHjE+ji(z^E6m8VOKdkXu49W_as=A>{WqKPlXW|D+zJZB$ z!tbtma-*NYhZ;K9ZU=N6p4vPAkT;bNPCyobJH~>!fn0&(DoyqE2wDcn8!2v0GKLZ+ z!H`dXi@d?NgY6B@QeyoH{o*QQ0W+BY1NSo(v;!E9!7_dq7m#SJ?Z`^iM%3oKvbVn+ z2@@>P=KzkMIq;!|%7rUn(y~m;^5C$jnezIy^X3pve`Meq5R*WimW7hS0q}CE(56SY{gx@zDF{WdAi8Qw0$84GNt@Y4>0=xxtW1Fc+%%EdOs`C>-O46*B~=u(-2zcX#31 z=vd(P+`gwGhWrVW=DU0Y?Fl+MQK<|_>S7|VYoF@xzylFnZU1X>A((EE7$Gv5y4^|C-(~%uzo`q*l+vI| zB*lMYszAX277xr$02YYJZrd0C5|V!*Q~zH24Vu+&PCmrdv{K*IPT&P(A$uOY-f>An z_koMdL}oGHK$NrdROWvkyxzez{m+24vJ)tD!6&Glm>j~aj)7-ZxEta({|}kQ{}v5}*^4S3%B}e)3;D*c z=}Y{~?08xp6ej^38$r(gA9KYDNCV#Wm*)WLAy*+QeH8BQf6)y7%_w%*Tuxt&l7o|` zor?>UkOKQj5SD6cmo9-yegGDb4t3*4xYhQ_e-c(OPd|v`I9J`iI3U~0Vk3}j11a~# z0G#Jz49U<9qr zzz!;b(a{$VDnY=_vhtq8S!x2PH4??g$~Wx;NBo6%MIX3vpq@XBy$H8*c!8#DothUuK8~dT7zQXD z_rLRYRayK(DyYxO$ngInNO^!v@s>K%mf-R?o89p`toK zenQnm;8jdC3Q*A&uEB=KPP|AbhlYo@z4rO~vAWG_+u7Z;nOm(MF!!{Gu>bDVg-m`( z=psv9M37hTK8|LyPNJ(hA|l&w&NAEOl4Hre%P5px&1#<$=Wq0J&M*gOS23h$?Nhy- 
zsyn@+Z(w2D?#`l`v6_Q}MZViL9KX~ox4S!t0QcH)>jtiWmdOBZSYQ68{r=bNZh#x^ z8YPt6{CGrcVRZ#qr<*EHmJMp|=Q0WlUrcR)Cy)#OlHE-86{=kU3_eiyGz!#70QRZf ziKM|I=e7OA5tX*<5#f`(y1nyjTb!ouqzChA^~~vKCDZ`rRZF@gb~Wr_>Y&TkHtBY| zD{+EXH!k6bQ-!wK@`q3p@PZb0>neh+1S+}#%4}pX3z0%o_DveqUA1xdui2`Nl`8S_ zNUHH^`vCGtOX@vE6D1wWIs}Xqmv6XQ(E`94?XqS7H8&18X!Ie1`lmKrE55qnF0whe zExTxx7$5YTMYy8(>o?Cv`?#w!kn}Gqz=M1?AOKmv%#4Km-r(1fq{{bEiNZ zHYwe@KRnTzd@V}S?ul=!OIJ_y%9qWDb22Nx0ppxbp|@_T(GI0EgFguIGy`r{k~&ud z=wN?Wdm^u5jYv}2qO#Bj>Y14fj7Jri5la_sL1V1%WoQ^Z`1S#p5j^#UgvMR!>GZn; zv+8y;eTfD}Mn^HQjs$q}Cl(3+H|^#hSWrLbRZ8h=KSvbLRzzmC=qjk&AKe?q+cD~5 zY-BVRseh;`gx|6SyoOxp19nM8l>UjX9)pRum(*{~yq!6vn29Wrj>*bB9xw^~(bjUu zfkqnn5~^>)lrSv5&q_K1fFihJ%UD*km^Q17FQ|KRhmu_~^o%=~+xM=MlVzW7+p6}w z$+q)qPM$t+rm(lA1k|2=u!-urH37V&qi8H?l$zNSu1Mz9_MK9xK&$v@8J_Dk;>65U z_^!|GQ$tNnJZJQ!@}C?G371IIK53OATjdH+Y!#c6s1s~!l=T;>4<~ViFtIK1^}&{kOsx|gexFays3|nZ_`bYu-XXzOMLcvu zF33s|UvzHP>a_^+Q?SgP-<-lv5%!Q&Q7!M!opYcG$v@2 zNo`sZaZE#d$puMSe=7^wiBrR%DxdJgHt$P`-`R@jFd)OkxkXgc)nh z)ZOe~JrWu&AHXq-Zax+r`zmH7wsSSBJs{yBjvyLJFZeKS29i9A3BoM{Ev`vsmck@e?_sk!A*VQ6xGqm!pkcf@+jXwiJ34_L&;gMM!af%eGfJ9 zSwe|RWCqdQ6AkUg7L^yGVXgDNd09#a!LPysk&`F9g!F+%f(tD7be5^QmUQHtGk5zL zuJ@`GP|?ry?@o`%vB#WFtC#CGfJIgtd||T=>ofgu9L>o+E)B7adyYAhp5~s1c=S^S z5}Ueuj#~YBN+nxp6je>uC7-lh?<@vV$9d316gd#QUTX7c;`JGj+AEP}7$+1G{w7Jd zP42C6*?JkKiuTKsylI-Q+o2DAhclGr^Hu1}5v$%o>)xAa#wIoS_Sb^^in&KY+hqnS zTlR^ZqFS48M?;j)4tE(Gswy08(35vldR;TcMXrt36$!Mu2@3o*bwI)| zzxhe7Ycp9wJ1c9hp>L+tz|hOqBPNO4zs_N=^jNXfQSN)nW8R8n?Hrf3;sG2O<`8X`0+B4 zhhdIweTkG8=|H(UU;*ZE-V2x_q&}5fnE0WK=f(`jV`jX>KP_Oh7sZ@sS>Cf}0wklR|#aGnxMio1Aj1 zOcQ)kd;4n?_!WHJ)~@^lJYaHGy7ySCzKq>(S?Qq0Ik;}uW_HU=&g)|v$DWA{XD-eO zjN1{=mr-^d`+znQOou&~0GR7>PFR+=c<}O(B7Uif;(I5yoTDE@UQ5$zBq-+vLc-9) z9z3&1N1u{(H7lEjCU%m57C`bGxCY|#ILK#X18yOofVOAw^)c{aLuu)ZE72Bh-*VVf z8&g60d$~^ZuK($ftKAhZz3@?syE=Wa7~1wWW?+-B?e6@icN6BqT<21K3ShdCHJh? 
zQ&?Kr-|`dnK}Y^=AU&u$oDp7iePuti#1=$|)tHQ00>$@$z`qP9F1EmulDxrLz=>MH zvg7CRkU53}E*@sGB3Op@=5t-ewt(Oi6s~AQrf_FCJLNXPl>08Y1FFmq_0`XiSy5@q zY|u2PqUQUN@i!fq&ILUO5bvg`?7MKBFj)C2(_gaHMk!suY!-C8 z95*9cg0j!x5*WI8#v9Jrg{#zp|6J;W=qeu<;UEM>)0r1JCwn&u+Aq5eolu~vz4k5C zY59NHei&2u&i`JXPW;d6H%0y$*PT7hPRsw@u*UxM@4Q7wS0g7uW+Lz{|IIs5`yWcv zVSY#of||Yen!>ji8o^6rvMrWn%7O}gtbjNYkFi@0hC+{W>EDM4guFfd!=CS4_dWie?@y8ar>{po)tFdEB}!a6R;YE? z?i``sbNuV;b>EbzI*q#%RfL1gS=`|Mkstai?MQ)Xi*v7Uk4Yq-ac^EGJG{F*){ECItBcL34@X;ir%XeN0^+mbQ61WLgZ@yZfzm1qb*%k7ze;~v z6xR8wp-I*>(@-f+T2i52{1UWrk9myYXKC_I!9v8r27lY*nYy!b9gMTZZ!OdIYYHMtl2Ft59vrZ1PcarP0DP}Vn3fo&!fvkUAS3$*^FKbyML}P z_@F&l)TTb^e_yP-sh+WXjol?VtO)=s9rusb%;r)u*0jCA?3T$>nvi|(rFIBVW ze_P<44>m-YM7r}H{vAvzOklc|mV%z=nK6l_AN_U+FPQBVwR;V@kuz(U5Y)00vVhtX z`R#9uv(u3!v%eD;+x;4P1@vqYk=ActUDA{xGRI8MCs)iG_zinz+JFglri9jOM4o?l znnm30t~%$a<4(! z|HX`zA2K@ybtCwY5K^?srmFaD3#jwPx&jXE@Cwe2&B-4zG|xSAgLZJJ;In?k`s{>6 z>Z)h>^ks1S)c3zy1zCV4b!8$*eGcw?)oz>azh`0KZ1eIcbLVa2wA<+pN5&NWphH1Z zx;p!VR=G%JtNwGls)Emz z@BjVtmBwalLO4QfKb7hZt?hS|c}Zq{IB+X9veg56WLnW}xhsa(uD+@!-J1RI_y+M# zuouUvn{h6EYC?nFS7Y`bN&=>eJ^wZ(Fn?&s9JBOpFVbV`>9icOWbI}(@!tD5*|%-+ z40@$ww@{4tKH2L1h@Ul@MhejR)N#W-4^}16ntAi{g4(MdK^u=bV6KQ z*P^1YTS2)ECQqru-d%t+gJr&YAlJt8^4CTx*va4(jg51ImNxjXRp4gE^bcX%gRdpU zR(sfpg1bEQBErnBEt2D~K5D%4+wC4z;W>i66tB)`>^;I0ITU7_+||@e&oGonX`$GH zbw(5Sh)q$Og9MT{>KMuyqo})DAUkv;{#m-Z{m`G9p5qaDS3NwUry=*KJpx|nU{3iI z9hVXEeR{QHN>8qZ8!N_w4nx2FmBh1ciqctmssv4aeDSSS8JGSl?ftxFuXkxYuDJ1a zJQ18$(s2?jz3Sde@Q(ewM+c|Bn7geSiuHMr%5>q)f6Y9NZ^xFN*HbgRKP_ONf%2N~ zc#)6S58M=FGQ#3tZPjBhNEQ~4m1iVIBXzw;B;&pVia_w8KVS+;i&3WeMDc93j%o|V z$6wgI@bNd4&@KDI={~4q2;Qs36<>V6y!+zkF>tRiLQycZ+d~h52#7cn_|!3um%i}M z>{hOT49FdCf5)w2`I<4ep$^Kz82hPv-D}P@tF)Z$$?JXD_1JG?nbhRUF3k<3RhoV} z%p2{WD;+m66=$5jWqVWlt=3(=KWr^!HO`13(Ty7WGS9$t9?&A3y%$d2xwthO}4+eK`$qa}NMEiHxz$%Th)=kgq)rybm)8T`* z_IGElef;1d&CLN#!e}yIDG*wMG#mE-RKoy zgJk=x?_7!qd;9s65`#?hb06oOoev9ao^ZKR{ne4<=+VS*P_(Ok`YJ5BrJfO|yONXK zh>?@AJqhbYNtr^l<}%Oql%ktu597ms^pMLVcsG^Y$Sqz>gJhtTX19}*!P>xy@++qR 
zuL@3*u6>ae!PlD*I5l{Kwq4*6!(kjB4(UX^lcoiwTdAVK$By55CvVDV3x&GUEh5uo zV;N{!BYM&^1LWu2LY@O8jr$cQ>GtmdNfYyHbj@VkawHd9V}iQQu+u{RfaF3@bgU)K zGvwjZT^{F8fB8L;^5HX534L@T+M&B{8kuPF>msbPS@%8K-`2sIM1LNN!gVEh6I;y4 z)AdPOD4>B%NioGpqV>XDWpu)`afw_r=V&iijKvvIxq1&p&oI`jy;nW3O;?g_>tMX$?$qXlYxt$9}W$e#K@qOd#M5aJa{yS5w5WAY&~pW8yLbYkfTBm*yu1S#EC3?TP>C zC!SaPyw{E2-`8DhLj%gn35v_>#%~*uT;(#8ht-4{g^ksGGp46reO%krDK~l@L*bT! zc(-cg&4g#B7&K>a?+|A4d^Hv1LuN8oCcR&!rM1Ij!`nGwpg9U=Y>`K`O;?8WA{;m) zbUJc^g3M*if~S3g32*p5Xzt6@H^>plH}EacuXk_uXwuEH=|2?1sZiY$SVp&yvJa5W zFE%tXf1WGsb340SG`YhJEQh7T?BKzAkGaaIOz$j9n@RGTsTsGgibD3-oq`$VpId}o zxLeQbZhcbBpP22zhyGFd{VV?)oEqJ3e5mGY$6B&@9vyJAxP)kb@Osy=uoR;4Go^bm zrCYbFo1q1s4M|24PYS)YKjcO|G}Iro?l~VCd!;R=$GBkyi;1jqHy`}E{v>wk)8Z8N z{IH#$Eb^2aRcAn#e$0MezOz67^ugs%@}0W$Mc-Ms&&2#tRCD;1Hr}>su{r*u_MQnN z!(O9qy>>xc{rwVsIfQ3M#h>SA-EY6u9{y?W$HKj@oXj8nQRnjGfr+9M8?nvx7O!ND z>AJ*B(rjuhHZI@HwMJW*zGGY}hcriyH5z^#O+!p6I20WyszSy-u*Kb;kU0-U~ zMtpk0*(N&SPKKLYkLcj4(U(7qs;=~#`8FH4AFQm18_SqXiokdm)&;UxnaFiKTQ5ov zQBnDIc&`sGHoL7&_wz! zR|)m@K^NiVHcY_BREhC2(5>PmDqAMhB0(^>B z?|t$nrY#Q-R0l&WTKqJoP6A9~=F=aNBE>=t866$un#YG0Cr;u7{7DySv>3w$2T0U- z7Uk(SEuGGU&Q#er3u}A9ese=LnhD2Ec!(qBn<$vAAFMqd&0%a0@zZ#HTcEvpTl3qPsQY97yvng#P$v3r7EwPvyqSE{_Dzz&qCoTy(uIzK% zdC|D$TgX4f-hz`@`7{=5w)3V1xOwVlTAJvcWh2w4@k4e<(}#xcmLh%>35Zdo1Ou*3 z&T%6PBttS9;`3mpT1(6LI&G?~u05N+>@s6-`&gzXe%PM<2pGfKl|#lXiVocusnq1p zo7(?JuI09PUUuhM)R!z76<7Kv9*(gR*{L`V;|3GUTYhmf>Ao@2DRS1|b>TDoG! 
zF&-l%MzJKwaojQ#Y7sPC?zqdrE!w+0)G2u^>R?Kz{$vK_<@!FvRIp`2HPMEe8K+m( zQ(6|t<~!I*GsWKg@Ssx$H=Ha-y7;yC`f~w2|yPuOH?3_A|$>k?L zqg4rRg{3>&hLrK+OL>3%Qm*66n2#`w z5ycdGSXHYX*~h8w(23dY(fYz&`sNie{PxeBh(sZAIo0J!lw;E(o5L2it-D=NiQ}g) zo9||yyM?Y1Hm$N=zg?}efHfpU7s2oI`*Omj+A#A;#7bklc}hp2-$*_XCyo+HyxayyG` zXf%5=CnLKvBS5BW4ioXYu)!}eaACx zytwkXNd`eB7nkAEcL?qnr!So|{uRpaPgv_hyIBF3|3GJYS|Z}>J`WEs|3?euvuqI# zLEE!Az}f(ugXv5PHq{C8Z%$_?WR&eo+r9mHdJ%Ao2?-It_nCrtO)u}>Lx@*amwnRm zOg!@Z4*s|vZ|U_utAtUB0^26@jMoo&98Tk=1x7-G(kx?3>K*9oiSwzivON;Q_jb)v z%6omE*xBC9N=tilKNmEdrp&a%OU_%BcG?6`$2k+jzfao*RFO_F=}MVvCywR;T}4<( zxeJK+rG0=t&kYUZM;`8zQO1JN19^0Wxx#*OKq@UoJ_zAg_SsS(b_DzNJMT&aydwfs z{lZ*_4hamlV)`gH@_`=CGdg@Dy^FubZok>?t4SGdZVvW^M>)R4P{M6v1zgsyM>tfo z-FE`S&G8eDy`T54THLkW=hu|AZUZ$CQ%}!2EPFsZ zkG^vK;P7H!$=1_pd)4Z^RKN22jcnQ8c<6Mu&&JM~u%6HT@!?|7m_%URYu=>r?>7!M z$6qgea(p7Dv?)Zmc%e}%!U1B;l}Z=Eh^H;~Ag~abayKeYcO;<)X6izwos6lQ&oW1k z+W@6V=|Adj>VUWq!EJR&r^4wUEbmx468sju$zb{xcE8uE->vwhYAPUN8AQE-p%63N zh7km}yD@!ZpYcX{K7g5J3j;UL_n)P}Hp%sqt8OEAkq#JG-v){k;`1t)cB|8eQx{G9 zm*y-Dqm2{8ZJ*rg`#h7M_A|=^r78*J*$Hp|UsJZZXH#3|y4DriCHm)2SNM2@)ECbW zdc{MA{byOG!blfZ5hK|s$_u^&z6M<5puZkaMR|yyNd4&R1@8c}54L*4c1>#S*%*>o zq%17X4g8*X+v!2G6N%^5)Z(F2NIrXicW-y}R?_dDneO=A+#MyoT4XMjJ1^ee7lA~T z2a~iS4^52uJpsyzht~ATRmD$H_1^l>)Y*U*pxtz~h(L)i^`E~E?aw8rSc$ruDbgmf zfBL|~qUv39z6}PHfSo9LBb_!+4xe3+pf`RZXrUl_JIQQgjZ1E6u1EH}+8m)KVIWo8 zZ3dq5u8RXJk*Y^JtjjYB#s*aQ8^~h=CK_sK_0TCV2t>_mbjYNp&yVg+21e$9LO(yZ zBXGfvA?h)vLH)8grBdmW7?(^RG)eMriW+Pbg_M6g{Y4Q30bJgluDKS>c3t5iwc40cdPc!WdHmMMil|=5B!}Dsq%_zbeTC}H`;vJEA=hfW z$g|AF>*bjY{5YR`w<5wRT!azR1~V=&kKlf^=G(NKdY=hgmB4r0p{>WPA#c}??t^Hb z$hI^~&)y6j8(7v3?GY2syLw$Gp}v?$<9enym;uvk&Tsqck z(*Nc^%bpO^>!zw@+W1&F<3)K!@5|o;4S|NI_*iZ+51$M*orvW>_opA_YB7sLq~#v0 zd687VQQ-V=`tp1mu-?ptd#;?#U_CO}sF3YiwBpEWAc{GD@GSeiERP?u>isFgL&M6o z#m@J!U<-Fhi+-@F5-58OQw_M&?R3_`_(Rfq^t%=putptEe-ijfU)$6wfmREbnG&e zH$4Ev+@q3SO*z8dEKH6MTAn(3kn47AAT_-JlzWm7D~-VhnX{`eyz1GU(%?vbq{E+s|nvfKR&|Np84TCUh>-$&AMoYYV72QM&x&EGIYR 
zeDYN4<%lEpN}PUy)x8so>&HuJlTNhl|BtM<0IO=--iNmZM-({F&-g-64o5NS8E-NJ&X-ns2O)_x$etf9rYhC}+o9 zbB#IXc;E4kG2dB|}nG4%4E7{4UUe|UDLIw{T^PrDN0Y|j8z`fx`Ee~-dq=tYN zSNtolnFjz?PZ!Jvs`%;=JL%LmoWnO?FwU8`mh{*X;zuRq$KBm9EI8!C`mThv^@`^` z3Dc-uvD;bOw13ll6`C)oEhAzS9w}Gh>u~$5KjgY*rTSJa@Vc2`yq1~3@x8Yqdf3=@ zDWSR__Cgz93m@Qe00#??ZaMlg+B|^0pBb}2a;O$NtpZVw@?!HXi}y#IslaXb+76q4 zX5PEqoH?InY%oyuD7YBiCV~Eilirx2pt-HD@K>h-y>@3`ip{mPoa>m;uP+!}Smk=pxS z@7x3raOYFwQ%_lmmn3U53t>GPSyb+uqH)PS0Ij6tq*fvw*s$`4YcUzJ60b?#{F-xa z6N%x3uLnNj10Y)geODmm<9ItD1qe6qC1#ywy(@e07&N4 zk$E5bTL_=aF)3MpYaz7$`2x>E?f=KLW`!J!7tXpzY8PV5hx(76Tc+MeP$TxEs` zyvV<9@7{*bvME}Pa*VjHGJ7LZHorLa! z5)p4D6@WmH?89B|&)xqxb?Iy6D&NpS6H!ms3ofFw=j5?>Ck56m3ox3-3x){fpS769 zOJ+rL^3=EUo3}jc;!=L3o(v=*H2=1E6r=lCIG&(Wz+E0PB; z30H;ahNqftk{mb$xZN_0tuncn4fX@v);jP^l^L+AmEpnktiHH@`t*!z5e!t+_=pMe zP;LFXHzwo)OMc&=rJO7O`F8o4QQAzMI|5DX9Ndz~0|ABueK5BR2LqCdHqUen~bxx0#golj;ugp4nh4L6`Cnb5lJ+(d_}&P zI#dpcJWNX73hjimKy*5DePQ=3-&d)=$SyJa8@SBikR9HgYf;DpTJ@}u;JG&wIR-8ht~*Dh zU1FbGtbi)w0qEzljKfXaf0-5zi^(+qjuu`ODsdUS*K^Y)+Pvpn#U^#Ap`9<=>DBb9 zL{enwjM60kNPQ(h!pfbx*+`9|{K>+U4ctovgU2}+WHZyV&E%Fb^%9D%-YfXcA**R+ zG>)a;#<{+ZjLi4-nHx$y{+D;kSBOipuyb20FS7^w9|q?ZU5~+^dWO=yi>L8CRCiYc z-L^dBgN+VpL~TJe+yN?KLbF^s*g)e3bP(jm7nX@~#rCCTYIu>#23-l7sdfD1`r1sZ_S@o3 zH`N5)bh-~z-Q78dY52|CBVmHv6qz#3#n=z~2Pj%z z=&xnJ_RD)@Dp2^&fHis)|Dr7lB-{2-C9E)vhA-~;;^)glDuo1*0mteCVT~dDXY^Kz zo^$nwJ$PiuW0MRN==>zuG!?ze?OOF7iw&b(V|kB;8h#8~SZgLU~`T|Iq?p*Hbl^1ds9af)^=Rzh!XW zE&FP2(_FHPLp0t5Cd$TmKNG#*Dq+WleZTYK_4wDD)Td{+USC%`q#`pBIE|_gMC`h| zJMHd1!@TCP`ke1ou`8OB_igXT=U(hEjhhp0+@v0_Jaf+s1Fp8x%_!S~S6J^iWB92N zJ|xVT&_lu|5#wj!tS;jh#a(yvEvB1bft-LFRIyRWZy>RVpy&5&RJlFNLXM+mj$r== z;7a(D6-n2qV|(}Fb8HW=`mXzJj+%!DMu8**=2u!-?dqHt5xyGO=bO~yGxtx0vC=2r zGYlJZe#gaxTs0;s$E|j7-l;!9EJ~_wEX#{DbVrG@ zI<1LcJ^e&{LvHyk?y?zX$%|aTty&#Cgr!0tLhNwW;pkXHFhjh(0xC3uCXgUn2xBrf8nFYN&|%NTaoRyH3ILRtJg)Y zz3JvEWcXrD^A#BfYC`7Tah96jzk^^U*^@luu6$cJZX9|0NhlmtS4cm%GU*a{JSh6< zJIqq$UB_|$)`elPTY$GExd_}FdR-L;??bguo)g1rq&hUzwuSQVRd%}7kr%cVd7kD34^n+5!+L-n< 
za{{P=pz?!ydO(EXhbwa<_W`ohbHbXsWZsyt#09Hzo^)Kv^*g50Pb{2MD^r3tenIyq zvN~ab%R)X08R9tz!s;J2rSD7g(l|-54z~D_$82(fd)mrMkhz=@p@;6(A9@knn6AGa z`?=m0TMP~*`<;hWPt^&#hqdS$TLIRM^&)J=_>Dn!UMXb5fG>wQu*Vf5rAE=AA)VrO_$tyq(UYUnv-7n%95Vfz-({>8~%!z$|i(|mw6qezkO z;MXyT`EE&eBO6syx;qn0^PCBCtEl3tZ;vH%`bkb_$}7La3A3)2?4Fffouc)(C&B8j z1>tjN{-Yj+wk|R7i(Vsb+6}-l*=fzYAWPH zgXUpr)vNbY>5eB%p2tn2k*J-*zXD-Gp-o8F$N%IXjs|h*Nl9`3fX|ONF9mw`_Jtdf z*murYuV>LwWO7aDDSn{;NaD2zV*?Dv-gAGgaOv1OWU`gkf$&2hQ~J|BY=qeu*3V;( z@_~2ObFO0-Y(gsr!cs$%zN9-gGdfTCJ0r_6x+^S>jy(R|&Sp4+K%o!`$wdF#u9P12cjMVKn6UUWkNvB8f{I8?X1fayRKU#J!pY7FS`n zVpVC=OGUsXi-{`1&*s%}EAu?G%tCZk9}KAjZsoz# z#OyVkpMl_q(%fnA_{;M56lF*$n&ciyX$bfiE9I@vy>V&Yr`+s}$cg#0%xv$^B+P~x{gy*Wd=}jf-pYsbc7zguRsud#^h|~DICENB>n%DJWG^3*xu?EH#0VxqenEb4!Ua&=Kazao zx5ag;UN5xkiOk&;0@G+O1j?^?)<J3z#8%G)^S*S( z6G;5zsj~T=%OSoP+!p*dCj&IOGJRCMw@Vn?u7_1?4y4%qxeDJ<-Vdj>7HWn*thS?`(G^w-r@$Z?V?UDr#8hn|W=G2R@<@2+WRIxlU# zJY&4x|2_v((Y&Z|H=PdITTR4{W_=|aX1x+TEb@b(2nI>8>uDx-C2ag?^v0w{n|A;^ z&-a(lx#35%<`FV<^s7*A^X(%mi3u2`M|e28dXnwojcg-5t3`$Bfc6xDsxqK_ZBG#13B|v-n4jW61&D_o`8dz1`)fdEtb@EIIHY* zeS}R7#3~-A|9!?tvVENDZ{5tiZDWquS#r%}(VQHW;qStDjDeyi#8YC3HUVb1!sgo5 zw?~g`_Adzk6<^Mgp*s23&su77Uht$_L&OrurE72m%~2CVLieIKKVa#b2n1!CkNziW zNJUxRIV9Y?-4)-F3)Q*WH3cLs@ZmwCInp)vq}#tO97SC{rpV;Reko=I#|Oh6mkju< zwBz&b!3?3MPP+bake67@Z0fYM3DHYZM%&h+o107KHi3C$v7E7zRMghyOgl^abm#9& zB@S&>OOwy0I031c0U1|Mh(|opAHTCjv|fY&0hM@q=i8&$0=U84OdT#zA#`UEF|#R$ zC;k)SjW~xD<|hRsfyYqw!{}jYO7>WjWsI??#1EFt1NX;1fFn+!1X2g|b~8YL!zrm* zzSYIc8T)X!LhH;=7#k>J3VJBydas<3)GV8{MEDokr}!z_dhKCbnM#1t3;Nq(?``Wx z0>L4k5c58Qii;d!wJo>ol)<*501jo&m+@5h@v8tmyx$59h>0AT9mR3hb&IJI7yvdaBa4Hxoi)E?=dw|Nu1 zqTs!aEsN8Ah5SB|?pfIFA1qA43%!WKC$Z;tRjUs=gYgx46cS^=HFTst0>6HtA%O2T zR^s6s8M6ioxqqTIl6H5Pv&n72S{X#pZ%L^Yl*gwj_Qou~? 
z^|dcn*>%L>@bvqRN9z6k^`Qiltv637BSXKLP{ByzUCn$-El2aep6#Gne-J>K^n@aH z_ESQKz?A12$X6hnl9X|{buZ3=p7}cOgSDkPX*Id%&WRK2xY0F_BdY_`+L#^G;oRRg zWCuwQCTjGu*23tfw7Z+eAO=^FVY&abDp@~yeND^C!Y(FbI3y^IWc={qGWM`jUxa|3 z!E7>FqQmJ<%)(>2eBtd`uKfl7vIUFf7v9TCknA?L&|i#p+yD}Oq&eS#%ExCPPRbk` zNgcu5DqQauQ8V2x4BKc=I1+#1-g?pVj0g4vPJULPz#-}DdjnZaVOt!GBVMFekCFQlu~_SPf_LyZ(s3oB&ydkG zbJ0nIij7SY{bVk|?n|0JrNvByNL`BDq_{t1TTDTgq*?J@c3*$`kY}sD8q(S$gO12= ziH+JjS_fV_lbAxz(qwVhI&SsDc8Wv*GkA=^WSoLs>quxWqF3;P3b8V^@ zJm2LQ8Tl>FabRCZ^uhRS{Dg3}0Kd_!*kmjLQRh!xPUA7Z3OH z3B0R6bFXc?c-1qono6Wvv%LjYMki#lj{-9^N{#r zvdvP$NRX-~C-G!knXV$7>~XB7mKC6C9TOh1ZG zX24mjy~`(=)E@n^e5QSOi3XGUekJbX$3_q9YwU*xD_kR*ahX43D@}U;3JVSG{bGj*w7P!c z=7qvD63%d0N9Ny*c&l7@a9V1(VtAD66IesZ{MIp)0Ot`IULOefjVbTFH@&HiK|BIU z>Lo%|(PIK~v$i96kW{|_j&+oiW{y_X1W{O8F2O2k7W?Jyx_v5;@EhTE2D48a1M@!3 zhndr@sw^U$dX61&8EKq#6J6~uw@IAeCXD%s&i}}DN$Nc2|=IKR`^V}oeho&w-Df4g*M5h=WT#0Vs9H~Y(6j56D&8!(X^-xYe70XA5E-(tbom;L z3EW86V@?{`u&AK4$ZwGX&HJEa04bMz&-D&F3Zd$qvVl7RS;{)UJj`x)jFPARKpc_27GO( zz%~oR`U2+D7&~lWZ~E}cUzF%De~xqz<~HxQC&&!0ocGGOcjptGXNxS7)k6)zrvCy7 zCNHW#L6pvxR&B$}<=!)6H#0uako_EWk1!g$q4Rt>G9|0$dg~;UeTU$F(ryp!7`97L zSPsNeeL}TXi)eB(r;98`E>+F?d*D8^dji^wdfqNzRb(vQVur?+3p>iOuvP~izi23o zP%HOlOp{w@iq3pe=54m~)^uqV9$w3w9dCJ!#3Akl+K(S%3ez8%AQq8Lu;SO>Opjd4 zN$A6jq@<+SO^P>;PJw6b)A$L(8#|H#HSVh_w76Z`ay78HrTESHaowCEZKIzgLe5{S z4)f8NvP+Snnf!G-8Yxj`WkR;SZ_r$leNEga=I1Kl1lIJU1R-iqU0J>Ytc~msyZh!T;4bsTl6ix%^O|AaYl<_ zd@?m?ThFym0af3Gw5uoxv#hXm1MRWtpWap&q+*<=efbu?j+dLp?ZV$vPZJwg=1$54 z7f*=@jy6tR*B&xSPte^Z#axJcwx7ct6WedSkSH=_ zXT3>HuB%LbA>DWBw0*ju{%$7A=lpDrpll+4c@_0gAehJuc(k|`KvD`!aQNk{!n0Hs z+-JT{qWk!HX3(eX?jza_lGqp~X?YNrFQ#WU6gB%St!pEQ?A#|U+~sSzAEZLb)Wr+l zb5010?Pf*SJq$L`;U0%LMwi>=^1Iw`e9RKu``oGOJd|uWa7PhbNq!Zs>&LEnNp=bVPXJL0w8`~MX5H>aPj77Ry zKK~s@y8a0(P>wK2hM#(#I@_*rTS39FE2;ZNpy`KWa(K~<2X94(=!aLbzp=DymTbG^f>$EwP8?%bH6h7hCvC6VUB`bR{T8;V#=;m*A3C4t8%58e?Qo zeDNWcamAW9MpjxE{h)3?VcePQx`B}a5|v2DYq3a1J2%?txV9-1%VZBfzw4&!7Pk?d z?a(Do?46<mVDstWFb_;w)#3&#Pw@0j3 
zt9$HVB4=v!&L?kiT7>ED9jiX10-M#9f`3^i0-jLRtYqU-G`tKlhbyRAoAM5i{t4j| zl)<$(9}Q}`JE=Pkk$N)6ie@}68eIRO6u2rHICmoW0?+q`Ntz~-XU}TZzdx52LbsS?y?L`zdZ(IN z_X(>XSpW@x`q=8TrB!~uan+gKTg>*!i1*OfynnykDrRi~JY|O=H<`BU#>>T@yxa>;!RozFPep+*=M|L-pFEjf9%w z`OF5T_}wA8)Q|Y0NxP>b#vXh&2}#?zem?yOsH)2jLQ3AHPziBRhJ(mPt`YP&_1Ve_8FkN1+5x z=O73Og^EsZ4RDl^fK-$AJ*}xLo@F*1Np$beQfcp#1EVWdwUz&I?ZhmgJAg#^xG<4) z%393n40NjC{%S?i2m5i?KFLUqJ=NG|WEqrvkoV4~J%&9@cX$c2AZ$a@vEA1}$rinm zK2*c-Ft}&VV$IS)S*z~bSoTJl_3$K3fR8`&0mF}%>7y`|9I@{Qqj3kzA&k_EPN68& z!7DriP)~UBiU?FT?wy?>8zP#ySe-`~r=)U6@SKR66N@_J`tGDNAZQWsr*gS;`?7x> z*7Ki28TZ3p&B?YO(p-$K+xrCj#EdtmqwDDR#VcRG*yDJwN~#^q`VvIg-K#>rX%WlAGxLt~lV!r*GV&K9OZfR>>hn8M(-BAs8JB^(?3#D6N0 zic``{OZRl`+i^(>60=C?@3f|IbqpO1>x|;`p^GA9(z28s~uy>%r=4Ff{%vX+r>Yma1lsu}9+G zJ$3PErOAB6 zq=>nUF5Lf9F@u<<&R6;8G+*OfBT6mCu1iw#o4s;7^d5IER;t1UftGd@Fyc}?vswF# z)(1LSU*EFT6z*YZ7KC?uFHpnEr5H^;OZ&Zx^g$c$2LPj87pL#5B4%H}=eO&_{5Bfl zt5-d^ipZ&N{`Ulj<0rUKx{{^nwv<N5 zp0I>Whd>o$JX#w!zUHy}WQ(DLJ+CK5%o4B;8o;_hkJ4+Bu7;*Svk%qY^pa5T^Sn$W z0YRLA0P?t8f#BHaVdi2`5pk+pDQE&q{!YNv+m40_qnBLZt=7qSpTcZ3jxK_5r3bKj zPEl;>=+Muxn-a{8-cD;;PeK7q#F&RKgvVGvr||A|;anhvr-}@SH)duk9VnT^y8R6m zM=GciaHQ?n2^fc}w54sHRynD-OvZ$4j^6Fo@%SE2cQ@~v6{^iQG6i( zvYQCwBm+6N&R6k+___or1IvM!Rb`C=%2w-JlT%WPfoVVthQ=C)?Lc;+Hl9{;YHF3` zz1}Zsb17}h&g+!VDx>4C0oGEhSp!Hrua^_S7ilP}m@Ft}XQv#edq%U-sA%p>2F<`r z!Wo|E!?0=hzPz#ytKz&@Zmu=qIW_ksBuuBZux3Ard#H4*6z4w@bexE3ONR&{;d+`} zuHz`|m+abmnY&y22PAdo#bs|^9PYdEISB7fTX!%E2+Y5o;Y6V}l8(y9f%V}*hl`q* zUsSDYYA<{oKt^pU5TJ&5Xq9#pIII3BJ|1BuRlhkrYYAAB6?{Y4n6MV|1H@ElMMhk6kl-%+TyHU$&4PV)CpTwKSGB6-LgUmXNRh`-tcOhS-rQ95tV9 zD_M~?Ib>6A9S3Pkaw-2^ImlijoH}wP#+{Xs>aBl(erv)4PY=A7JrVVg+5S#AbcYL$ zR=A-szSGsEfCN2XTKViT4j7XVB8BR{2W_hs0nt|cp6PE$U@9?RJ6_$Ue zOUcZaq5IMOoZP~F8Y8TYMhR5ItS^;C-O%!?^u8_AY{Dhc`itdR>4ZxZdY`0`Asv_e zq`Bo6OZHy?r`})3a@EcVHx2vAN+4;3qig8O5z_|>x)m96>0VXc%ZX4OVz?t;9QBH$ zdB4);S`E{KLB^`+fG64yMZMaW(K4r>Gy^ASdQ{wt|CmmWKRR8MsJ9A34&pR5pO63> zo)CT|DC5=pYjqq@udZhlC7>J4txEJqNQ%65@50gdcS>qV6RD72Gz3bUyCs_??WECc 
z^{bQ?)-u*Adc`@$r?Sn*1&SdxwL!$6Wp(wO7h$|&;5&qhN3?q{vZd5&dZ4ndr)$D6 z{6-Zb=Cq?6p+M3+9_@e1?%`KXs(!sfACs1@p7Vdh|AQm>o8v7-!>|{N!B=l5Dn{5H zj;$w|a6KvYz0QsZeeHTLN(OvYbBQ2L*DsFx$2_c(ApDC}&bzRgtYdWwkxFF|mn0^c zy_z5+bd-pIFMITF7X;xnhx1M11>VXKgN`S>Ro?NLI}6+&4%2GmI=P*++U|WQOWz{x!0ES-~Gej`EN(E2RGjwdwU8hzf^g zHuLp;YRj@~zU?0`T5Mbr3DvcL#F8DQ^C07b3@a2dDZ6Ci1rRIGRj_$M^csi`2cH3} zK7umP8{;{stJ2b>J$IlwvIn(dT;j*n!g3;1r&}eeNrB}~(}{F;@(W8E9*PbPrUHsp z*?0;9glkB3-ZPZlEeTxz; zT;lV>XkhH{S8+-7HDBgcjcB(`zRJ{H+&sDFQ-Sb~*{~~1H{%O#BI@lG%=q#h-R1RP zd0yE}SZ-<(-JdP(LFUbTw&Y|{N18tPC^sK`p%f5(?SHgdpR~q~MN(Xl&vJVrK2M>V z>dWF65b8A-ldMk7Ld->-*C<6pkpmyPvQ;n zT&sqC_J%*WZ>JZ1*FY>aoBT~|>6$O3QDmBLWgnV!@Wo_6WnElsJS*Licu=nQe5tLN)-kSz$c&PoZRU%PU(dqW?}bhg#Uo`qdB& z9OI;@nHSGgSay-+VDGODs>`Ea^AhP`fgyFm_`8-FhDaCq5mS?v?RjciW5n^fdEqUl zGwBNRXwIW^hhm22(8}-L+!j9i%}s7TrDJ(b6r_?1TW<=u721o6BcKK zmRab>`u)=J964oCf{-O)Kf+=H!0W?R{Ucs*8A%EuSs)~x_@`}5Vq><>{eq?XGeb(n z;)Y?2;10oM7em#i>hCQpnx1p6TDdwoBuGkBnA39OD)r#hHlMZVJ8`v9zIq|y)v^0t z_njQB*KWGwGLx&j?OgER)+q%WcS}brAJSu^P8_dob-CA-MK=_L3m6;2(TkILkl6lD ziGFeS8*>c4blemQ^cSE86I{zg(Jf(tbohR#lHWKy7tT}vorVNTYs&Q)oY<70M$Es% zI48T?5X}c)J0XFTmctT+ZYrV~g(ABcq~vAAytJPWS>VN3Sk%X_#Gf zpr$049u{2T3fEbW2o;se^}+E?)?L2_fi;dgy1SeCckR<1Y5z_K<7dfJO=?2Q{66%I zn~p4=295cR8Z8*k%84Ut@(GCZkDgI+`Du!$9&Tf|o}|=Ev+hdfPw5 zYNsuZuuJ;-Eu=x57Ts&*|DRwFW8&HBUbxDID;{bjw(OX*oBuqSGPJ8xT6^$Y%W!!# z0|Hn3c4yCCtb4=dz*dB5@NV|6Q+B{)La1jp*vi^lVxG!D$&=i*e-c$caI`NZsM^iH z@s*?QQuCrBzwmeZ$2aH6z-~~*1t788{}k2Nphgb?^K|$ zC@qX3jK9c%Rz4AOVWCYye{^VL$#laK3&|e@OabcapC|=Lx&AYHnwTacdOs)?!qxsy z#IzWh*0HKUK*%0?NB#}vB&}iSQ_C`v>G)i?b9nb45lh57uRiCdQo$lC0pnc}R9H=l zwj1|=DzdVR^W%YOIl1KxcK1=U@6Q>NE$HD~b*#JYLpcGZ^S%ZomhlCDliO~&uyFJC zHq;RBhoM z0HGDEfS#76RbIAyE(3M3byY_HO& zt74vqsk*(|{*jT{z`U5Yr|X-4)gNZA`taa&A0PE!K%GT!g)Eo#v%roT{Q%*iy?9=3H~=l_`#Qy@*n9@ zWwEQ}dyuhI1CZS-`>yzlE1a6`TXJbE|r_;2eYDCUp<^!N9u}^ zMN*~HQ!uHG>7hm`E!b3bhvw%^Yh8#TVD#V*N1O@@HEO$NxipEiY61M}5IAhX3tFM% 
zj0m>=&!N%`Dirj&XmfufZFkG6pKMG_b~x_y0Q9|S5AzUK#t^cCb3TBAi@$IoX;}HM8=5S#>#Xw>a6M4O5AV5r1)Y%=yOfba2ZfftZqj z8uP@byF*&lZ6T*JLJ#+&#-%P@daB~lCP*!yCXl17pgK(>Vs2uPGsNY3t~lb|`yG)n zlP~tgx#joTf6p)99TWDx(#)zEyAYb92>FxHvW_I*?(FM%q(gn_%p{Dg^mpEi4;Mqh zDL6ncN0R;w&P6O&-6l^tbV(8aFdyM+>`O6O;e;!n$Iz{ypY?gr<_@#l?A z!^3EU)d2LNa&WQx_zQ=QO6ML5sQffEv?pSu2SP#0I$vXn#>!_%NQKSGMi;8PhMK1< zH3rJhFoxG|IqEzg?JFFlbTe27O1^aWzaPiq!#Q2?llE#V@=-{OntDR$<-nw`A0J>4 zpW9RQl27~A?k`oLdNlWfK@CZp19$Ugsm`-z4KX?``?Ic-TOaByG5d*ge+lO?40PqO zo@2q7Ck0h|UjI1%()_!Y%8E+L_-7NZrjw>qeuFH63hrH9uoK!topTz-S%f3XwG_e( ztJNK-G)J!;SXalk4182`XJ;NLW^B>Yd1$)hRJs}aF7;9P64$1C5nbh6TBvGXoul*% zHMfq_KJT;CY|F1<2w1BzH^dQLzRSjxW{wVj{MO0=#B=K16GFDs{4UCn*q_&N08R((2mPd081WDx zvFG&Zzm%SS{A=T{#f->zP8#gT1hfzGk(#$ePl*0|gWg_PbYfNW;wRHOj?!fO`Ac5M z#?spU(b+Yr5BDuc316A+D9vQu$WX=zx2f&C)=zh&@JL`5oXjmtWccF&8oYG0Mm!M% zkk{HA1Mc+WN4NAT?rcYwSlF;e#EGHpMzkPkPgaVeK=$$>k0m@auUDZgqt}za!atwu zALg#n=gnV20th0g1b#t9(!?@8hL*i`)v7eNh7hW0M3fX2GTq$|GaLq0Wee`RM0}X1 z9BEw7hs_LRH`+-$hr$hF87L3cg$vY~FCspfO?-=Va8A6*pQd@J91eX#I?63zV@fQEb$ zX>-doTi$Q8-O|VAIsI7Iy>o6lx!>ug7tt;+8&7C%cs!9D%R-#O3eAUkSGjVvp=_p{ zUdIFqUUO=#_bOK>+3OZ{6m+wGe{bR9pm3CnyoP?|WGM3J3bWGE0K?Mi`)`S=CB{2f zOgO(pH1`YEz$&oXcURBI{l;wUypS(_cN5h_;v;Y8lKD&F1(6>yuR|;pmXo==rGD=S zR8~oo4rovkh}TM23Xq!qC7d)>kw&JBTB(E`VxhCFDL7RUM=TFb7VrYx`sR{8v3(5< zOijNkv_~ubwWpplrkR4ILaHJNp)93!02)ytbTrRD%nFX&apE9`S3%{=W*ZDX&vjCUUWLQa3xW3(C0%_)14U1X7#U!Wm4 z=}{V9RP~T5-g4_i5fn*>-r-O!*suId`S>RFfEbitcM;m{-vvy%ajx-gYHMXwKqtp* zIi9%0=TzLaF$Dg&!{=?3k5{+&yMpqcf$A5QFj>#dz1MYDI-o0u*{|5zbp0)VH@cLX z--oq$kIF*bCcrG&GU$45P>YJgP8(-%y$O`{DG(zC(@Wc>f}0Y^%A94wt$?`7vd}+r zmdOxZAOsvDSALx;@`GsgCU-z)*0PCF;~TF zT76U~mq$>WO)nXqHD!3Z2ze#yu`dRJ7TY1b=l9=K#Uk@8c%10H2LwIDqNJdWK%=mmjTBy=wTcc$ELd}^q&VJ+zv zj2RZ5HZZM~-bIC*rO9dO{7O$gwvbzwmM=!fGx-K2bb`@UW@IdmjOI4@^gxd^mdeXb zv>ARr{tBQ8U=0B5T-$Wi*RxX@aJ8vL$HGR>D?)CLC8H+$%MZIwPUy4fgbnEhTME1$ zZ{_SzLi+Dr@_4juyEuvVyMBF?&m$R@KPu4&mJZTGOSaNlG|m|SnKIH-?2X9_u>ftA z3Lv)NMR77N31dr>kh5!>TiC< 
zsVTR+1t%vOS+ZG_zp>sYBy{MC4#t%%O|bL??TxkXS?<(*r6~Sc9|Jcgd;XLS0e_WW zD0DY!=2nYPVyRhtKK2G$$qkABPi_B-FSOK{XOCA$yqxbgRo_6az{>0JC1=$H>g_kz zh!VLjM{Dn&LcRXBn1skLa9cU<7>E#JDh$g3C3xslbgn*L`pX zk<%ytsMH|lh*qJ7iu+cq)BfV@HztPLou*&I-VQ~{NRKFG}}qinO% zWuvk{(y15{2qQi4#RCSr+dNGd1~xJ3jr#7XR!PQ6Y|xp@H=AgY^Gkp93G4a8TY8-$ z827vq{YP^TA03>vd_+i1SPZk`%jEHZj7BJnxC8C5wlr@mWmr`A?$@6C3#3RDk>~u; zIJ-!>Hjx72-Z22ArBW%=EOy4l{*FJ~J840CG#es#)<@0$uqtbuGVay@jsnr#dY@|vC0(jJl1`<5XhQ`wf zRU@Ezcsz0opKQgPfRPD@ezuciya>9yBr4 zrVUkX@;OvjAlO;ayO!PI5dyZLBi%gTts%QRPRGQ_z?-m-qIWGMZ7Ilp%uJg@#@{|X z24vku)-@G_iy~D91^EdFX9Dkeg3#KT%&@w`s6uLCt}p2mq|5LaQxLSoG~$1k_+R0< zhX|yQ)M$*PCxIDgQ0$5B$wh!Vl=xC)CO+G}3EFimK%#-Fyznbf3b1z`Phj8pWJH{7 za(v}(nw)o`FK%`?8LKQG4=kW&7N8_Mn_L3%_?(X`FUSi@Q>1IQ zugDVts4SU%1r_AdND=w5;wb2SI3P0Po(B8^uK1DO5ElB}5uHuPX}I4z52U=w86;mA zq4z8bQA>k>ZS>S}9wD(2o3*nW0f9M=qmo&qqm4D>=+&`Ak*SiqL-nQnMm2Jgf8!&cM(>4(SX&D4lv%2qxHLufMW`Kr&-FA11&-((B z@!%syvU{ob+sY3#5owaFE|$49Sog5;Zt)}Asxvs13X_F_l={)>Q2o&nZ{ zT9d$MustA87af6^aoqr8Q_;g@=6SouI23FjGk)oa!l)(ydm=&g0I$3-MpE@3ZK)OoQdaoH?x zrK2ZC?rXe!DFe0ds1;La?*nX&Hh$T(j-j=oc_0@xF+r%RzyV&$hJ)BuyO8iIo;fRQNuRRpV0zXfuYJsZ1A!Bd zme@RNa(S*!>D%^CIRmT`iMh=Ucdo0%W6D1?#r!_ZufeKVU|q|g3#w{xu}h^a!{o)f zVUg12&FCU__*3Bbrpv}*e4RCxE}nI4L|3Wo%jO*oLJ8Kb;kA(|E#ZgOij(&-%MpBK zbFIVXW?FeFdgq(o%}y>BLXsG+PX0fMuejbpoeKtml!+%8aSJ(9rs-4le!1bBi+xig z`C@$;t%JTr&C=-B^`%A<=QXq;|J;>@EsGkrytZdwUlM3NC;4$%QWUmTt>`tJ>(L_ZG6r@-u$;kgkAUP9Z< zdIq1I77%2+n^G0n7u4OjlkfDXicG<2&C+Xe<7Z>Q`_Xi(HO~=y%lK(zh$1eD=vSK- zxO>EQ!eiCC8iDq!m#{Jx)f8u}_w}ro%?XCrYBl!VI3R8wUrgwGYKXB2T-=Av=iTD= z%BIV{anS#?x_E%=81Eo=uM3x~T|IoVpU4JV&Nrd>nvJc?m^hQ={qKkOc0nYBA9XPy zvS39+luw=XmAH1S-d%%Tb)&F3D?+G!D(T0vFD|pVyK8<^qiF^9OG z4Ht%2j4ao0_uE}b3<%f8<`N2F&SuU#bgx?_dKQ6l`l$8PToBpMo4S!oM-OfdRU?w} z=Z+&kt_32u?(qN?9ej`~#m9iuH_4=l>c?wynFm;<=S)dvP9D|yb&f%>+G{RfE`cR= z9z55SKs)HG+I1e#1%C1bi2isxS=HU7ABq`b8cmpW%Put*rVdzbd4E%1$+;Ue!*bIl z@t&mvq(QMJvuKq{krsV^HK&TXO!$mK8EQ^hN>(qg=z!zJF(1_I)}WpC&wYI|xhb)e$%B@~vC?j2Qdvzf!nt_t 
znYYrkTm(K33@?L27~aYS5o|>4Z2l1gz%TbM;NRx^@Q&Ky;PMR^!grBfYWU~C(W%w& zmDbRJ1%%q_Na7#AtH9gpIT6?B_PL)y+nFJ3Xm3=qM`2=$*WFPO{#j^$8esH)26pt{ zL~&#%66v*<_oX*=|G?~8ouS@LE!Pt?p&uX^yW{kzV3Q&?c>Ujb|IfQ8%<=uxsyUz5 zJ1pdI7z zxnwz!Ek(&d@(mxp*$yCT6!ZdvhlVl{#WMt;;yF5#1BIRVqJdfwd-3Fap_h1zhT@NS zRb|aA>hXxm=Bkq_jsj$q1_}|09!A!5pN$kOE{Qx4cv*cRLyljkO?UZ6mQ+~0?Y?7q z_J?VUClK8E-KdEH@@@vS8&c8{Fz1kMfP*gPpzmEU&&5#4$&#UHkLNLmu^Fid9^X0@R|-_f)}^L3rOU|rsd9D?@W zm&e5-L<3+#HR&2c=GesDb8}+qdwyj4O06VvkOls7Yg76DE+_F}zEZ}Y^HSi~b@!2; z4$bIC<(gM-3a#(g>4g-f!bv7ue`~3yw(qR6HKo2qdfZJgvMDu7hkTNHl62H~PtxOTAafY+AGs`)T2aI}xI$wyBTuxg` z!6rrkwiwW8_=T*A&TIb`$-`MR{{dSl6c*pU#|Q3%XgMbJfXiA<{L5*TIF^Ad(o+H| zk!r?+!6(MQXxKK`88`*8v)y~*x-$?(Lq?vH_{K!T^CkJEi%*cI?8H*#H(LI8(zcku z<0q14JBte6u8dKB)N%YKvp&AH`pS(zj|M9h~e`0gQ(z=CWW0CoUcqr-$5; zApK}+>;F0G>1p)uAr(ibp~N9MVoAkJA!X35{olDYM{hzU5+iHLME>sGBq{2&V59*g z`T6ttZu_JoYoO_euC~zugBBs54pVo=;go^jSp9hyQbC$e35I9;u6<84bf%D?}s#*J1;4kRw*QZ-uKKqR=`NKnk`Px({9mLQiI}ZX!_N(Rnc7&;IDoR;%k{h#mZGO`N>6Ee+?5Z3!Kt z$4tkh35@}@jP$5VT&{*{=y2D1T72x^SvHc0b959o_>DfiyBh|02@DhA%`q*d)lQllpRw`Wh%{u^eq>-fd7Adf%t}53+P$ETpc{054)2w>_3(t^N-p?Z|7AYUI+F_`C z8^BQkjKVwh)cwCe2F##h1L+}$Z-vr-kkx66nm^Zx4TdVz_dD1|?9c_!0@2@q?59J4XQ5o)1UT-iQozh1Eeo!LE!HJ%!sRwK^{ZBow+iXz z{^)g18N@r>{sD#Pu9UJJNH6o*8y?Dv_AL}hm-58!LzuI5lfqog6ADXP8MU)ufmL}3 z&Kb9XG;<<>sE6McKzc~lO0KsQug@z<44)m0^pHNuiOp%o~o-kvjK>!;H%NJq;$sb=?}{UNC5HPI?;%Mxnw* zWa>eUnjTNV7fW(k!6D)8d6nr4+E%cyaG%Qme*9}Gg1}qa-h40}6dw}CzC|^?og8;Z|Ag_BJub*XPbWYA=B?eaWta>L9#xl;)CDt3aMmGOaKI@<~=qO%@`!i?ReS`L&-xnc*oH85lc64g7 zd7ZcVf%j!v?d7Oc|F3rpkCAdiU!FMh4gAy>9CR&Sizx3Tq(hr9sxK6z!xxGSEJM^~fQR|UN zGj#XY#7?{&;@+y|7tD@8K;({;jV%a{lRYDk5%^1Ms^o&^8Y zUD&J<8tM=V3gH=}-?IU_rVNop+3PoD^A#CwYmUYimLVets*C;x-L!W&VLka855J=_ zLLb^b)6MEc)6E(>hQK+*nUrIj2>6xHG{;ljSKI=>1?+;+YDQHF;kr%2WqT$Y+;Zma&q!Cd}DFwX|RJ| zq2Z46Aj*uE9lQ0^iF&_v?}IHdsY7$@UVBw!BZusP*f>&{NUS=uhwhmE5$L;TC=>1w z9t5B7TI`TT$zCwk#7EZLw>3~{RHTOE`3CXI1$NyYD6MmKLQv4gqCW8fVFj2muLuK7 z2reU*c&?mZQx5Ckx<~1o*B#{3{K!xQC1p)h=*g3DjZq4&tVoRgp{V?7Qb&Sj#N{xY 
z3&=~N`=MM3LEX)vVBRW{QLiivYhjRjwLA zna;}0+zmPPB8Lj7#i%fRZjOJI?@6>-=B^`V+>~c7=8OCWr zgSw)+$utdA1O1cfPLh~!m$L8*=-k#=h`0u8-Mz>D!|>#%K+VT;@jO%kSs`=9;X*Rx zuD#FqKpK%gGNh|*q)w(CMwKXon{?e(Y7tRLGCmA_97)mcUxht(R`ig|dmf)p!li`l zZs$Vf9~LQKn&zmo#9 z^HhL`PoaP-(lQ4N6}`!AsNW*T9moqTJ212~+8))IapcA^jK^*wdP@cR@TQXpcfcti z?2A{gvkA$BOdJIX%d|-eG3`Ha(XlxBj)p`7Rn$$mZg8DBQ*GgFrrN}Hn0=>)IehqE zrA6$=ek`hwj0*5<)n4?Qfm%Bnp*qy|#|l^S5=O|%?}nT_q15tS3^MbVuqzWI!dIWAY(^gF zJpk6?;GWa=guZkq68w3@KA?#092`&(*#=FI-OzW+icA>L_LywoFoBsp1BXe0^IX2} z;7=UBQoc2BmLG)><;{ZD{?KM^4mYS(HgAJ3M+RkBc2y?GRX#v??c?Vl`Vb;Ln=lo9 zjoxFsC^sgy{&k9){Mz-%a{{~V_d_m12!Ir~m5n#sQU^y?>Oq_4DvTFWhIv6vy&R~@ ztSx8pe0+uD-@ui&=ri`ma#>Q0vyZGD<)R}K(QgUhHl)4L{X+?E)fs3RF+SFNq?ctOI8fc;?^v0Dcfzog0kK_Kuqz6BBhL1rDDk% zkvGDN>c%s?_Ctn#S5vsrh05NEjQvaqJN8KpbAhUcmO?9DW6-@GHkG&>^*2~ao`T?240H4o-#0|I( zrENaGW_fF~YY+G6oZ4%v%5A42n#Qb>n8Ov

4kddaa4>eHLM>US~z}#%fG=S(FJ1 zOXsiRk9%r#d7@TJ))nd2XCC`a-cZ4)JLUfV#Ar&u5Ds6!jSov3k{w0xD4%Jn^0(8( zD_HETkj{Bn4zd)q0I_9#Js!%eG=V2YMpI!m4xd7``af6Njfo>+gx150)WVmf4km4j z0unL~KA2_?t3)w^hr6}!;fRAzIG~Rg86H4Ia1wWHjv9~N4XF|~h6V#s1G1y7&fP-^ z*}BGaf+WfE>RC6V9Cu{z52mWZd=CVg?Dn;mxp*Z1Ak02s|Jcp?+m3iMOVlt~AuQAL zSiiBDIfNUA|GD!3S-odBaqi>i#5IqQjKM{^@oO8|w)eZkkPCiHft-Wl_if3C>c#h) zv_6mg8k(%e%G*1QJAhUmbitlbi{T1MHot?xDYU+Q3Vo{ZBk}h?Ui>6C5$u}y1XC4) zVX6Z1ywChd5+y>s^z!tDg5O`9OaHcW0VuSfq(iZp2H!1FZZNB=8*g*Pfon4j8_&u^t%u?Zm=!RB#U}CKKIarfh2U8*<7HK>02Zt`r^MTa9j!q|&; zw5`371bLNA7ToJ}aiRzQH}`100;`1A%(!Hp{UYPCtS$$CaT(*}ddi(F!yhcot#5s< z;9eh^;6)~EKqHdZq9Z-(^K3E9&+PUoXs>*UB+i1;Iq2`D+=}H0`p1q@t zowF?{Gl{z|{*B@w0|{I(6eWq*tbC!gK|kVNv)QdN2K>l$KZWH4{Y2_P>+6L4L06*D znE1X&h_?ROVX~GkD{wY#IVQ^zo(wDcO;~DJo}v^vG3OF(H6<$X_Ky@LQ9=s9=$6#cokfuI@SqE1%iZ_ljxJhN!^t4+MTXG z2Qr?|x-OvddqMJ*A5L4o542O6|3N=eF=KN6L~2`1Lxa$MKo{< z)~*-r$$S)_JXC{P-$XHKAmG-FiVn+XH4aX4c@S|uIH2#y_|;HIB1|$_)KsFjo-5kV zlYtqqRHQ+^A3MKl?}A;wV*Rmu*+Xk3NFwu1wPe!_p2sixM)N0o8GM7#90sA(zr@-% zd7R&C(3<_Qhsx7wdTen0Vl&>weVa^OIaj1{AiTqYqYOVd_Dg-ScBul>UErQI9&23v zT3K0TVmUs>N#<73bgRq7YuTFVXb!XFK!%pK`q!clRc*Y191diRN@cNrN&`lX65j8L zzS=CaoSMzO07g?ge9nba0T!F5V57GQGds?1+N17xLX~jf&N*%6|SAlGQ2RM;$th@wL@oePaO?C#L$?E8qB`r z^ra`5U2AJNz=*MFX{)AZ-6Y@KD6_3`dc$erbY@Fqq;t$$w;924w@fH5dv9P|FRdU; zkteJ&k~zrPzkq!kyWmgC^G-QbgLlqco@_Ps>eD-c%3~~Qa`)#F23_N1DU8#vt0z8x zD3)c%8<`OmCgeSa6bYilxa0S(>riCHH+IpzBRuOL-@#X6^4>Eog*%sl*IfV;m zwXS%6t9Mv4YT=?^xR4RN=|`&zL?yqZV6uvsanEzNa6(*tN`@&hrqK%|TS>*EVXWIY z3Ci7e0jggcrIXjIU#*;6P0n#GN_3E#9Q~PXEHkk>-c0GN@r$Z7b@)OCduC@`e>7IqHm2q)~maw`JUf3PuHW>&8yiW)22zf#;tI8fG$;! 
zhHe|OK<>GOkAevVyRZv4bNav(O}*6AdZH5@J$CF;3EhM{L#mBI%?!=(X0$_u@YMZ- zzNeADi(;h4Wb0K~d+?@uxObBLb#TFEe+y%;iH_A88>F|F8-d5;gov9giRJ}h0fl0i zm@~R>P}|%)+^Z150PZHj}$JWJpYftSQ*Q(2!aT~B>ObBfYXPOgTsmTv@Z`%Ds^Mo)K@AF-cHa^vXsEwJS?Lg#b@|;+&piOQQcjXw|`;Ocf=g+;j z?f0`Wgwwdw{x9yEMf) z9*9sbx#$^AWGwb2!#1QH2qhV=V;V&@^TFLZhw{eo3pjIUOX1x&hT5Sj>4yd1QLODA z*6<3px%5|HCjdD_l>eH8Lpfz9Zw{yN+pe?SayIW$%oXO^lWk+_w<1=`9#>(V51_71 z6m$>ezvsv*Bi=Ue`RO)s_VPmEJ?XQWb!84!2Iw=2luZ<3OMyurN|@f}E)y-f5`FSH(p$S6&elg*BJ^P4{&odmdY{erVkV>EGzQLVnR`wBzi>`Gb4A}+W z3QBXPf|Jp(l3_0fgNjx&;W3Uz4d`DOel_+z+xTv$_gC@zqR7o6jNY^De7TtQBfrK} zpyC7N)OUJF3yvK$tXrj0G?s$B@vd61UdFFz7U|g_-y;?6gPh;k4~V%;OiXmqYz^ji z1V@Gxs|3KNE7A>(!7rXgIvaDWY$FmFiIGFYY5hvKmk;?Lg571rBo8TS2~4vvXn41L zzbORuitu?;MX}T5vb|mt91b$dZfl)n`slz6e_3Xl8>V9_9IWufoB0f8D=L)YP_!Ce ztFC}r@48>TC2~8W*w5cIP=*e+;+yo@)a2rcnc|EJRx?%VOI>wl(fUXDFYSUp#u@o( z>s1=mc3wPlSv0Sj+iEd}bL|)L;r_ncUp$2SSC*4Ex6%ZD&aTK9yqo-Cl{Xz+QY67A zFXXXpaP7lCo(kK)F&>uZtvA;#i5(LOloyaF!qe7byOo4}BtyPjAAP31+N6mhCEv~c z??x0UVdeC_K{VW2tDm#;_hYb)fojg#zoA;2LL59p+;it=_=Ab{1)g>z$ z$UrvFPj`r7_|#XlZ2eBdx?WY@y`7zZa5?@*6f2ysJX#L;U1*`{>$67756 z?gjUT5b#xDzFxcmQy`k$$H2&J{=LXn;3X)n%$sg=xlQP#pP^8B4l(0H)#~0n(>3qA zqZxH@Hh8l)PLutojv0FJz1mz#>*f+!aJXnkmW1!lgFPF-nK{`bwKMHlsBVVYed|ZO zxY7UFo+)bnV~1YNBJ8#V_gY_chKpR~!hOAY72ta$sNEFj3b`Nru!l!R;v-|znzBY+kK>B7!xoTCvPF@@2sjZrnjW36cM8ZODQyN~SI!N~r^lFa3#6<4o&O#3aVwmT;) zJ@bmeK-hhWJh=C3qKjH?P zXO+Ay)*;wZ?x3}G3;XsE+P2xY_;rLw=3p#6ZV`1UGddL`Mc9mD z57wOhMm^EMnNs}{i?`90#9kmRohA8`<_Z`+wvp!N01Xj0NAlPoNp-L+dL6Z--Hnx8ld1_aBvwfh z0;&UNR0yj9B%|bO@&@lv{@c5=Lzq;*fyJU=O$D2P%B`34-zV+D;oMOE?R&dZXEQ)X zW7miM5Ui=?8Zu}*o3ygTnuTmnpg~Kkeb9Uo1fVa*wTiUrz~412w+PUgDi-(=a zjc^LXVybSfO($dD7ThaHU2Eo{{{W)1-6dNBZ9)4h z#+{{rEmMTpltk_6)UowpJ&Y>&Et8aj0>{ahG=vb39ZR zP1#)*2-W%M*k@H-$4xB*RtY4S7{@r*bY1 z5!|WHo(=VdB;NmQApRs0HeGrP^Yq;DBtvaUgsG1Te(qz-dfk>0bBef}kJ!goWZ!oQ z*%)0bd}0y(raW6ZAZAAn?dJ9%i||{NBX1i;LFM~ub!$w5ooLYKQaI@>Wen$@H5A)^ zh9LElCE~%pin`xDt+%wZgOFzWk09=O6RvDfnDijzldcu|!eAjpJ$xH!Yz6RME>pD> 
z*!aYZ?=2pVn~_$eTAFGw15LqwjfwU3dBSO}FZz;I8grE`xr8(Mbq(CAWGiF+49-!@U;{;)Ua z!fUK*;?tI1r(@`Eu7300~lZcfC!x9&5+hjlA z=7?FKBgzb<*8UFakCB3@&=;N5=^Y#wOZ4;zy;T#7Lpvf4XIqp{y9 z2!T$R!%I%u*m#C-ktLzU5YIL=Iva;GS%tZ}D)uwNg+B#$g9l9KEN}|`_oJ-`tj?Fw z(X+RR4%ww2TSVKkjetB5W3NlTS6b$k|1Q}4x}m||SN;HJ@3ui$Iw;by;&Khj*qLE&S~FRs%<$8t+?t2MT|Z;r(bZ;-s+s+^%uef z8|S+837;_S*-z6$D85C2G# zBM9eW2mxF)SDWp-2^(=%m8%Dzp#`hp)b-C0E+Ekv*3`k!%VVQ&tH8XT-hGzf;ofn? zhX;u%unb8Fgq=`(@8}k{-Dxbtd7EFa&rU4KzH9caY5uH9U5Slx%eh^zJI_x?E_pO! z09&>BgKCLo+F~|CXLd8G>X#Y1SHsv><1t;D)%MbcrpLEiWDXd7!F*~`r!{)>J)Yd& zQLAop6AuBj2U!!l8t<*loJly%% z*SRpJzxcVb^>6Kln^NS!R|0(WV+R{y>2DSp@LfX&(RzAC^iK6$%e+us@ zlAOoV7?-epoX#z@D^${Yo}YzPiY=>BYnioJ2tHkNJ8u;IILmQ5jGcsS99`k1Q95a@ zHvOECCm!&$7RJ$-W+oR)s_EGVWmb-{WI%{7$5b=|R+o`=Hxa?oYZVL(o{QLRv2V7{ z7D)zfZtYA>%>**ixh%7m#1$Ek57e)DEo)3HdaB_z|;C^ShIx-GbKkIhC8$>`SzK z1RV-77ma+U*xWpM`DZ+3xnDsCQ7D-M#B5ybfV0qCp7hc)ZoWc#C!EXkg;E;+P~T6K z;ah9dVIT1tX1mTGH1%>cuFjdk8-`BNo3wR3?t1*Cj71>z(T_*Cwzx<^qYw7!q^~wt zB5LM&*P@xUgg56mAuk?USn0rSQ->6FlJ!?8j5Y@CmdayK1~X%mQDE7CJdv2 zpoK_`g^o`9@6VHdhnQJtk4=8-dd*hAjdxRd!lZ|*y<0;2i(w8)m|?z}LKtMBwvA#(@%PCi*h_C-t?Qt>Qld$cDW3KFcAvI}aDvrK4FaKl2U)B`+uE8p};ZH$_W1(np ztJI_Rd+>nRNNcy6y?%l>=ZP^L>Jk~mLTx=NG1-7E>Av`Lo9~2{WgPai+~E5IxHc@i zKwby;9GwLZ-7(2qvqL3X$j_fa`n@9MNQP5WI2@A)tx8qC1%oUFbK~fDk20>hUZI?f z4PATkd>NZGi7l|QXk#}Z9H3}4-qXh;)3B_Fe%b0Ag(Ts-oT@*xK8C`krvIMWN; zF%y%~2ltkiWif{&xdslhqo?}JQ*@M#j?3EL9RQ8YeX) zQx?gdz)q;XEz|67*(i?|+I4R@JXV*9`#{0xWzU6af%?z3)~g|*gZ2rbPZ<-awJzp% zEO9p|2UPUf<%inz^01FYe^JE+c;+i@|0-jYTI&}=c9ywubt3*}PoBgMjQ~rrSrD+J z{vCxeJ#l9Vm!&h{aNaGO$x4X72r5o1z^-e~T3}`@*iS7@{`!bF*V({+3RAD4BxDpp ze+u&9`sPFIqx1JJKYzIQp?#9}$*e^B`5-1wb@Y_0tnf?r;NCK$0VA}kj57}@+sL1- zbp2yIjM zv58izU$`~hk{Rl9Kg_kVE6AFgj?BB0vWuut=8G2}y+EjAl;`37r_>=C^Hg8jEK^~t z(DQ_Xq-Cjwp3wy}!#^t6$KUSh8l@P{kgtUkPy5{Q=CJtKAXcg$kRBaI1u8}mB$aWm z8vb;`%U>&NGCUHj4==ajm$KoN{S77s5cpWoAMg8r1wE|HUE-Zl%&s?3AB~Fy zS28txs|EcE>W1_8{Ia59EZAgqhdjf6mj3fERzD~ZjTFVu@^7?n_NXpp9qh21Axq`Uf 
z1nxbpM+M3W$ZLy^+bT%+GKnwO`VyR*;Bofr9cfeNEpj>r`KI}CIm0Xhd9~d1M^}mJ z0wUjk_>OyTubtn4%Q1MZRvnL=CY1{D!SnLY`#>wd7w;o{)$nyzSG09TZNit@0QF)o33-x zv1bZ3Yc~{s!$6vNDdUiqJWG#@V!)|9;`McJ&-lJtdDOrW7k;gaQZMa{W5J}8Qhe!<> z#f{f$tjDvs=~(Ax_+KL`QWqnB$;KBmU1m?gE(-vfaXyg-pb-tNlMK2&;`^v$^d zJ7VB{-A2t^cCjE>^U`13JN7Eh(%c)!6RTTdK4j z5u6Rf#$Uag;u>v8dvp_9d=>desKCByotC?NvY$%E)3DjicD#+8pztb6`a2b2b3aRw zzv3CTN1vdo-@rHPYq*9k{I96IVs=o`s2h06zAq}LY(GS;n$4sZbs!Ei)9vG=NocGY z=`?SB*;hr-taf-L5>UWLk~3)%`4#2)*B4wBwao^&QOWJnP zpqYy!r#PL+YO0GjAE~ys%g0IeV?m~P^}5PffMz`N|CG$E%p?@Dg@77(QjU52{>O0U zSN!e=8Y=CApAczq#(~#OHT?>Dp|f!fG0=;gFFS)h#16)aG;B2SRGFtg;VvC4g9w{w zTORpP?K$7aXq-^a^{g&MP{V~_RDy4iNC1L`9E`5%Z7 z1Xwn@_X==l&mk2ed-A)b(#v~?iSw0!-L-|}VQ zGcraCJ~GmmI+DOK-tFvGvj`T5ueK9PI2Xd8rPj22SJ@r(T?T2@M4?PQ_r$z90bKi+ z8H+asA$|0P@0Yn7;IRAc*dC8Lsj1g#w}SVQq}$c9R+%4gWJSCTSS!vyl9H=UqCT3Y zxrHm&z`w}Wi~B4YQJT1a8%su~O(8*)*wh|_jN&w9;FFhRv-ImRo$Jd&eADc3d&H9> zK^Y02YYo7&7LkO*v=3xW`VYVhARa9G%US6P@L;yK%>s1f%$c=18NKZhYz1Q9lQzdL zGSePI089A1q1e|PB|rd&uR<`ESU99^W?RnsDMrNz9jN5ZprvUJMt@A4rHe1--~%+UqPbDj%!d zQ5f3NIhh4+GH_swlaAapxp3tmi)~9$$H^7mxAGgrMrQ-0pWV8n; zqGYt*mbr9{z1^uXI(4XS=~-V*u#K)!*qBpDgl`a~wy#CQ%~MOn(;)IY)vxk5{3eJ& zKbT3H)VT!H19d%?Co@=w63Pu&-T56l(@LzX_8r-|{XITK5zi+-V}X%@Kn#rJ5tDr> zv9w%V?H97~{X@ODMGR|^rEzA8CCm4P&wog@PA=s!i$h&%13Ns$B62OHrnGmQhiU#+ zSsc-*>W}Tq-zgsWej$(BWe#pjI;1zWjL=sCm2aMDm$t0R=>Q>5Mj}T|?ZYoBrGx?4 z>)>9)A*8DR8E##t+jAuJ{v!(p5N=%>gK*N)vXm(md>W4|1&;FQszzOn^>%$NMEnpi z856ZjA;z}!=ISWNbVo=Pa#<{VYWJfZ#r6OtS6K;3EzpNU{rs~>1(MtF<=~POvmAxv z#lH96&4w@y9BQUxvb$nS)&g73`>hwkSjT@Poja@C6p^3ib`6L^QHr6<6AEA_8MGXW zKp{^l?JMMFGiD>bPstV5zydey(wNeI!`~x3@n2b&^{t>t?X5s0C`Y?gS zZbNcc9b1A3u8gR-)o=cf;!^zrmPGnk`rY%ckof6{Ogl(J=t&HcCGPCsIe~q?XMvbg zc%Js#y~+=XQNfa_Kse%dtM6jodyv_)W4b12)jPDSd~#D8R>qlz{X9KpE_+PsIR)|Q ztd3#PCn@Yd(^O;)q7ag5{lTXiwba@U$l6q8pReM1;hF!@>gp5siTQ=+r-w7Cx$m_O zyarcV8`uyaY_?o`oW1Jz9fpoE(YW}^ir`+zAq)`<^^P?wPb{$G){i<8>-*0Qh1|O2 z;6xi`o=<0Wr*L32z8FHI`ahnbCNt@No0WQF(OI4M)FOO?6?Z#!(hVa`9m9M-af1WR 
zM;sA2P(@fYkyZgieR|JxDBkg?V{0gOT}YUebm{|ERl?mhERns*i{Y~H(9-8b{`#^z zNb=k^oXJvlKd?jOsYQDh-L5h7sVSa{Td=zFBfb8l}fD!(dKA>Mc@D0<%IXoTJ8|f>4^A2?Bm;tM&d7p$VINV2H|1{Y8<9%f`R~vk z%msENG4j8oa>OeIw}WpWdN9n=I-Uwi4T$bKbdMrJC7iG}ip`DM2-bW@@OOI|g^f2j zSJuR3w0ww~MoA40Xqmk$Yzjh9+|qs0kmV>9{*!B!>H1D4kFsd^m5kvZP3jPXy@Zsf zj4Nv;wC1?GvbS|KJ-X#z2}j9mipgzzccyxbzt~W3qDV4kPH?_LMK|LvIA!E>T-u74t|3(A zo|<&7l#hvHJq3kJlO&Jik(!rSN5uW%euJQbKEiragO@VBO@34I;b2NYv1;hKKgU(I_SvCg1xVz>eTgr|CBAQ}0w=%wl%B?L z_GeLR(R0(WXLyY@t32&w0Ta%)3i{dH*l~aPuGukfl7hS)E@Ik0`2Gd6mCcxKFORa) zQ!mCz{dsA#)r--s)5M5wTjQT$<2B4c(l3I24DG$EM0cXTFU$1-4DjF8ulO9grjxC+ z5>>&V86F029~@XpqDf3p*_q<++LkxSN=V;AVxuMsW7T%qt6x;oD3N%b*kbuFYLpNu z-5^4#a%jHI<0YqO(UMTc5=XN4bI#l?g|yedW^P*(A7pD#h|%R*~t3*Lwl$`T-JDMP*%B}oBhPJ#77DG}P^ z8Co9s?D~0h_QyT9;7vdbO)GqoOygyb;CfWDc7)0Hect`O?A`N|@>F#E)sm3AoiS#+ z&m9UZ`RK?QvioRDKd<*D8_vDfqpWMBK(g0q@nB5=IaqS3;ShKu*G}jtt%d|zTsX0{ z+Q%?-AhO{^W=D1rQi;V&|TpwKT8nMocjg)bX_dsIeJb zgxPe?1okc8x9-&1rlIp#BzpmX63J*QL6C@skf^ig_S0czbNe4hMva?&Qs<}LZ)-(V znxpCOD=4W`cM3fZn@yhQTRj2ADAd9I;IZ3(G_bWDzSk`kc%;Tdc%`emgQtgo*j5K_ zsN7H`XkkadPv~E`V>^z(R#y%;(w@8osgk?PX02cR6qu(3(<^lV1kIXYWXNi+#rY?U zZcOJp^`vHS)+5lN&3BhfBgkX`OAZ@WCF;xKzx!GkJB9n{FecGiMj}7;T!5e|AqP3v zX@<|vSL_efyi}mxFejb*+w|KzJAmzHm86>Lb_rud!W(+)O?kQr59TT78f(d8uiU`S z5myPJmNF4&Y-7Ecp4HR%lZ1;BkYj+A$tza*0OEP$;%47=B;&fKHTs&j4L}^Gzv_}V z0qsl|OKyQ;J@{1j?S<3+OIFFdFH$SU{nmTlWmL6toZLA`MrmWTyzyjuD)0yi({^}H zIFtI6$JoCrVy5wB6#MvUfg)ZTIrg8REBEr_M-+C}zE>r8VtSU!0d{UE7VR-dqmd_F zI*bGju1mWB!G*s-hhKZd2+%9Q%g8@4G2VKt;Ah;En-7>w@L#=0XqNj5!a0++v2?WRP!0F@F7KD3Ed~?@rmRqWi*UeNF)Etv3Nb*F|lE zAu7mH#M9yelzgV!B!Y5`{Wb-xl%IB{9;?d4F4&FKMv!Vvf!{K`UvnOmSb^C6|)JI7X2&pkDNVjDgyC~sx#J2_Bu^oq~KM9O_>_L?zOTY?84eqMmiy6$@u zn~L{9;>TS9DxVW6#tR7`oa9pchQEY@$LFS%zjn9ucOL(2H%9@XNe?NE2%VUt{ zr*ON5`L0%Y6m|`ZCS=GGsJd0ud1i0GDM z%(5>L>gy=A|{+D9wo`!70y$J$PZ58)WHhz3n;bw)nP8q81#W(hyp|Lcfm;OOLx_oLWO6UBT48^zhZRyc`V>u@paaOgx zp@pb7%=>|KLFZMP{L&{cAy{h_z@SN^!gcW`4NKYKLaf6WIhwVA=3S8gBeNM$o-Is+Sz 
z1lwXV`@tLbJl1c;TVt;`hG%?D|AlqDoI&PAVpm&KugGfK0=)t`kXucD zPpP=zv)2x%(85h;{$Try62oqZNJw8m+IFMHPrKr)QgW_Xi}3yrUNwGf$89;d zE2fzMekJ<8AXrwl4 zq&(`T#pNU!UKjeTcFQ9x_Pb}IhsU3?Q5&eqBWb)DzZ0ezjq!TM{n)XxQJ^DsFxG+W z)g~m5yi?1NWnjC@3e8p8_`)M>D<}PkUhm94VRY`fK;FZ_#ye7q_RXX?8#cfI=vHSt zA%Oswc4oDhqbKDv=Aqgrj55H=*b%u0wnH8j9cwfI{7ET7{&nLlsMp!`)QoG=kq0Tct+m7n0+?K_I_GfoC`nnY+VJRjl*bkA1% z8^2M*U{k|CWhztAtVzPQz4P|keQYBISGywycRm#^f2S8-U5O~2Z5hlc9Ub#)dOlt$ z_-LSDTMnrzRQl9dzqZ-sBD}pKr^9bt(Df;ucDckVL|(CMY&26<YM91UY9(OED_je+! zGH?k_g>84*e_6H)1vtHyuei|JxD1?0m~T+KkB&;PC;=#!ri6{RH39w(_Cj34_qHcS z5WSfqZ59+3cV~o>8%k6>L|!a5YKWCP?vvGtL`RPGBfv zM7FSU@VMB&HI^Gps)PGPx#}UJP#)Tjcf3GPI%Q`+swXoM=k~U2bN1akUFnLPG?7XC ztxkwtdIzAIN$ZmuDUj(i?Ln=bdyqBrPvrmvX=%ABzu^sop(FkGn2KcJP!zM6lW}k$K-7PFIGpK= z);)Abq@ri(xEDigait>*-QM}3_s@^=chmJ&K46ob7SnRlbhjjmxdhL@Vz`V%8<7>9 zRS;(Y^l_~~sC*A&@m;GQ_V{x;X?D`BotrfgIJKW&(`4!&IG2QVtzLD3)Keln8zB%Q zoQ7Y~KS$OWvEL9+lB{~60z=B%h7TKB`jm{n2`1{NWIU#vx zhYd)s03c=j`}J|@GMW9oj0@SRCNCq`WT4zQx<1VOJUFSV8hm(|a{ROLymOc#5?%w< zg)LS=mdjZKvfUYki3P$T*kuorXIyoDi@e^vvEkf?rds6>JKjrI|BJUo*cHaVJH|_k z#2Fjdeey<<3u2WD>p8W!@S}x%L*^D;oPa}L$7h!P?XTFfnC<^{LO^+d+4}yM{K3ch zV{h*^^#(Ub3p-aCMuuo$VG9AQJv+lM(J}9q+j6o;xHS$$&lo95sBm3l`it;^BzKP$ zMk{BpCS19^OAi5c^#s5oH<-%=&GwIPLWQ>an zkzf9nC;*D9`T)U`^qpGm61XaQHXkZm0wJ3I@I`|Cwo=jbdXkk|a(ojpC2T|?DX0Jg z!Y%`_kB!#=0NMmXtl;p5Kcidc{ZV_B7WblREM`*WCsM!gj5-k`hn&480#risb~^XJ z@Z=<9G4Uk`16}SuVkdh$3g8W{f!(mNx4^ARM~%JhISy%d+2b@KCI@P-)PDtg<=>Rm zmp2sw+duH7ccpD2LR~1~w(&EqIIgxe-c7 zZTDWsJ<)KcN9OY5A4y-i1^3>&3J5}wL;3l8!8z8+HFgQ7AtOK>lC&i->WvXe$hlPK z^W^;?kLma`TKHO4LTOJp@4Cn6fk8zIIudKV$3>j3KE?bW}39hk)Azsnc~3EfI! 
z3K41mc7aHt(o~+&ivtU3DVlQ+k$4vnvazv9>nVll_IcXN;IBA7$e0GlEp8xZ~`#r3nHk5)vf4xRj6_mG$oo!IcN z==d0NPaLc)EBwH8Og+$Xu;Qx*(Ejr5|18OKVC+q))W$1<{vDo3(+;TD_$Uy6>Ccw@ z@?DEp46(_-#?BPHIC`IYrz}dl3Rk1{Mg5bSbUf0k>zV)i*%OI@6YlBrtFMdzK>r`c zY-bU5Q$p52rz4ddUZ}To@$Q{L(eu8@5M0zL`F*<*e$Jz9R!m;}s}bwRgqlj>z=Xpk z)aQN?c$z3`L`lM#u8kwELG@%Yk)vzZwSr2I{#!jp=)i9X1Uw@63vevhVo8?&B{+va zLxyAMmW>~MRpAH%#^=zfWd@WM6m7M&o@9*eZ707g>u>Wp={C^iO8vusLxuK+>Xz?E z<3Lw`SJlPZt9bfW=e#O+ymkfwKtsaeD~geJ!JO^ii#BM z$|c7#_E7#Jud~*F5zL9z?yR42rVxX@3+%I``vt%$iSisP5nH9%=2QeQ9T#J+gmq~; zvHykTH|!7dkVGwyvBLwoaA?59fxL>g=F0x_^rH*kHwWJmgI5T)S9UE;-~A4Ca}(-% z^uWZg*QvaKzs7Jo#=;gdvcK;ofE}thEC!1*j3;g9X>hhaD1TL&wYN22yqxke70sV0 z_#ziL3l6JO1-MqntP=l|JMNutxe2oeB_@1Np)E4(6N}gdbKz%e6?!~vs*ncPi~5O! zfh^kmIX~C3tmD{L&6oWvb(agKAyM!g3KwRdF>EXtW?!{yXFqFA8g1;knfjy`mi*XT zymRz6tL7Wom&;Wpsq+5F2y+WWPWye+iJv$-y?RPCf@<&z;B<0mbGk!rL1f?QE7m{E zT>wQ&B#UNuQL5BY4xSeM7EiqOTajn^dm5ezKa!|Hq4d8D4|zJh=^I@ZILhB?IzawT zaU_#tj~Nwq5^OxiODW(O!0n#!f;;qlb4ShL?$v_BH+p1?tDR1(<1Pz;@`s$dM)jFf z=x5-yly{fJcoh#LX}d(-Ct;-$#$@l1#6kQOy}m$$aZHTPq(^#@lmE@3Mf!202hcHu zcecuKBJ2eK)C{qNBnUF)m2N3-9h0VW~QqKV!IS)_TNjb(PgsT)KdVbFRxt3T7iE6 z*ktqIULwT7Fy~LxD%bCM8hGjT6U;GVm>0M~OO@xXfK^2N<`Qt$v|s-_RiE}QljA0i z(1i}XEzd}Wfw^{6X)omNEO#u{-tpl@DKkB$Gf$%pudQMACDq<-o4P1Uv|A;t~H4OEpD(7KMd1EQ#>C0I*=Y zc^(&XZ3cvAUX)XtQQKw=Jl5R;e^~VNl`LgQoKv&5gX7661Su*A^x~AfOI^C=G2?oM z^cZj%ue7KOIPUI9Kxs@kJ|C_T4`xV0t(6yPc}3I-Dn?TMuelNC0VYDPpT9>3t6m{} zjZLRt?PQY$_L%n^h~$r95=KYs@oV1nE%5A)-pZjZeOt1tAA9ZA1=`Qf`ps^OSOW)h zGQQrk7NWdK^;=&N#sic3_=Nz3f_3vm%^~xqO6Dk=j)0;VIvMKpVHUl`9pc(`T=hiP zW~<@vU*PxT@N)PCfDMS*b;q|nl|cq8 zcD;P03N!DttBrTo1yhkMsEjlgWfet;XR>L+Aw`qM2Dtgcsyx1$Dj-umjt_x0%gqheg}Eh_*+NU zd!=9+bA6C)*vcV1+v+s^nVxaVig)AE?Xr4`MEWCGmcm*zCyxJI-RpzLsomVG~#p1nhXzq^1g4Kx7Vn ze&TJ#>PGv|=+A@sTm0MRVy?_A*KaBO_|i#fgk*?-T#D1~AFHZQn2XV)pc?65lWvJA6-+e*=DTm= zSro3^f2U9MtDZ6cIk3(S$_ zg|4nt_fZkg)S}xrJPw5kn0buJ9pikv0GC1-ErnP9+FAt;Cuk3`1VoQlhcqXT>tTjX zxc`gH&LjyW380N`6<)sx_Hyi>q+9y_>G+Z(wzdl;4~mHbo6kkuZ8x2F7_lqL-{SC5 
zE|ak)INtd$wF4vUmCP)=_Fs_v6GnBXO}yiLqXRMrDFDVGv;*X{da$7Uc$5Kcjfcxo zn_WSMNT2d>Ia!7d&9zs)e4=NwBk{$FP*!Oo&I8}|i%{#MQN^{zM1F`B zjdyVq!>$wZM#L=tQdQI=PW&aIbAToy_k-Eqz#gSExj(Jye!OKPsw@CXtpD~P+Dd-6 zgsQvgdxI5&X*e&-C|ZpcH@&1@eaJLkC%i3?6YUsciLk9cco3%T@!BIF+J3Yy#*37b z0ka1)n+r?tzL6h6ijsKK9+Lt(4-s~RO{xsDLcX5{8H7e+DWq&J9M`4CAA;`@mJ?A4 zLIlJPZo{L16O{{o%-Mz!;2+BlX=3=t`dJe9j@Va+FFFkHH}%K`S%eb=JFOCuWN|>r z`8RyXpsg27&8PwXPOQMvXh9@RTiO%j`H36IR*E62c$|Fl6Y~Ov`fqBe#wBH1BxmLH z*x-?gs5#!}8Q}X+8%*_I=+(Z%6tDb>T# zd?kQO z&9TTPxhN9nnwZJ$Mp7YJ?}Z*Cgwyt3Ef|#osk0WAi?74Wu7`Pp(1Lbnc`c`;A2=G2 z?Dd322F!1>ZKC5IXVs#ViP&4kff@t+Sskc^2uIbS00KoW<5j{l+=T1Q6RSWv#>{sWSpWNj12Hu{+EiO+*#?0pAiP8LcvntG$MD&d-3)zyj^^Z0d^211(8LDa> zzHTLTr$7V>FY!9r&~!K72YmvOE3-B)Ne^U>#ujUQ^5wudSxhev!7kWTVA6hzN7z`f zFr^vuckd7X6^OyP!-@`{k5tU3lTQ{hA!oJ1T>b+;G)OMqy71?SeDlGFcfC!l0b|mu zeq{Pmf!X($0|yY2*#LM3 z=jQQ18!a1duzM#ei@3f9N4dpP20~t|gLHJ^pW8YI^d`eioQu zrYF)G+{^S2&p6!((zC}1LxhpX3Byyulm|nRo|V)a_X21jn@vr$4Z({C@vo0r31=;{ z45m_`(*K8~%Y(cdII%|w1Bj#ogGrAyKKs!kd&K6($PSpO4~N`89s({6&=oK*;m^@DjQ7RR?HP-){*B$HIkD_{#kCU+rh+y z7%L`m9Sb<4$e97B1qkjvnr{iAqSqX06r?4B$fp#eV-l);zI z!*M!W!V~jW?U)r7dI4gxM`22>W;%ermYD`$9zt3Xd)Gp8))C-7!XfH9DYzfPF-O$a zx^XLnA!gU-o%`kt2%Fy@lnt&j5L#okK(d?$qHW%lYY4DdBYbs9A5W$Fhr#_*O!?Zg zVqyWGlZ6plAEF~Bhm@ETMk|L%j)0jA$!bzcfvuNNK6_)K_N^00U!+bvsTk+#0S^+8 zqNx{zY$*+&wkd6I&2aN-S~lqDjX%XUZzPpcIV>g!^o$i@O?|@-U04Xf)DQQ4OCA^s z&ioGKJRx%ML9A4bpl!+ho2J;^R1AO{WrSTA0!cFryRg;dJSl%VLott$UO%KQ04Rzb zxrUpyBID;<(Qma*#rDk`!O(7n z(h3@d+z!|VA>A+1e$wOXa`PBN*I8bWbs)kzEKg7fTXGAQEn=->%pEN{YEImab+g`_ zg;Ox!#21UJ1kv5Xc_>|liJw?~k9f|Yi-6pFK9~Z33&?)i;*$VooYz65Ml#Y*4!7$O zkENEPNEbBA^kd5HAH6O%o`~=bxQcLWg=!5_=$k6&W*mX8HGZ6eTrAu!6hmCLA=j?{ z^H_BLPlBIHtuX zit8}NiPHCnAwy{Y2*W&0@!_H@@Oe8{3}ZaVfmU?1=d+5`O&*9)#2yfFFE1mT`v1Vq zd`OAU8Y0Am!0V4ea)4n^oIs7j!v8YNk$YNI_q(LD-#E5hGP@*^fzw(AdtJR1HG*PU;SS?@HE^>6P5P*%D;|anm z!o|60Vk?l8-N@ZToN}i5OIohqmjiu(B!%DUQhql}2|_YRGNR%$A^w)dErE1ABw{=# zF#dD(5f*phG9b_{4KG9bh!@YnLw}A@|4^oaL5>Y$M9mWxAbKF3iW~`nYg{(|Z|Q=C 
zFA@Wuz3{KaX9y|jf5V@M!XEa+rhhJH@nu8r)cr1^ffmM6qmIeY!n8-GF_6IFEaPP& zMbe=Qw@k2TtNA;JGH*OQ(Qptj0^kdoUr;7&?-hY83JkfblG{m?u)2m#9$cM14}=#{ zp%~W#@5tg89nA`CNPd0A7V8^Ye_+9JWc8-g9g=y2t##!e1RzJpuWkQ?2}t2v_9FA| z+exhW2oLdA6|;UMX#&d@9z`hPNP1*%ZC8LG{>yB6;l3;SM09J)G zC+s!f!mzlQL1Vu1A;xk8i?MK1A+!W6;wXT5Ct^r)7k{Ie zPH|I2Wijw85UP$~_RrM?#CZ@sapYw^1%MEnUjT>@+*oF3KiKG-A18xifqmQ{M74VU zIVE=2`4$HBv43fL6mrV|Hf* z5s6=e;od=U=Rt_x9MKGD<0qw_jZ@VlHb`JyJ|7Sr85kuSu zYQVz<`425#^vRJI{f+nERV^%?1!2BH(S#@j5C9*)xvPaunyEqG2$mici$QNL&EU`fGXqMa z)|**RjpRh;0Sw>3oq~Woq`8kN%=RS_`$f8r9YhbjD;F-!s0$g;7lZNl~tG zmDF3814Vas3*Y6oI)2kpfh=veOg)#mguu~q{jU0}+`0N)I0pcJ-guqC0q{TPjO1+g z$X5eI{){pHUU&e`1PJz|m23O)oc2wz|I)d9V7@4m#>Td92f`{5SGtCUuIF5hCkyXx z#EDfTRt#iqyKj!hYi+#ADrZ`-&fICn&sli{cUmR;Y~gYH6_2l1{#u)!#ufBU)so$B zrDm6emk)dlj!%=<^b}KcKTglN``JtB=irQ^m_nZNYDTN#*gLFLA%M}RWvOw4U`eM) z1Bs_`7p7OYrmeS1j_VreTOmn)ZIMIgNbVIv6qt6q!=n~i?b=Mga=;)E9?dbo8SABy z&fD$#V6lA?0iX+|A2z%2o!QFq&|oqM9O%*9S3SG4WL znzc^3B-{jP@Xy(j{kiiQ?{OgZL>4O7)reoSz=nhs<=$bR2(Vddl?H!?3GMlzn=5-7 z{?7Lr3(lefxi#teu6I?w9JY+*92ivuhyunZ9|5xv*h1Su2lpw=k@-bKuAN=IMfJEE0%tFkv0kB+gfR zn-Wg(2r6e-X9rApjoG;kD>4rycB^ttj6y=rXL?6+GE6?_D{QVeC0j>cgqh>AilYk- zWKDiKhwo&cjBuGaTdUyYLKf&vfT*6USsOdYwa@x*%P3;-=-Fr zwARm{^V;G-tR#6zJElGmX*9857oAvN*{mWIa*Mm;E!v<{(j+LbRcx}|p6r*!SM)&j z!FT3@;TsoH5_&$>((-oX8;7!63kNW~Gn^pMGWMUBZXc40yD*+lEz_%$a!M;QV`zTR zh)!Nu&#G}+rWS3TkKE3m@9x2qO^P{hSbX$;^sv;|vn$x#(MO|~=4SiYZJu@1JWzF& zyFj%>v>3)3BB~Ogvsn_3+lpIp@L(=K^z}s&p45p6eg3VnKpx9Gb`_!W?3-=1O8D zq)K6;skLPa0^1s=tnRwG#cu;7PQ>Qd16VGqAQdd5>9kIV!Ys`$krJoOF zqJu+%lRthDy5)z)mZ-Xn@gs$Z=ZEZNr1ypm`8RX5Qa_hL;2H0AX>U}mNnL|D(6lTs zO+#=evVv%Z`@m}DhAR_WD`BZf%*{D^gEvyA-{}NwH8sE7ZVg?0UzdONHd(_b=>g}W z(s~|s=dIx%+dmFiyV)#XH<`67#;U}fH;;18zh-$cC1H$v?{|AkN`-x`jj#_X{1)Th z_5d?_@L*#+%lMi0YWSXsUF3q(>P%Q^x3DkwXp!CUT5;h_TiBSRO%2)hsJWI;U4GlZ zU>QipucHrK96H`ybk_!2optO^l}Hq+Y9Hj`xV@(QeItQlyzs+zuW4e8cg|8%O@rTvaLQiIOv_W|E0QLd}G zdpD(87x&V^>9jCHe+eg8A;e;7=RD z4{An?JMR#*^> 
z9|sPt4xYY#a@%MC`g;Ozysu#1Pcx;3?!FuJqqG9o20s3#Z)~F~cMhis9godWWN7d+ z(*I+7aq3gW5Po~&S+TyYlAdUE&z8zu{wdTC{y#fC(VW|B<)hgx8}4>fFyU?6yndPDUy7kIwLhiU$nN2*j%xjuBs}ZiPB`#Vdia%JVa}+ha8g9W4tx zMNkJ%q6S>SZ%k3H2#rr?%-+wWv!r|Aqu=2A*@24jdl3}cjjd(byo7=uOxa6Y6U)=5 z2TWvUd^9FhG%vp^D3vSFV?QI-xBil|x=fb86{+wC41p-;2j>E6NZf6?DAA7d(-UX; z7o}TbeCl?7j%?bd+iy2LZkr}F-FdUElSAKV5^CzIiF~MbPaxolT+dL(e&`P{%3&=vZ2&YJrcE#P)BgPw!nzq4|!iNr3DE> z7YFvr9?Tf7)jU-<=Nr1Z;)1ded9>kik>HJPPKIeq%>-X#5xlKi+dCS|wrUk`w8{-X zAfwM;?$^O~TTE}oDoA;zOU6MoD}T;cEKxRG>P02P{^i0m8~v+!yBtT&D3UswUXj$YlW{$OMyvjN|JnHf%bFgrwjM%%&c z?o5=9@MP7w6Yn3Sn#^|iQmojN+Bglp^LWZ)aaaDiNXyrPKxfwi6LaaaT&;^d>$j6C z3Gaz#OlAD6ziv}w>b`SM%{Fzl>TCX!^Sz3877zPbjsxs+@m4FoyGdjh$HnGc==#iV z*>K(NWT$|AY-O{(?|8ny#+8~)NfLu*!&AJ(GtO??-8xoT^C3-y1sXpud^O%6nwgqw zh2pzT_gfBDwOr*$wpK1RjCu`KJU~@-g$k^=lUrUIQz<-SwOm+mZRy)$=h&YXCwL5P zZ=}{^x7KFr4NVuvj>#ZAf@ke-vbtZVF}7BovW5=85;YDPsPic~&9crBtqC(6v9p}qJ+`sf=3;`@W^q7Q=C zp}aqov$bvJP9{n-lPyZp@m7Dxcfs?G&Ej+C#Ju_J3lwS%I~#SQ?PaWaR2RpD zhQh~&p#rr4kb2~eH<5_qsxaM&x}p%mFMeXUoizk0hhHCBwc$J~^h`*QZ&RziulmLA z!{V7TTg#@is1t6nt2NU%v$mC#rd>m;Hyk>dzo=Dkxx|v!88*oLVrKi)y+-hL_5p!u z5ZOpa$fUhA?Sp#>;){Ez8au74CBtUq}4}+b0E9p3rNs z_$8htSMW??`Gl^`(xj_Eb7XALI<%~shcT#+M6YvPeR7vCoMgah)a!FJ8Zc11eJ^qk20HA8_hk-VY4KjZB?H4sfUgzc zuYW-IC}f#sIVtbGo?|-4F(_EquX$6ItE`j9fZlt^2-g4)x_rE@j||dlkz-=XPV{13 zw^{HXc+%dsM$umXWl95AQ1JDtfu-`JY}%C*4K!W)5*wB0MV_TAqEpyJcO0 z`iDSKp8kkywwmK2M>`#o}8RwPr zIVsUaPzAKqSDsH?bMpJaIy@OtWFWcanrPKX*kHrxZG8_=b@GUR`ds|X4963_*1or4 zyHsjl9=e;owvjtb zR-s6`3%cDv`BH>Wcd?ctv?wUe+iI_8GJY-5^>Xa@QlX9Bz{Bl5-Gc-zflWp-O5C{pz|dvQwjnA$-ffQYu8D8VM8cOop&??xV9MldQJgJC`SgYt!X+ZYX;1?WG- zbEYrp>rH5^f>d9>U!KL#kQKgcY|Ub&S73RTL`bJmony`G@x`vfQMc0NGtwj_N!D}b zGrVylTfJ7}JV{ZXKepZM-V>fFwwSl#Uq>HwRJiZZ(oi#e;p=K0{B&v1BGPWYN0)~Z zmXq3WIwGcKI`&;#CboPu*J;IBD-ekpIUMfwJKs(3fOTjVRXI)L*)^xT8 z@~O+T#x#=5BQjM4*6^tkSNeqeoOZ7?6hc#h^H$d)ec36-W4xhs;=0{D0CVP%GpV?q 
zs)4ci`7|X?e=jP|(7fAnBWP)fX`6jqB*pL+Aw4n&eHag0J{KsSNS9nH85&D@Ncy{O-h?ULlpV+8Z+$XE#Iy^ZssO8@p!o%**T|@^lm`ShQ=aEx>IysxY%Y*V_zQtYYGBeeE@4|`W9>XlklJkY~u7f`<8*HjJLT;ID1NPU+ z{VUV=xm}ZLpkP9GOU&)SHPS6dK8C%qH(KpAf=;>}y2vo_xcMkXLGXC>$;4ndCWx$c zKbX7}rxZ~*7to1WLJ8uCT-9f~v^3&X>BNP_)K0j4=U{chOnb8k&DG4hp|5BCpM;p7KzS1s{Aa#NPKp7I?(+~2Q=D}ZN-aF4`_naBJ`30O(c0@&Wv!L{jz%v zG}mB5vlg9BohG)fW;Hk6kJn=DJU=a}ffTk!KFeF!U^=@#M8Z^Lg_X9htZUCmVx_dL z_2Z;k%&isYT^qW3b)M<&9zA8d>J9-aR9I^2iczOvohPTCa!=5F{d@5kXoI!7x%5W2 zxJlzCW7@|ydgV;(wk-M>f}J`6|MDoQH~Wi2Zhs%_&u0nq+wD|0VGIRu!br!l`30XR z-M;+W3+^sZS`8VPx=R&_ad9p%LoDeVRipg7qdsVrskjxG%4HGqnEUGSEynGNRV*rK z;?h#>)=-F{rA#^>JX%n$`GQZ;+|#=x*U`2-tFNI)XP@56_n{vdjzoUrzZY%YzDJ1h zyYtjUEkza88O6ae!B>!4HbY(wYP24l*1?CT0-Yqc9JzCNO<*g>qzEe zS7|;|Dszh%IS)C{t~Q)G_$fF0Z1IG>0IA`=4k^ufb0-$?x1|8#wR&h*2XLtmnrsc3haZ;!Ur3&~6xW z{oJMS!Hgj0UPY>NIp>mA1@L3MhKTXrVHQthNM`INvtbUwFJz1)`rC@@_MDxE6Ot+d zOC62e`&o)^-oklx+_HDQZ={Yri?K=lTEX5)k8C^*i>3IO*b*zn$5torFR4#2G!C6TA3N|g1+fd|Yb`_2@)ssV!r_D%$*TC%ncOGszAT;2_MC7M zmPa9!bO@+Kv%kIz4aCwHhAXJ<|yil78B{tS20BJ%nlP7O|gHh zCoS#~lYMcW;^`Hzi5}BqzlsvteT6i4(ArLf1{P2z_HATc=3mO$yQ}sA;O%%hUV}a{ z;8M0K;&)eNgqKvxQ%6#k(@aLqIa<~oLyb~LD}UZU>oz`bFOHuZTEq8pK))NlIyF&L zAZ>K#qn8sjWr>NalkEB7c&7@DxLO)^bw=Xz`}CKL4v>DJF#hp$*qL$#iA``A%S}@D zrp~x$C5RV#c!ekR@h%Oa>tK*P&r`XPeLZ+_imWS5X#y%0AS0BwDebehxsoA0OJ(k+ zW%^u6+!dPd^qQvZ1ozLcB53Q=l~G)yS6~d01{dR()@p3+T5VXv6=5Udb%KR+mf!rz z@f&X`p)`c%Ruy9mnQKoM9q(QsrUDso95}-9hhae#S+Ur}Rj49A&x1cfoG0CYr zf#_jbGm*isLoEw7sg9D6=gJ5s=vtA^Otj~eC`?#ho)>3;k(qENpdi15@=2U(qorIe{q4PVwl4RseG1ZC z20R?^UJiTP@;FC=ap|d|6$YB$FhG^lHdBL(d(jDY+C%r|`?70n*uWtT62>SUm>L&v z^`@Tq5%PVnoKu%SNlm+6XNX61DW z;dU@{438qu(bQ;(#Vxy7rxBCwDJV9#ftOh+w^M1bul8O07j`(X><0^9ZKh=Ny%l@9 zJVqD0z*HIo$Z|_Glty_nJ2ngBGY}uVsDM?YDRfr-)1K}X#Fw$)(z zCEuMW@E^}Mz^rA8+Jg>&`%R2>`TF70cZDAJ-poHM`9g-NCS#A^Jz{+a9NmwRsphQ3 z%cCRx*$0o&PvxH|wVo_Ejaq6iGFlJwv&ZXG2n*aarYItGEY@3?FVP+JsDq*?8kpu%N z4~xY03c}0C%Zn}MdV39uXniJ5c(CescD>(nux?sax*MHow8&?wX7L6hO({nr=qVVa 
z#k$T-s+=jG8Fk_Fj`!;5QsJs+i&;*`{^X7zGZ6g10l`KpQM#LR^je#9l#YC(jOYuE zCt;n$w&}``tCd-G)a;r?E~gRrmAuc^{}fewA$X~S<9)RkD?}5>PBK$BQ6ulhehRvs z&C(1B>a0|KmaMo@V0fRWY(|)eErPt#Ax-LOPoleJ53-R5y-s%kXDoMafa0?Nhq(wxqg!9bqg<&lm-9FkE>a_IAk_GEfKc{8uj)8S)XB6gaCwKdO? z2bIsS;+@g`xsr<;bB6U%eD36`^j%xO7I4m1}cW9z_im|ia6FciocQ$S+JaVq-wG^{_9>NfAz;o>~D|iL+P9~{y zQb`frLB5+|_MJ0lO(D$VPpBE8CqA2I{gHnH9X;a{!CLoc!Yd$ME)VCc)aDwDhc0Xa zgr=QdDa~D+0iI-yQ8RW9BM^^63nbmD^FuI&YZtyqK6xif@S&t42|B$7I!R&bg!{9E zbiCh<{st>b%Wm>jxg^&!IBV2u(R2eiDqLm$iF>hLTm zXLK?t-8)|yWsj(pv7}Deql2`{94gT&#pO@$=Lyf;nDg1klQ%b*GE5OGY709s}KQL^#?~aRZ|h%;}(EndgrP^6Cgf_Q8;{lBf6Ck!id%USB73 zFM&2yV59OlKYF|4RlY1VBt=iSKMoDn_z=Xo64Nlc>a(d~e6RTq!o;W?t!ww{ZBBM_ zXa!VN1ewUt2UVc>cc5BW?$i5OTe>Z|5zex13ejgdwAJQgRa>Gtz+;3~D_DQPr=tRC zL5K?bc*cDlnlt|B1T^|&RsV}C`tBqt*JwS@8^;-G5J;GD>^K^)P$`JVPweY54-7)H zMVLk3zdnobm&)o{g6O651{ZfiH_4)T8+4IsFZpm)M9ns?j|klv(%g`H>&(PB9b0~d zo_Hy4D&h*it$4WTt!W!)V_RKF%U68!7R*PH0hSFrFmB<4@6W2MexXd|XeDwvM*87+ zDBZhMd`33TE7ih9(YG`dE#I4^7wh$V-P`@-7X0|?0I6)A(Zp`qi;gh>S9&SB@JsAV zOWU!XFF)L}e~OGO?yuItCxncT{YzQz9+Ov`h++SvmfjOB#hyi-*HN0LByB`QM*rT- zsc7}ufmfL6EOg2GnqSy8wNDN_RZNpfu!xCy(O%6$-b*-Iww1Gu@2A%ZV%np|?Hm+> z6#3p~NW$EG024RrW@v2aXCJyZ*?eKQmFW4w$Lr6%egdVRU%SGKzdudpU5byUG$jph zB6^azcp_6nw_M*;HiLt{kZb~H$jd@=-#c0DpdkB?1tG+EJKuBH$5iu zcl<4wl@Ys&1~u$kX(Q$J&yCmqZs4+C->uWL>-lQqTGzV-C|-4_xS)fPmPEd_ZYRB( z?3enfa`HYfGKm9_H-KK2JR{Bxs|)e3hQTfyROK_*fnEMHukSU!HDN&Yczq$@$^p^! 
z_n563It{NlVTq4dxLqFi?Y-{kgyK5>Ot7Vh>ss&6(cQe^pj$QBysj{vzeUmwEs_aK z)O170#2pE@3~B(403O-5w-^XA3^*xP-y794+Rbu}AAYAX)wG#RPTR4;$uo8v;C+8J z^Knw?PgPvk^Q2}WjOyBig7OFbcm+T%@fg;hP^Ex5K-zqb5ja`L-bS99Y}|KSaIX;` zu8aU6v@}t{F3GwL4gQsT)d9yR`(%SYv;{OlgE$X{{Q5wsuyaD$J@8nnOq``-cV9xB zIz90B*~v^EXxk`ZZQMHHEZy=q7h2biJt>D`5C#A)Co~d`Zk#LrMzB^0jceI+%{y=u zNfgXPVx|k*^W(Iecz0q>z6W+l#Gjvw60b+qiga$Mv(SQ@mPV7=3Z9)HZ+1=5@ppsa z3dRebr$CAm5U-m1EEAsSEdeHyL5Y>vml+XeX+R@qa#FMU{#=pWMTcw%sWs(ksGZil zyl7%#`A6I%f3g4K&gh1IX~+u0e{b=LA^2yp;r#$uKM*ZcOlydrHBgF%2eu3^v(;># zuJ#g!ttarqxD15yG#G3(odL<6h1r;~uGHzw&iEchCVBQT(_zfHY>Uy>zAL5Y6SFB$ zZ?k4r7zB2P@H<&6TGQ^Psco`LUFxXXY(?wWJz%;??{`TK|KSJ!ybo^IIw zbU{;CO|i6WS*=UD{|r%4*=Hz_vOTG{VM{&Is8FSse;c;?Z+4?j(-936S!f$P(ofB7 z9I>12)LZX(pnaQl$W&XKtragnG)#+XUri~maX2cTJgl?z>m9TwU zR4)7?(qz1z+{V3@^=ZX8P&Z{YCDVclEuR2xQtTJ~;HS)Zx8ydo=gg}Fe*h*43lt2N z-7@3Fi!`6tzC=aWj8B<{eoj(sj=AZxzpoDM?|NPQUkz ze}u_%0dA?hhQaR7jT5c`L0z0;1cVMPI%4@}_U-DkT5zJvErOSvp7p6V_g|+Mdx2K9&`3TS9Z3BbI*45% zbt~(u=(c&g<>*2{fqQ(Y#3N>%)XAqF!oP`g6rTvoIXF$)1gd_BmoD2Ia;N!|HuXGK z_0}Y&s1imZO^Q?4H>B`=)~~L;7=&`0C3%~>cEm%IjeGOX;W0AZyn@oH z?6nhKsCLrJX9|opKvua)SN zP~`!l1)m81bk~oza_ExmnQPEPRbo*|uI`ILRl@TTXe)_ZP6q6Rz+QKzWD?+QNlQm5aZ@l_5xhq=pdje4A* zCA~~F>|ejXNftrLq}Tjho@Qs%FWzEKf8(^rtFv#$T$czQ|EUb>Jt5$zwfnGR=;a$% zbE&B{vo~)Ny)2^)KlYSPNoCNd2BU|=*EwR%2Lxtx?X*I3>;?3l3O*c%pOht84VbFV zq}-NLr`y^3VALkKG@nFpVQQqXUIL1Zf1J1GUNDS}M9sGglZFFHamwy`p!Jl9FzCjm zOY=2sFySU|$)v)xIfd$#^M9tG<9It8^F4zbcfnJ50C1#4+Vc_U7e8}zhHxpnQGegm zr)PKr;on{-oP2uuJXv($F`f6L_&U!ql~0&*k;o%; z-ihAc6*vazyLY9w63{}HwvBs#<07dcJTtS+0`{42zdn5CHwgPnXihJN$B^f^oWw** z;El#eQ{;i)el8fWIT?Tbk$K7eEj^>9*y}5fNSEr&<-Htq*k^5?W;PkRTGez;>G^K3 z>a`>@v43VS#q=eO@6l$^x}7{TK4-{WW-NLe>>M@MUBqf05(2$P7(FUk_2ks7z!->ue!! 
z?iF6!s*SGX7FBfx@pfUKXv2@2Q(Y*{VN>whk}xsuq!YU)n#p z39D{Y$iF3UE4XaDD~0&GtS9VkKml9N_0y#IExlV3*pJ3*uT^#qa_tu_WxE^?YKEqs z{T-wI3-3#t44r$zvygawJE0Fui~Vd%{&^D-j`jVL4L1B=XBbqCRE^D4Z|G$VP#Oo_ zY^;}&l`R>-znvk>qW6s~?EUi2%jgEeuwl|S?+7(pYJNQG-r9cLeSyGIV`yW|)+Nbz z?4}*>fxfZ*0C7k3FJXM6agy}!-4_|HJ?>0)o9sn}>iKl@+xE{r@VGSM42F&-Q0shJ zF9iy}nx9aCqg+0j#-%`}cN6nagU^+2qJF=;af?^m?(83Cmn4)!pi|97MHey;X9>*if-A{OT3br6O=%}c{<8m38`zV=|%FGZRdw(@{ z&XTLYb1bD#2fts$OFcJ4k6aZ-(8K;q7;x=AE~~onoBne-p2_AgjpHs7(bfhwBfDoq z4RL0-X=ye!^Oi4hl$5H~UHSNBFCs%h-J3-!316M^;C@WGpsUb)gbh;(f~ z-c8vt$Kr8rIOYNk(Gax)ez|(G2|NrOi$Z?5$WK(zi0GhnwZ)I({TnXx7WZ-4J=VNQ z2W}E)6y{%|O}BK&-Ws~K^EbhHhMBlM&RlU%?BHR375+2$@;A6Qa3pMUAG{@}uBym8 zt;PEohkjo_^dyz!47)AS$Jz@2Bv-2S`u$n%T=7@`zu)HyuvfXgpMj6NE%=Jkh-nh_ zv#Dz#AfCRaTw&jfI9L4TrR}vbv0QN>_M%O@IEM1*?leLZ@(Id)3t{<6BuLx3=lVadiGtA;QH8Gs>2&J*OSj%Sg%#Qo;^6-NJHvi;2*Q4OK z6LQBLF4uCwn>;#XY8Ss>$B$|X)ryo!Veng)5g-_n3epPoZL|I4iSQ6GN5EfFN56nV zvA@uS%oGiZrtJ5ge?x=%H4u@b|tW0Q794-GJ6H@ zRT4%2{m=+ax{uoMU1PJZIX>-?I?7{2i5)~ma}6AGzLd{eh5 zLr!WW5Cb#~502y?PBx7$-6R+Q4jDkA{rLEBIBiQ{w0h3)o)ank=cM8rNZC0RszT?w%3{%ej4DL zplQWC&6g+mPN0k;cuT|$Rubq-;s)Mv4#X?x{G@E}`#L??tqJI1=z}2Xpz3^_W(BylF z2F>PhZG!2LeP~Vf`l&Z8ihoRJ67h%5SDK3r*~c*tx)j*qAB z)^bztO*&Uzg}+#FvF~>;?9ur5b9M+GM1FOyV4kt$PBJaJn{w~q(xbG=Uanx^tj%h`@f?;AOVw)Gdm%~GV7?tDJ{l8ZZPM-7+h$a_$k1KAD@o+6 zxq0AOWL6^kpylYAEbQfSZXco(4!Wh>G9r{)z+*uUk8^i0{Y>DG3S^a6*&lpwsev~Q zuSnMpA{7N{Ff9}laYq2(x`rdsx91tVsBikV4$R4zNx}SEwH|vF|b3&}2@=*E9;|U&#a(hk` zjNL^KdJ71DRp~ia7(e*?asOi9WqdB_yXN#1^jZ~~MMjpH16iJm=SqtC48YcWE4YHl zKaqp{%8}Jzcn51QePSzBG%Tm05dv%d=JwQW`p`Q$ky~C`a_O>vVYEa1x#E5$ERgu+|(C6 z0&UW&M-~kE-p7c49xe4b>@#rA`c1K;<%f~`BVR+IT&^80(vK0`_wkJ2>732vk!5or zPIY9wkS{8F9L-a0mI|e&1f?d82Y5p_{oMr2> zk4r{Ioz$=Y@1=0Hz`#i?b5=CNmmV@VLTwtUXk24t&{y*Q*MY-DINi9G#cJiZQTIiP zlC&->GfWv=5A^j-J}9w2cNX`b(egK6=1mRLBb@}#;o^4xG?(p|NNzSdh4cE>$#_?6 z!;e;i`3}c9MLJs;8Escw=^>P^T%2L*mUk&4YG#U-QDvY#U=BTdiqJe$ph#*g-qzw$ z^9fmqd^%mNYmGO%16Eu_=7YH3Ev6uyW*(ow*x6!S(h0k+ye8xP`9mxI_P90<0|PVn 
zro19y%dSt)*F~=|_Agr2GApHgmN!t1%fCzj9qLy48~xHSJ51(>8YUxA@+MR_lWV0V z!;9?+d}r^#P5wJ+n=kW3t_hDU6TzoFR9em$}-)Y5w=nZthXNhXfVuyLQeq9V4- zOM@20SgjSt{!fyM@nX_9**Y6uzM1vK9fq=zlIM@Y!)R3UBz)NT9lyVQyYD~$2p1>f z{%;o=o;8u6#`ArUn$VSY2`@R_IF;d&u2lU(Cr*TTt6D;`pia<(!w=48ZJgbLM&*x+ zV?=-Gq{rvF@gxZP8s_SKka?mwc`XX3arW&;zr*Bm{7}85!}w3#$+eRDnAw;Ctv~TZ zAU7McNXlvJgZcXtm662Dj)?xp`H`m+Glahi3!~H-5+&^HnpdbC%(#iYZ|C; zN>oAns;zhO=Hf`MV%ycWX9-MNVjjCG@-D;t1gVc07DdT+d9^ zvbl@WhY5@32W`QZbU%JxeZ9=^IPuORKOvRKXIkg$H}QUlo}^Y2qQi}*LZQ9whC9Qz z{1SyW9Um1_h3Bu%a1=%A<)!JrcU31mg)?=%{B>sD{rChm>z@=hA7VbasOYJfxd$++ z88c`$<;|t`jrR7hMth`cu(7ciR}l}B4oEPj>8H7jQg#NU=hMCEA@w3dC3e3G+wBVX z&v_HgGJ?tqULw0`;OSJr(Q(0=%BVlV)6?ZuF<+$?nQXj7CyhvWLx7R2?JL(2r)`(F zrLwT!ByMx|5POrc#3;4hw6WP`LYcql+|Y?n66w0{6C+C_skcjSLLBK{U(Xvk*Y?r^ zbHi0osP0MW<{rj}X;a}YV(Up;g0NZKPYhEab>;Az$16Xd^yd$Dg}z1!C%}pLJ?zD7 zIJt60m&B}}em(vEcXTJrWh^FiQaPnHc{^Z-tNaI`25$ZtPS#etWLKT;!DGKcHttAV z3+A6{q&N|-VoJF}ruSTRu{k0_ZC9?T@#ukFyjsPI-V?|)oHO&H;AxEAc7?TNiu}fT zLtXY+-^)7d7rGg?n@f?}EkQ+RS%$cL0_7RlG7W3rq7Q3pwz~c`(l4l2F-t=eS&|;L zQ9TAnZ$48@w|Vs~T5ZU|>oc2S(nu^2W9-(e6(s-e>=Li(8?(RU-LpW_Mq92O8+a7~cSwDEC1${M_x1mew{SxNRA^bR#jA&ojE=Pq{l(u0hT;Y$SN zPaTO08qP#uuLZ1lUOlHze}at?#1D+l`FUnMYni+tZJ2+KKEknVkRAN)DS*J{x>c2L zGiO`vmfm0FJuut&DTec=r_suDeCfxq`?<@v>%LQ_vM;Bw+v>d6X^7Hd!qAZhz5n`c zkw!$w`j>xfQ?C6~6I0XY&$tGA*|O|T#wApGzX}pxtyijKDKRuQG_d#j$51!@@>rx{ zW*(g?82)mfs$sM|5?ok3Y$PzfzZo%clZ=?|WGe#idOf_XBGf3H(0k7@7;HE~p@~Z| zg3zv21WR??u#6qTbbVOeA<#yjt8kkPD}Tx#Y6NzF+G6P`D!Xa*QY)UrD|X&!vLNmG zBwQW2^p_t8Vo&*ha^(gOnt%@m_4EL5S`Be3mMVfsl<@{Xx!(VkKgZ&0(@y0wLE%}N z>k6qXuEM;x6@NLpULl{%?7LVzywr)Q>7JAHBWC!zV4BQQ!p`-ai>vU`l`HR+wZUZ$ zZVYIHbCCuk;1k&shq%jT)ObZR5ZT;Z6mAmXCYB`IH!qkL&|qIipZ6dNcPgwII~#cs z$C-JYlN83LUwWRqTd}%X?bX(hT;f>Nz!ZeA&(w6@6J9P5t*kjov2ay|_-9%v%wyX_ z-jKe}<&`DG5XYQ(w(;CIAGg7b4t{YXiFB5Ye`%+hw`gG`IwaXKLLYJnE81k;Q6VJ# z@#Cp1TxBl`hPCyz*uN?-ioD9u4O{xUK%bc5=8jk;1df=hihs@!j4WI3$G;3?b&b}H z5=FVS)=xiH4EylCAhCP#6wVmq?+s{^Yogh6QBT{FWJQ`kyfEU)v0c$GGCDW7lRmY+ 
z?moOH7FvlD@p!^*SA%e*?tZ3D0(f9e_IpEqgXnFP#v7UECApGMX#eRR!w*Mpfx;Ow z03~!J$bGq(FXJtJ{*r4!hWk%b6LX(qT1n^VL`k;Jx@w(Hn{}EhhG`J|#_QM4>gq?I zC@9xIQ|TQIS!<3!)Z^Vc$gt~E*L-|$A|lKT8(S4R6f(rxXDi=yYl@o#rknLQhG2Jh zrN)Vfx*+z`4Qz$(WN0h*-C8-iBC}hlR`UrwA+A!Jl3&d3UWz+*&9c^B`LoF1o5bSm6pFMkiAnsU{b zc3lUpSYPDhLig(foU!Z+(iP(TVR})=?_A~Wl%g1zztS#J-Lvpadv5F2zD)S|4&K%?($K*cU zpKI@qyM?zVsv4IP-oyAr+23q|8WtC8xiIA4m^xF65?5uL6OPVX%x42&+vTkjoZuLG zS^piE36NRNW&oT$=mwU+&-xR`?NH4<@?Jmf{+S5h@z`b1%}qWbtfa)g#ePqwjnK)- zArYQ>U|e&RI_1?pksuB&*MM~U!v3Pv^o#7S`6d`;>KRBYG=7sj>Mk&|L3bjK(k~@A ziHDy4E^qhs^iqe?dF^Dyc!9{HctWgG(V*Z>9I0T!BPZoDBm#hmi>j67+;Kg88_H@F z&(Ke_zZN4lCY|V4x6_lG-pHMnbvB7^{--Erbk+Q*XHPjavoCq&=xI7{Y-i9%|IKXd zb?Y3N@1-e@ttK%;>xuwOZx6R`Sl4o1DCl6E)fw)@9w!|xr!?ALd`@1DwTXOgG@4Fx zYID6O%`^>gh_pVOiYsMKxY#iMLR%rw&iews@f0fs`3&INz3@3&-S&S~pc_^{wP;z4U^I(mhYqau1fH>-*H2#KB*Os?5g9jFkJ_F9M|kF6rp0A$B)be(EMEti@+-MB>_^e$N<+V@h?Uy>FF z&1tv=HGpU{1sacfG~8O*dSK^iqj4dV6wq~TJy75}rQproUWvz*z2I zByO>o%-#0JVsR!QB1QBvf!|cN{-RS-RlVhNHM>Cl2ThKRGUi&kQrnysx<1j#>AZ=~ zd*upEeA30&6ohTA0X zh_zDO-g2(bs4D32&4B<8C_TyUUH;orA;T93N-DmxR3ebz#JvoD*PN}yu(v-iwpo12 z)F)=we8OU%9Hmxu4{}N-l&pB*V+n&BH->Q8%*@Q#wSKX|48O|zP&i%RCM|BrpUqE) zgOhabcb5D3Gc}HNGyu-oy*LiAU;wY~R|A~$6DMeLb^neBQ|fNndj#Pw;V&<&{7b=c zZb$!o#;w{ix+)^?CzMM~7rqk7n2_;%^<2va=r%SD% zsW%h2gLdg}g55}oFJEesni$4f{9WM;kwe}M4Hy>mz~7?>s2q+wJ2_{j7|9mIZ| zZn~2&By~@lgHL% zr~2Lv&y|XU!qwW|Y+U8sX_x%&*a;(Q* z1W!CvOBS-orOW#^poJsg51aNh!D`dT{GU-A2@^Eux{u{gZF(olRg6>u;wg^8*7@65`9+xY%Y;R^49!jB{`%LUp%JgM)srF z*XL}6h^vP=oQ~b35fmDDbW}`Pupz`^F&J}wdlQmUtks!cR3c3QOnsr-L*r)li`CT| zbJNd|*h=>1dlYOHJQD5~(e>Zyx>!!*jEU{E07DE0&u+SX_4tMQJ;*@cS?a}IN(fK4 z^fK?s8Yii`p5X89O8b49Q)X`tXDZA@Y1IpFzVArjH+ysmx)^FO#>?`a8lL6?-UP1>UkWoafSqY+tl~z zQx|4~@>1LF_BcinSed=4Sr%kp-j^Uv21I-FD)Crn)8}mPV+c{9#g_-? 
zUjXEde8#eSAFrG{pD*K)95kO4z$kh}95NI1y#1L!i4zR?_30V6o#7Pzz9P4s?-|d6 zg=o4Xmd?R0()X;oTAN-}mM8(it0(eN%So{#LiB2YfRR+aq<+U8Nk-Dip2mIV5qD(8 zij){`P!zt6zW9flJ#`=4jvpA|a)XUu>8$mj8A9{=~^73Kd^ zK|J|Wf+6RZ(YIG<9LipTdxt7AbeBE-Q>*^p*H-9s{Q1_7|2*s5AY-*8tJe?M04!Ztpsj7pyH z&W)4#t}V?>kT-Ox>h{+_jrZiCPrlTEvvNx{9Y@ZUlHl;2CA{kn+kY#&f8GtpZ}Nq9 z080svMLJcY+Wte>ti>sdu}eeIDJkL9BBA$;WnSpM|F&_^@JP4N{G|pVPbxdQQNBo-aRsGIySJV>ryAv86#?;I*^yLbvqd zpxXn;q7M$qY*Wkyf7RE$4==WDg0vJrMr+n(n_tfOWg53tp@^UxL7JyGK2$3|{{Ksq z@B<;Uw>)PcJl8HBSdPC5I?m^s!j~%9-`W=)%#cQA@a4D4Z^Map|Di%LcLV{+1aaC$ zc6PD4x0o-~tEIMDJZ4`0Ic@9&lWF^*d%}1-R{qOzCPV|<7Jgm|^n^9lgSmB!!Hr#Q zwBAXH*k1I%OY-mJ(b8GWPyl#nr)KM5;uQyQz!C;z3_yJZJH_?vwqmz8AlfoLafP9} zfB#0OFi%Ml2tG|c(%ek=oyKmy5e@)+wvW-PKm*lQKyr|#sv>dEC%DVX=s#esOm04C0-gaoyyBxYZJ>DR9X za{Kn$wtGpc5gzN8pXu7RiLQ84Lqku_gGUI+fsg-1#L$~VA}Q*FFfK>{Nqq1~)wTjW zv!WqCyshm0m*#<6+EoTjD4E+kCXcHFj6mARH+|7aVt7GDQhIe=gZ9d+nrCy{PQ`g`?Dh_@Ly-q&HZo9UtV*MQirs9;=X4G@Qz+}$G1G5 z1JgEFtF_8BZ@<6h0CLdA6aXihO(p7)Ju z^Az|j#|y&gKauQt{WFrT5!=JX>-oiSqsaY_N7?98QpEk;{#y1l)RyItqBzjW2iRVA zL}DN=>o)50dyad)+p*%5oa>{HSOc>AVbuj6wzVH`jM3}cCJ8XkdW;gqI*3y*X|1#L2P=eS{NXpnk^N!um7T9=%0qkygVm4$NoBuB z1Xy;g33RIIQUf4@k-vB6VFfXt#hRS|LbO_Oo)Ez`|4ML^2&t@IYDY^$qZn?#k;vhY zrwloXrxw7?mTMN^Jg|Nz-l9f4D>ECUy!I4<_$mwiC+D?ea!3->_v%s2DX_AQq-_-A6O^y zKPDUg7-cqjY$>hNw(f9x425ivn&l^>?GNt=2uluH_|+{XoE4Tlii@UM)F+nOI7>TDp_++PK|SRAMC(`B zm89!^^m6yp6a{)N8j-)f5+ASSM|>S2F_8QcKtvQDDypf3V1|Oma`DAx!4P;g$PB5C z>1k;4yYEzk_alVd-qR^}F4!#8_iw4bd5N_Equ4ZAnTW{%m15FrLOe(%#_#|`I1}hw z%O^NCbEPkTe_u^NxIX;D{_v-{I$ruE_Trm3wAn(8Dyw!^{i{~(GNhXnw9%g~nX$b; z?op5MK3?{7%n9Wzrm~KtG@995Jr33^8rzs{dsHQt7O)ZbM z$GW+0Umx1ud7Y0Tgz6Cs-@Dle*5%(jBemfH1$rMV)^^Gb62jq|jvhc5C-eNZj}>_3 zTCW8pM4kyo&vSGnK7Pi*_JX{)lVuXiZFm=i_cVeMNHkO^lO(-$8Gmlu2etuYQ--K7 zb|QrOa?n(VJoC3X58e-y@%W@W>4f@znBzHzGZHbEYeWUNM>ug{*S;G1X*)?aKkb#! 
z%`)~mMZ1qa1YteSD0J^^T5%##oW60kYF3zd03BC z?rY&?iTZ%uLM5%iNRsG$Co2LI>da8K7U}=MnUT(te-xPP#+WBQa(DDJdbwaKLelV4 z(&tswBDIfH_r?dl@fIJgucz-lm?^mw62}AD%`v>wX$CakMqOz6CCkr~k3O)@4^S(f z)5XT-KUOPHvi9oV9(4;=>}9skf9C6IAy=L@Z+9Q7a&WWz>%3cf1D|G}jortloOL25 ztlZIakxsByR2nABfD@Uf_q8YzRVJ{%BGb~UDa8KDAy9Y)KNNx_5>18pAYejZ3&$c= z8|Ld$#GG$D!Atua>;p4>g3kOh^t~WtO9NT;scDuZ%ztlaw%Q<8*#d(z}01b)~ZK&+lpu24MhQz%P0 z;B70t2?!m@{_)(s%m-dpC9xZ$y}y6!GnC1Vuz8?D1-C9g@l)J6K4=AjstC3_HTj>!F8|y7qng&IX(bNpya>50ir{Gj zMAHSVU=8??TX4%sh_8m*mGg!qAIab?}!Q2#IBAafUtY43x1ltM|746x)8ix^9~cG3vDsHJY8D%zscFK}iC@uQg?0oG={sI9aZv8J20(?7x{O!31BFKP&>a;-Og|J%BJy9J;-iQ!X z1IT=tZ}mTrQQZ8>3IY<^{A9bW-Udp1u(X%iVjqbNNIK*dw-<~oNfMrIlCdkG`91qS z67WmCv<(8uWz*Tb%ZmH^ONxg=ULf6t`AWz{{4NsT&V%2*0)7`u2!jLjf|4Rr)pNCWC!b?aV^$sS>9c+^MU6e<+gtx7_bO*FqIzs3iPjf;TB;>t}i5P zMGLR~jd*UkFyR3*?`zMf56PU)R?JUJBY7wjd5Akdt4KMgw5F34&ZTFmoKOj4N_svy ztZ!rI)RQ_|0Xox&r^pt=KVIj_ou^Eu4(-CF!bhoguj+Msg;7NHXO4Bki;q7LcVN6_~s(~lxl?&~J62XZ_ z{$2&hVHY^)k9MrI%u5Xw5b31UAy4|ZyMZo_~j<(6H~G<(a5tUR+w*d)J!rJ6CdcH`}fU$CRNxablbK^jA=ejQsyEu z*#?+)fuew9yIMkhYxs{?S3a8q9hZ+a%Z7S24AZ&qSD2^CMA#Mki+%K?b(;tfaXtgw zL4p>x*Ce9oBi@JSug$Z?PT@oha&ew~M*^7TCaesO33wpnPVI?KC}?;c=|9>$k;>*8 z>~$Kpra=SL$Ors+jQRg&EClc})>1bIGv`NrV%%KolQ1phEld{^*kvpix_+c+`o#P_ zc8h&_hMD;|q?g7~&+|q|0`GnozMj({f#`6lMqY?--A3_piM+IxaN}tC#{p^tZ6@6R zHwlDa1ZsaLDN+WLQ=wgTZ9ZPBLEVon>(iXb@M4zB))g#n5R}sS4m&$Wk z(?)+Loowm(R@XM_+|Oe@yHJe`=g}jL&Z8Vb;~Ac^^JM(C&&jJWKh>Dv6UH7D(8%s1 z@7`-<2Nh6dhpk!;JyF*Y*%%JH{&yOLUV4p)ImN;W;zu6-xgMPD@ zy1#B*_F82OR)l+q9ngw&UzFsDd2=tkcXdHkleF?;#FofFrlgB2uX3E0o0t77OkPSr ztxVrS7BZvZ6{x_$d(6ur0qIJ~&pi|ggSYE~A;puu@74aZ!$tS2C#l;!A(dX$ z=6g-xosb(|A>a6|XI$apz+A*5XHkQ73{<=1Oga|IPFd`kzCUxB$%H-kRWN*^`YEjA zyq7!n_$QU#^n#YVSD~7M!K3V^lYx`A8J9;y-is?PDfu<-w$xR6Xrfq8mgdVi^SRe? 
zrBI>tkXbX(q)eg*`x%dv-OPDl>Wp(t)qZ0u>ifw!82=r|0~p8ip|yx>L9;e0pJnpP z4J?&c-nc#T)*s%J5QPbce+JAO1=`rm_+@E^_oj}L3>Fe7&J|<0!zAHlX`h%=nO3v0MDYz^u++@u6Pm=6_VMqVVSgqkTDUOqop9#}mAyc$$s5*KG!p8SX%>xsb@z&Mu{ zor*D23;{)?EDP%B@;5LKfsXhe8*4U`^jp2+jnrCE@2nJP3?DApG1`njunj{tg8grC zD$aXW$F4nE==MiYcY=omg#to?gw_CqCbGW{{N` zJRauGCy15>|I=STW25Ti@Cz;aawNK((K@QzR`l|N$IT(7;$-|1z3%00W{HU~^Adq< zRk|6hhLc@`d0M%c@B!G9R=dg?d%t9j(Io7)+TU^)z`Z;X4C@Y2o?z3Tbe8d6eLpRo z-&c|aEZ%F?c(G!2A}u^a%Ypq9CV_9r_rYZ9_Pf8Jxr=cohHCC;e~Dq0`qn+y+Jdt* zhFmn0%WbIJ)&yyaUrIJ@r{>%&9%3WCH8i)1jP8{3t%^P0bP|8Sv*n){1|wIjVI;6M6tL&z$*(aw z(%fZ0J2++P71ui)IyM_>S_>?Y*HTyyEE2I9w9=EZ+s0wetINEZm<`NE>rGZa@eCx7E~j(MYH!CHJ1L&;;?RZlvfYW?{{RE&#`!e4_fW-$!f}?*XrQEXhx5)BzUBz$ zXk3zFxSNNO=0U-EuR(8}8R*SezNK;>eDl%c#dDhWQ|?@~6lw7b{WCJz6aBYyQ`FW= zg3g~KUe{?=SNOHrRcVUC!o(p)3V~;GGy^;Gy+E_C-0MyDXch9+Hr)!a7I-TcLcxLK zh&+2DHz~3G4i|qm8m%4@hy2I0KO~c8k-TQYi$G+$Nr}GXsD-V|O!ZllU-&y*Sl~Uz zqGzGe*S;APgVc!N@g@K|kbU8d_1re8)Tg)^anYMV9vo`dT$fJnn2AXN@6SLkyFlDy zrX-~^7-Tcq*r~T+{$ktvaV%YIsW`tdV81B2|HM38B@H&!2R-qH@5Q(cZG4Y}d~RMJ zdb)pfSh^~d0x^S>ZBoSOV3rW=I+QA?QuKl4s9uk`z#;pfXfxPz!T>(H{7B0z)AqjP zVQ`a6MOglG-IX)aLMW58mu%BKqy~1j9;MZ-YR4?SbKtN~r%G6uqsbZ%3p?6LK>Uq`)mpoQd7GH*#1O7ka`%15FL}}r z$7)RD(fp{xsLXV5i3LVy*Qc@1G!b8f(Zqn+slVDvGc^>`aE$LKJ6CL3I6`cxdLyLG zO4&BCKow$zW_WAlNi$TBhaKyPjbvQP)&gpbb!jPe8)-Y6I_yjCxk%=zX#-oXv8VW? zM7sPGfsj8zs#gRSY3yEx)-Ov zBcb=keP*_i5%$$@<@(^<3k-F@E7~p}dI6e{LndjcoS|HnpS%PMe#pZ@p6OMsB_7=GiWsLUx*kfks6Bg>GFiHTT03o*~S! 
zC7N>&;wW~_!SYBsj8*S*ecfGO8vL%L{A2lFxskJZ?ymQ5FD;mRggIz?u4W%r{pt}_ zVjtBCj3TIY;@8gOdv)vsaRB1-KRbcj8+S@(Eh1;x8!KV?AezoadzW_rhT{$kP3|7v z_bC0*t_(YwH*C3)W1G22jQ6A<*yCcyT4pDCU#p%EO@W6lS&{Q!B1q6zO)uHEwRpUq zaP7Vxj9n+3LU!Ef1a20dxVH$YmoL+9HQT8V-?N=xWs%ecQ6M#lmSgb9{DGf{lMGEn zDmdX39k!dXgivJGMyoPG83g3qe!jjct6q@^ooGSzsA;}T5a)G(PB_U#-m1xbdjONk z4uIWJt)ubgXeN`JDy!Sd#-n~(xg1@e>)isB1RK9QFk#lZ?+oZ0#pRFu)bU&f{|->a zgE9Zta<=E-sP(!a+NdpPKZ#{wZt>OS2}RQCB?@bI&8c1>6J-WHooJ zEz{H;Y;Yqlc3W@P4K10fV>s?IO$d7rs@8=%jo1$L7Sf^Z;RT@r!bn^GEl@zLlOtn-xdMuOo2(fuaVVboiz^E%Lwu#+%gDU;fT`H4-IG_vl$4h2fm|}a2?`5SUwKI+H6pw)Q zT)9+g`^-9IX2_Zwbx4D@c}{i>-HpS^5jT0h<^+NuQHYx3MV=Ct6fc}wZ}EIMkxCt8 zBTdx_0OA7xDFLi7E;*Ni;3AVgGe_C}8@{gSorj5C5{q7MBnifELlp4a>9vW7qfL|+ z?g($Yr;I)dr-#7NRPvou6%@f~r5pv#?EYIB1+xbw2j<3Tb4OY}^DR~{du!K@h$#TV z>pPG328b}8Z)T)E)3iqZICI{S!E_+%jb9QnySR8ZGBV@U2T>**NJy4Cgq$TLf7myW zeOrEW79|SFMIr=E5);pGu(~a${Fh*M(LY%2PxmGNDjBzB2m4T4vMapo46nvnVMGer z&V#Mjf-njhndiu8ca&q{jB5 zc0STZhk3fV4KtbRgsW_<2yV}Laq@SAkCq7AbokzJgG4i&0&E+JU<~vpuvk?FV5lWUfIF8Dqpu1dus> z4J78y5sE~m_2TY+*F0?rWgq==i8|zR@9deV&j}zCw-XRF+Ib7dUa6zK21qIQZ;T^j zz%wQQ^@6Alp^i;KDZ69oy^(Xp!Dk~7W1%0U#v?;tc1^C|+s!d)M+hh4775G3NRzr1 zlEGGM*%*|pyF^BXjJD=3^lYn+EG&IDKQryayT3tvXi%*Po^C$Nn=2d6cS$y%F&;o= z4!k6;7S8&f7(7&dZNZEz`bTU=p-h&}zTfEcrIq=5Z^nOP&4Z!`teYWhG4gMwcc zT9@Xxcx*{aKTX10`g-&AKqC|xyKwz8f9o(PQj}q`C6~(%%X~NtKLiqiRC{aaCb)Pp zv0IFfT9X+u(|LR%qQiy4$Th62_@rIhZPqVO9jB(x>KNr?{7bZgk2c@}G2BHr0MRGg$ zQ?eLl#tv{Zq98Kb?x&U`$x2-gED{?pQ{4pj^HHRs4H;l?lhYGrol<8)~&0*oHT4MV|5?D1>Ri3IUk zXlDii6YdAv3TRRTA${!3(VmXx{t`BfeVGKRYb#lN=qSv$!Wl>O#4u=CVVAu+Y9vDl zWGL7!b{c#YgyIXbw-nNM-7paq`^%0IP^=j4{To!Du;y~x{}?09U74CK(1`^-HiSI+ zt(!#ucf}j(rLkz&P9=r_voH7QkRCoL%si}%=jV|pPa{x76mw(SZX4+YzKB>B>Q_kH zpx&cPWPi1IheucQYm<7-K##%P4`E?ZL^bfvFkM&oFGNKO+S9>Y0z`VJsSYavs-PYy z9owaBLc1Bq7U8Yltt@YwwSvSfElf8kX&z~#rmmlUe|rYnp!^G(ll+&7XR7Xk#^Hj5 zl1oYuXcFMvx&|KUsM$vJ!+LLz9wOyvCQJM8T1a2xSGS4ots)L?I}S-Cy1_F212_V1 zrXAf74uT~CDByL1Tem&T&G)QmEx4%Jy%*H}Hay$>YK^pp?|m-|`KIKX{Kw~@XXghr 
zA0c=UYAL*1cg7D2!Dop0kOoZH;p5~=h?s1eaqN6d5ViZ64Q7Kx9>cxm`sQBYc@4Au zxbie8A(Eu0)D1ePW3M`K%{}(cRArN5UigC=)+=1`1dax+^ztH#Dy)%_ArdJ_q^&pCAIyUUMO3 zq}>u$0qFz-p}7bY#Cp>l&?5;x0K*Lj^4>NXg1{(CT>A11%H#_3tE`I0tzXkZbKZCG z9-2FRVi{FSziBX{OrQ9$I|KUbpp#M%6ncoj2ho3S200Noy$og*gyfbq1*%U>Pkj16 z9(uJ^RbD%5YUpJ2_7k+6CPFMjUNJ?l(TfzH*1+M@ubO9o5{%sabG^k@i7#m0k8*|8m7oWxU;qLg* zre`KFbUg3L&;B(~Kz-;EjP7u?49$a;>q_ue%|2ZBw3ZX_N= zV-FO)i5pb%NW3;Dgsvc(EDy#Tpo~fEV&1gQ)Su#^HeN5=*QB>^hUG<8njt`poK2bG z7D$GunI=Gqwixn#lxy+_8l8^W-{?lr6B)}h(C`pqOghZbXtc={2 z5TP1aR}QS9zni(U7OV^=LJ&6Cy&50zGhz@>rDvBLTeFPNTG9o%x6Uaj-|8`m# zC!#<%HSxp)^St@E94H1L{4_nwHyTO(Yk*ZvIP%t;QkfqiFZI67q@`jj7%IK=j-u>Cc8bZyFa_Ei|7O8_ zL*-rLn!iQ$QbuQ%MvUX3$l51^HeDL13@mpNj7GbGN@%0NMEKzoA2V~NQq+C$hftvR ziGeTxEV)$lVD8EAgx8=nTesx@aAZ|>lY3tZ6;B+V(m@sqLAC(Q0#mC``72L_K zTYF{z$?FbK{b3w>l?=B5*bx_!K4u&>&dN_6@;_p966Bk0cKsm z>9FaYh)>U;xR`pu#+U)*pTlX(2ko<8YLmrMYN2wVY_8q`e3Sk{aIG_Tqb6p&Ze_2A z85%bbgFAE^h&7(4Y|<$-G(c91Nhejk5^Iuqo_zRSqCNyhcfi`qv ztpoNh4q2pL6Y@bBSf__|^?ZD76K(bo6p;i0Dp!fp(K-P;c{Pn$4;^D!hSu{gNQ6C3 zX*@aXt>QM2dUB!L?^1fT^(j8g1y&8s1Qe%^R(9}waWQ9h6)>vWOp>xtPZ#pK9RVbt zLY!0Ut=8~&;xk&eVLhF<5y|uY)$WY4IOOC3(gm?j=(5nSEScHdoMvonNK_Jx2cZ>d zHJD}2-BnHR<3ayO8V{c;qN$Et6{7quljW{#)h6q=`4|M6BAxko-zW``*LVAo*y=Z4 ziH)b+C>Q}*q31Y2AX2mA7p0(10Rdw|`|32&99L9K+ju=CKDwwBWCD%kQKxV;I)PJa zIy2GX^mB3Rluz_2Q<0+Kp^mARwXnRYl2RyBJpd5exN}5<-h~3n1`vV76HY2CpFze; zJaOjy2FsQOFOMR8xok;4Usw=#Bk|ERru+KnUyp6DqZ?4)(uXL<{${P}I%UwA+$WIJ zG4;73ly(YN`mBcp#vf8%b%<(v1jOlJkrs2IRiV9+jA|55+kh`ej0^U_2Ox9G`g7EP zEQ~rjQ&;@?uR3qLb}b$tpGgR+s0&ND+9Lt)q7K>}>UJugNZ#DHp?GBbHw%!_ir4aa z6Nu0ysea`9$lD;rA&8B-?SG4%`sGhQU7$Le)Cl`Zt*%~DU259ta~WcK%T=hrr#%jm z+BF$=UgN-s+UgAy8_t=hrFOCb|F0y7e_9sRm~V_ zr16P?t{Nnk4p95+gX$K6o*nd0AeaiZ5rC$1!MsEAaGE5&~y`YqMOjT0Tk6vQxZKDn-Zv4iD&qbBNbF2=1MPA98Dd)BtJOn z#DoGuW^=$cUkWY9fk1(*Fu5)KV&1Diu)VG;SJsx}YYsx41 zz_V6M@PD4;(E3+MU&r6A$VCu$WaZe%H86?SbX z`E4q-7|nqgMk*V0=>)mKwK9rGy%wsQj~s8EaADzUi7PYf=}v(u_?-9*rgqGA$I@?% zRLJ^#Hos}yx_t358^NU$ZgiKc8C-g%ciW>n-~s)>K#lvHw&qy&`drhY63}N&%V#&O 
ziS+2;iVh#8xqkm?tl9=(O{-g>+fU@)kh%+{xr8 zB($C#zZbXrooae>p&R17BP>sB z{X_>C&TTQcVAez_=<%}2!S8EKHrxJChk&qT4Y3Pxd(Afh)9I6 zzNB>gJHe?ezg24hwvz#*As|MRXi_XwogNG+cY{sWI7Hu==o_E3MRmrRh>U_L+AI7% z8G$1&yRJGU5=Oh0R^JFp!TP1?6`MOK<4Yr8<0FOBXdyfN!a{?;OCTN5JZ>FMChFnN ziJfjH)#1$`+uz}JD4oMY=ew5@9}7b@os?i;i2cBFV0(~=m!mGtFpSg-twr+bMgl&R zhLNg53-FshzT3nEQPd=Oq7YmC=I&;~+5?XzTV9qw7pvG?aA?d4D+{ct{>pNcyHVHf z6KkZB@m?StnwPdzoTTNBt1@cHOdJy;1@{VhRr6m3&qZ%C>seGmD^GYf!06d;BGqaX zaf-3g!bUw=Ag2eN-}&u#AzNxtiMh>u={UppqmiI5-E7nw?Xe~x zfola8k#pX}JGY9&ygZPJJ`v*V0S62{MpAQ?r)EYddG!D|LNM(HHGS!}aEk@G1*9-{yR^_Ii7$>Dr8)r6`soEre`1b~ne#d9qX`8WP$gJb~c{(2}JXPsMO zYSbw~>Ha3ERv3Ra7Y`>%FcnW-Jt!3vXkfOfWZcls_LB$ZTW(8Y!E3IT>Cs!GGqp)#=ft zS~mI|se6Z)9TzlX=$o=&Wi`WrK$w~emrV|6@i<4;STqW}h3CXSO*}Lzt>3B+&vMYO z>XhbaTIGj#>Vpf=2l0T=)rP`)w=C7mjdo>XT~L1TFG8Ix6y^52=0ci@3th*MyXF92 z#@o9EG@{)e|D+PtS3o^^A z(uxOTKYmcopVBovgqeB=e}ddzON(3)oGMxUtX}CF+ilAd>I^o7ePOVIkkr}bBr{Q` zn4~3UkcgMpWLMVYj@!Ay0duNMZ)$gRgg3dYVNSue-j1Afj~@wksIUvV$t~*1Ox_na10`oqq~LU_0P z_~`+~!rCAWC%}qPpe?2kLg91-X|RilRaMNQr3l^T{w19EP%BC9POBrw%wHXe`$d*~ z7V3{{DpGL@=Tt3brx9om5@sV*GUp_{CQ|J@M!uy@}T-=Jv2WZ7Xq_`7&!1Hjp zhPsfpBBEusBCA<*MH5YH@TG8MmR0f6$DAt`-m|Gs&iu-`+rcxs(g7+{&7FEde!^fA zm{_|ybEdBEhh{^>6pyf`7IW6Yphi{sWkp?YnON_Ri#JprTWeE{4}qJ-6@k)=wm`v8 z2uaGIzvm-OH@uGOVUtr+^Dutsb9xXTf-*pE^M4+Gh-T~I05}d{QK>~>gCq5ibL(M! 
zP$l-Nn*#r|0Zm6AB$t&KRf<%7-r;3op^-+*al+}Hw~E)eqz_+LGIJ_Y0R#Ot2bE(A z%ooCuN_%93+VI|3CaloqX_Q7v#}V8t@H>W{Rwb*p=uL8UDyhs%oJRrOaxF0xnPab z64I@c(Ev1!=Nw|F&|qG0mS}Bl4Uw03+!FzPFk1Z{oa~U@e*|kpf}z~~=b`4&M&hGQ ztQfs&o)f@dq_t)|l*1^U(Td;>!uCR8hz`0#5Xv>1|4$p-zf(6h(bzk93r9)|8c1`; zy9n59Ko!ek3wW$E$)`^x_@`7F?mXl?(4&RGH=v<%;C!EZpT{2pWieQ4kPaLnL*CIr zc}vG1g)%fd-0V%LQfIzx!2>lEQfe78_#tV z9FVmqG`hIP#dmW%p}wsWPL(jA*RTu(!sI8*LVr0G_3!>f5QZecNkm4fhM2SF=4#Z1zNnIp$k%pBg)ipxN3kJ9($p3#72_F_MMUpS?0 zVS)pirigM&)4WcfKGWD!{Y($j+Sb$uM^Pj~m!qn}g=(l|jBWG(Kla`;D9W^J7j1P0 zXACfy5D-vQkRXWUjEbNF0+O>5B@0N7Gma7@C{aLyAXz|irVYd#~l0@QmQqya3prGkJOl5 zY@^7(Q20BiWM6j@`+OC90?vF81OpzU82-o+rOo;G?7hYN4*(73(cAxClM|8i7gugS zt$GB)5$}|Oh7zx~8i2Kj1|ww?{%3zuXlzW(-)=Vxef#a3x|+J+e@yU&E}jbblTrnk zDh?p?4elHUDZc{rd%K!KiQSFyzeOyGaZXld3zM4^9hI4ow52iYq^Z zzh~GSD+Rw9c>%EL?R~%R0~4eTgMT|zWXR>o{sRXF7@Ml+ zcC63HuB{N|#6nv8#o;16+3%)By77=x=q+%CPkRGu0PgSb3uVG?u?;Paj+-jq~nTyb{+KLRbcP>=J~#CuOF`|mpk*#gvIUismZE1o`R0M46p zg*?D;w@b5ah8>XQFyA4JyI8&Tf=m2`HT&0rMsu6Z^>(7a?+3R00%Fh=;skEvw|?Md z;%-{HSdTR^(l2mp6*d#yLOTJMoZ^g`$oqZgFHyLViP^C+ZiG0;Bqq=lpCKUj6a>W> z8CFWc5d>V`G+AVYL;VHj9W?ZczFvio5Ai zrDVDoB98MR!K(6BSi^+a&yekpGIG@KwkdJn(q*VG7U20voKRVI7d7o10X>*|nm2Y; zBsFI7sJQSSkHpHoGMZtepd$B>S%d|5`Ys4zfFLBB<3zmSv?t{F0G4QS@_n!L0&j|V zsIk#ew*hbH@Rl3daJqS&4%{8;yRPk)gQRMk^HDw|#esTJfm8#>PL-`N0}Dgdx=gZ6CZ^6 zz6%{}g%ov;+0L?ANfC;mo&j%#}91H%FAbfM}m(AYgf07n%Fu- zi#2y&YP1Om3ozXD>ZaPV5W}0lJFx$n4WB7#5CZsC8?Z`o1_;)>#D|(dEk!o) zc5n|Dq1Gi@5g!KWCm?1KyaGTFxB~KV&8NBgc>ml}*t7s_iqw0+XH+cz`J&t*MDEEB z004*HRoGMrPQk1oC|Dxn5_~ns%J^ZYmTu4&6bFeLKP8*}0a@elsHnNT$jMiiKvd*D-%N=nCz4MBOl8d( z22xEt5Euo?kN{ki{mF7>Is}#ysJ2T`E(7Ha_R*5ItJjT6A3nSu3OOTlNKo+X%=XV| zOzPqRHvt6@PWGnXl6_2kyGci_TU-F$ zefmwHI-}7}^1&z7|B9J6)QNMu@{oyf+=&)2Z@`}H3|Eton+PQPf*6kt*x9Ukuhq+k zG(9yS3=x+B-`R-{0+a>0pSm?5>Zd@`%^3Rj#b=GMx^ADZgZGUnodL02y3gwumtQF# zvwYEIolH&~@4grH>!ll-AE0Mj?%O%=U@$R{FYsp7tiX1=Y^n6%DD-XfK}8!FMg4A` zQ$>HPV)Tfdun%^ zb#}ja!AHBH%&rQoMeHYAwhp(O?(&a-EzGW&f6D5aJf{w6S{c8QT_ZH@;B31>^bYC2 
zaviiu>gGWSDMnJTT7FY>wQ0fdXmXQwnrLg0t9B~q#6@HwKwAUXAf#!ymUu~a%@~kr z=%LTYouyYJpf9ny%{dD)Pf=a{e_j|9@stI-@1oWJXq-*zKqp^t{G&5htI4++KCSQk z`$(s|K^eRgt!?|;ynl{<(%xNv{w-$}d#O>LW+BLM@PSE9?%AJl1#<<0D%97>lg!xj zJM)7-Lfxt_`8#||5(8P0yiOBn5OpjoiG>}MmfHLU30Ikau7e7OGceuRsF@%66mziT zNG$@MM%~7c7pc0sGWxx_OfYQm(wvu1jA_G{Yg{9!RO6owQ0YG}F1G%FT&i9w=w;Q; zA1!Z_ele|83gho+{rYP#LIy@eT-Qy~`VswFJ$l4d588|L62LbFe zR1kD@cecpP9YykV-ArJxpy`pjqnb z(XXIcRCju4{>Q&N|RhQ5CFg$#!pg}P25>zY~LFfTZ_LbCrY&c}rmRSQAas|rB!KEVukG2L& z2&B^204fkY1UUDi7p0FN8{KP7sHcP@5Usb{F}ZhpOhq2G+EJkB`QXrFx9{iRkL&38<2gunySbs*k!%O3>FE!5=ldwtC*^`_&$n8P3EU} zQ2j6{_Zc@8({{YZ-+V%G6w+bx05_7^j;Fb9Sq)EM?;k-r1Uv&@GJKyyx%YFTBw($P z3M69=Q=ed;LbV{;xeHI%>+cZ zgBz+5gn=NZ>VkPwkIo82-!h-K0mo%^me3vvrhf}59Xa+Rly9vF8K?(3`{m%{@n%|J z7bLZpT2r3k5EY|^1xp-Y@Lm&49fEWX+vis*J{~yPCn6o~8}g8pQzi4|0}w~~C!aUz z>+;hsef;MO5trbQUmRd=gkd5~wl{ zsfLri+Y5gbwDfHd^ksmyS}Dsa$(#E?UhVt7<{>M#<_;bHYJWwjp}JU|jE_Iwf4l#IaC^B8ilIW z_8uR6w|@Mf(W?Vq3DjZw_iQrK&6>AI(mxP{v+3BPA002U81Jx`- zv%7Vk>ul@CDSq;!Ut4eGd^}pe9%cL!E2^3T!Kq!1c&S?Inn&G`3e3YFoOgo4tK|(# zTUtq)&_bw5&_^A*yDh+blQBEq6)9jD5^KJo+8Y$iSE!K6-}OTg z$y8tV^XodkCoCV$eM=V{J37q>8~}$VPm+xwQQ4{lP-Aq&ebKfnU!+UkCu>Q3Yj4u^gRveDd3otcI&_Ra7Ge zR}C+nJ&*Q?V?|09a^>^W{qz%qfU0)NB#^$CZa1KKq>3aXaaA7ea5EeiG`%9T1PL;9 zWu){uq)H1*FQUto1CnMz<~J>m{Cc!IE%rD%V@&W$tlvxmIZIR%Y&&l&SfF^#&7m?XQ%NNgt}!e^sfp z+a3IGa_O51>aR|!&C*RpOPtZc5{+iUXHSU^6Mhz~DadWqne;)6odvY@O}hTWXhvu2 zU~fbF!jG#hV1z(~8<0dZ7kuvt2wsCg00wi12Z(9_9cA*HP-}&XkpcKd>oKC|b{{@; z&3_dJLH6=gYzcrw$kN?+@`q<7LU!*#i2{8g1Cn9cy$N&?)YIYQ`qw4ke-??Al@4_4 z^GB){#(itYtD@&)01dQofk;uJ`rda>g#QjZ7R==H6|r--lV$LoYmJ9d^+>PDzwak~ z9~2^Kmw1J_t+;AJ^~BUwJlt07uem6GFKB`ZP3PZZ+f3j_QPCnyP3qT5s9Zn|qi%MM z{ZKY#=9Ka8k;#WbH4LhRK^>Q{1W~TQ?sT)TAc<5=y6G-G=wpv|JW9+FE5QS0d=5IW zG8|fhYPNe*{xLcVRILMTt*AL0dP>@f1)l&0qaYoEjNN{CscfUYt@42$z82;!GJ<=W za4BE6;L7IEKZkn1s6WrDL0X<|raa3euamz5zFqR~N5lsxm=kxWdRRM6&VuTl%XYmG zq@Fn5kDm#J3OI|)NL~%JB@kf+<-Q!qb??y&wUNT{ah88xx_}yCQJuQYto@T1eoL!W 
zgeLxaT=Iq9FOw$W44AS=^Ywpg-F<-;Yq&iB?&YO^Mx!s9K8~nWNLX>|6t|4zqryn< zzBgA1xBksuee(pXz6|0jAoO*ASEppJvpBK623#E2iWOiykRmeF>TCJ`^DAJglYuu{ zDXS>iSjGB&fTfi>dIQKoSQKgS55TdaHCKpTc#DMjo-1NI0r($F`ujd0VvvXWa=L{_ zugjgLnIZbzV{EDRwujnZO(o`_@fP|P(gUGyLB6mBLES{$_M>@L&&?Hq+Pb<-qxxXe zsN|&tMSIbz9lhu16_27V7K=Oy)t-0ch*5&`JL{_*h1MD36N`S?GLwExfX|34BD{onHV|NqoG z{hy)!&tCn{z5d^r3;WNH`k!O9)Go!tF-9$xvM6B@?Wa6B_w!NdD;M~wp2S23{5iZY?>Bks zr}ET4$xEFuOC4QKrC;0r$lKprKsv&Eh1cB_KjEMU>GjH4cg4VWj=6K-(EffjXwm&M z!|U@p<-eqn|L5u5iTa;u+1oGw7j1`#1R~s1qHweXF(Z6zh#BX19EkM z4Xsr!&o0Z8E*TMfkX;l$d354gLzYaZp3Ta~gFC%@x(K;bwRO) z3p#T(O%4YBV@>K8dYHVVqlDI8+->{u;tAb_xuLI%+d&HJB-I77putAFP22jHT-pBO zpL;1G?0hKA2Qm^b!mjdDsir*&`6T52Et=0BK+wJQ0RC`s0v z37^Cd8Ljb0)!*LUkoKzfPVH1>e(6Wm<8gx8u>-Rl)$1_4kq{IR8X|YE+j2LY^?9aT z=6c^fc(zTPg8WcvdD1a_z=EL{mSVuY=K#+_aU*SshRtm04DP|yp(0gn?NhM=HUWMN zwwS&l(uwbz5aQfh*Wkrqq@^3{FQV6@A3GxVvwD*E{2+^tabM9&PFt=wq0sRtG5A-N z%*&dps*85Fbw#%}T(;WGdF*hdESod*eFMVW^|d#0{QRtw3y2S&d`8nY>WIx$yS7W} zHdMR9{Gp%VIFXt)f1{Y?!^6HzZ7F?Y&y-+TW|XJH1xn@BOyv`3VF>~WGz9Z!BiiX} zfizq@I@uwL7mh7-Jos!hG@y|=n7g&<`e3%hGy(PrnqMiCWN%@X>g6$R{$AzP{^HAi zv9`1kU8jd&VvRba>+dooZN3~dBn@KE;F~=ptXTrkK-ioIj??JbUsE5kWuL96a7n`} zcX96Out;^}885U8k!BKVcni|_dw(~lh<8^%B1U@muI^DwM2|^x#OgFbkWw;9u5zdE zQ{aIwTaUgx<+1%Z6BmE7RM^FAp*^lumi+yrq^VWRrGextBW2uTO5EG(RPuhCNm-{nNWhi)jRhlBc$$UnmB^-bN8brBXtV>3<_B+IJ0+`dUCxDcomW9 zkvebpIAoT`uoK_Wt>`|3H-FL-?xAaVKPC=lJu=ckyj+&_$^%bq9Q%DD{v>vTY~#lx z81#I2lkrZkbGJi5?2M26(I4w(`d@!I$j3i+#@Vlv6;}ss6VP!F#F`l5NChxgmo8uC zorai|&tXV+LUSAmUI=$RTx#C=wUAj>%UmnpZg`3#SFYD-#ZkjV{(aA5 zY``&pX-;Stc5$8MSZHpZNG^QKd3UOZ)y;Eya;@90%EB`tCB?*UDLs!rIJvNpGk#}@ zcVWZwaM<*rzEd@DQfl7#Iu5;|c&4!3yb7E^Bm_qB%z%dR?4(@u4l_yC$w>B-TC3hIY_8OjK987jj7#V)6a`#=A zv+m9rGjUPT@fOdE8!L14HxCvPY>qde-3_xdQmf@1lp+^Z8(J$j0`D8~vvmq;^<@lQ zgk;sb6rU@6N?Sy5a06S67|?7MUr`~ z2Nh^dom=tvkncUZjEZ;{0pW^|ZQ|witmK^wCfH}09AbPcZGL_h(}&bN>rW<(bnwOp z6+ivC?ak+X3t?mlNu#^iMPY;Z%{!b1#msO7qnqcL`Zr%qwoRuOx?jTLu~lM{BO89{ zZB~7-7Ul(aj$l^*^(spcCaYW6@uHmg1;{=tZoU(MI!V 
z)5J=&&gILOG@2sa|F?p~p<`oQe&$GUv)n`#EzSvyEUZ`N>>eFF~B! zL}nH&zhUEW3J-j2spn!gZS0lI%*$||k0GxmpuDx3(|<39J2Ug9s;)s;oj zH@3R?O3-FNmFOB-RUwvbo|JU)c~o7J;E=oy_Wln2!slx=rkt~Cs;~igX8vfJCJM`Y zkB6j&AgAoZVnJRtP|)HUNPa(*TlV-zzL3L*L<`dT_r${`u{wj)a0*IgT)Wz^XO26| zzq*&@;4HB`Z9dI1Bv6K1DzvGZrfm6ISs9%2HxOOF+uClQ5v4=kMrVP zT@9SJyr*+%z4Su0b6=uMTFla1`qtJKLLW(FpRh1*c6#ronnFik#_qCKBiP9?r-HyI z{PuF8c2)jnXt}zb`tP#wmx8^vH&cnc;45F=x-hj|E*L@=tNt4;-`b1|IHrZoVbNrx zr)|-9B)I$=kI!Xxt-FIYD|8$S`US>)41kaFv}s^@F|wR66cMMX->}@(yfPtWJlW}* z;9mED6poY+_&MzrJ+*BRQ|Urtfy|X%WU3hrynoEM||}}E|`juG|^usw}~SbTW8R@%_8iQ?(at!UDxu$ z$8b;jI(-)hEWR^7RU217&&)_3DHN%i1!rTl%w7NX9Y@Ibr)7$1WAdyp+3K#7#ny+f z4%OH6v(&#>;tu}N5g(w&q0!@7U0sZuKJ=N3;hu@!gT=QMD#Ky`vBHUHgHlfM!KOyw zA}!7cwy}8-m3Oo_Yj*KG%$L#kVQj6XZS{#K6bW(pL}zT(#FFKX?M`|A;!1Qe(GRYk zc2v_5oSBxnJ**2I4O$mI_c>1enAKzMFzlmO4_}A>@c=Fyj+xF0cp~D6aKOnBG3D3A z1i&Xfz5F!I-si3P(vjQk(REfUwAT4euY%!JPf)3diTi>lRhPx%_l#A+0m<%<6?F_? zA>=Eq?U8f0^9Tt`a?bU#tN)X&G1cdp6M{%LyekFEokTe|sDy-5C70?8>wGI_E1fGQ z%HVJ=OdhXY$R2U4O;$XSb}||{kg@faxF!2Lb{Sw-)>>+K8b7sM12kkiSAKcy3~7*; zpShS{WTt{3vCy?mlIz`p|33F5^|OM%Wom(Ma0Dbd0^V|f=fRymxtVB+q6{jS>0|ij z_{ipL30`;YzQbE!`}ER!Dy=jvhKh{RC>u}r0UUbHRd)6=b`va4QF-0v5nEiT7xHv{ z-+N@Swh7d-k7sFbv|@#JuDah9?EORQ@Qv|Mny)s_9 zP^eCvu^3?L`0fyGJon1w6z&Nmc^^@+cvpW;*wBAVB-kN%@m;;`7ZE z{y!R$%TrDspu}A<`WX9sD8QDXC+lv``nLn#w{$et2VfN=)gQ8PT+UiJybce9OJCX7 zi}U2QTOB?bA$SihEQ}n+KSwczZpm8;6@QK3 z_2oIrTlDKzI~=(eN$w79I&A$2kq~>;cZ4rh&%G%fFVCWz=|u~I=`8^>^$KF4(M2$F zXv}NXab%B);Dkkx;Jy}Htn_kc+GwgSLa4T_n3+W$3!Tl* z`QrVdkt!KzZ+eW`E{!03 zD4GgKB>cLn-bq?G>lmNZ2gqJ<*O=Wam3=U9btjdgiODNvP~Uu-axNx*E~mvutSEvl zN{5D*=1gbC4Y3VryYR@!+753o78b>FQKPUsW&R}!!M>>ybN~!&UX1%2xif{?c|vG# zFNWe&)q-h}>yA7@V=OwDW5~Ie+2V=xAVLvehR)PNiQ;gV7tL)#VrIjB{~-9 z$8PCzvSAml3;goah2eKtQ>(YHT>3{TXydYmAAdhdT!|0|`RKk1$NZEup~kFrF^ zu;DJdJG=IkPf^IRYa|@FanmX`XcQcMX!k&pIUL^fW-KM_m~Iq;x{-vrC?(#iJQf*E zr0`}F?~vP|rmmRV8FQ;JHNS0<_f{e|;`X|q!S=z|XC#FtHW3&|B^I1larR!EQ?w}Z z_7q6#j5K}DocBxMA)a2&-5O-_RUZLf>fQZ^Ot5;p4RLuG#|WA(xWNv`H;tZN3JOeg-<$! 
zFHekN0TrIqLCPv7h!!udZuawAlQ}L$(H?MnmY(rFG@Q++J1ld#(n}^D-NQ;C)Y>?< zafWCP!4@^On!ww~L?_Ly>b2Iwaeo@K?IK*Ae`Ww@L42HE)>n4?h7wmtgNdW~y}p;S zj&ijAmJplJ8()C!0yfY5M-SF^z@sT$L|8*jxDCBqeIlC2)3olDdNnq4DE`L84QzaI zj)d8yUXi_H#LAywK%k&ow{F~jD!7U7N^8EeMyE)z{EENda&PLi+kD~yO3phvBrwSI zR;gh)xXZ_()HF&3$ruOF%j z4^M@gp8jUqC@R;{-PP5!8Esz}ZNHeMo^!X!x@Xxdr+TqmXsPg8TS~{vwz+<@8qw!b z>Sf+wY64HMENKtkNS)v%NAy^1b7op7Y29NR!WH?%MVR}%ftaY^ZmzP*n8I<`-f!Pw z$!`eeD8HTg7Ll|T_fe1-$%JsveidL?>Y3uyr`PCdl*h7%$FwdxqY77z=32;Aj;TzZiMF~xcNm& z@#pf%u4+4sqTM%Mru38q-`zdFb$^)DrbYmo(Ga!X4Bpz+{l=7K$>t`vcdNCgKzv$9 z8Mg`1l=(C})d^KFcX6%1D7#|f<#|nX1*}}|*lgyA&Skfi=@eOr4TDNObviR(rAawG*?- zukvS!C8yGeB^F~-$cbrQAqQ!~cB_l2Uo|Ae$I1pNSjM1m#!+Azihf?i?$RwsUw7sz z;ucZRTQfp|mZk2Gb=w;M`lIP9fd{GkV-B^7Su5q+J%F9lo*EhKH`%@ICsGlGuuS%c zPFTtdhm9ey;ISBOF|Y4>{5Z3KA}+dk7VyZw&}4giK9CB}ogwBx;BwkKQX<8@*3=(R z-7StfU9r)CQln4dqnGZ}P?Z__#@CYW(x2!^6F&(j9-JzJh5?vr(i(X7tO7HG95lVN zKW66Qqwc+}g!dWS<$?|Hd)c$izPPlMB{or6mfPu~{=$BYq_=?2caBOUYPco@(F=C1 z^CAa?nNkNz&-}pW-46yf1C1?KCMbxBviy;6>vmNKMQ!IMQ?NAi%jS+#1d{D4FNLKTi zARckrqt4&Y5BPxid@&Sz0(TcGJOZ=2OKTN<&JBT~U)k{73=C8dIJrGrLh59H22U4$ ze1-5I3azhp+!~V(Rpga9#IV!NE>_y)mwbVQ{A zfSaGc08WCK#3efx@KybOrmkjsj+B5~b5K`xp@A|?BM(FYh-PG)o@nt*k!iUIAU0GW zV)exv$p8rL!t!l~t;1Au5I-Q=S!oY+m=R3CRf$bMKcJg!WEt&>V9|DoQn(Mr93AkA z2&2=^CGP?2&P_buafEF1h~Ar|pjg}6wzo27KJznO49U1V=83{Afb3rKLBI*kyvjdb}CXFI#ub#7JMA%z_&D4y?d2Q&}WNF9Ys^VB=kD z0=TO$k6-Otva^zslGcS80l4SP3?gTgvX+J<*1JcW4@3vh14@Y(_(Mexg|;Yu?0!gi z5Jj1>BDaW0&p=?f``#Vu?*MAI^jp$WM|Z+woPQUiGm2~GEiDD7Yl^U^8Busat!(mO zj#TU1?b>mt47mMZOYfHw5$>tXz1vjVT$h98dEpzw;GtSrH8AyF&bQ{<(!uVj*MJ+d zm2HZw`~MKZCQv7P#S0YNV0r3(qAs~3z_Ls13m70Vk!&IBy73s@>Bt4altEjCsYBRk zp;Q@?N?YIrW4{ehA@NmQqZ1SL@SYCSt0)KoMgfR?p80`-_Eu$A7Qh}p&ysfMViJPB zJML{&ur?_0T_ft1m~if|s=oiAXkrGKESJaHc1P$uoN#jUXc&nf&FVqLXv#!2-OmrA z2@d^Nn~x)&#zJIY2cP~Nfb)IdRsvw`h2|M^9<+Z?dEw?9>l{LATS@|PE?DdSQ*Tc^ z!J&|70Hz(GzqV9`X^Ro$P1%|ZHWs6XljOMk(9&i%pqWONbVXvL^MeCE0Pw~sn4^}j zKPm4psPcd62CCU)YX_0aRdu^1=zK@v6KW1SB;0NK9XLsMv}ScQGaPtz-QMrAk8e}P 
zs|b_a;gqbz=vWWB^&lP>jnkZTBJVOm41Pl+7ws%?r^Hm$FZJ7KSV_?P%}y0X z6VY%Pd_i9|nbf~Z+f%YJce0l+lo(e2v`pk4zeX%T7m&o{!*Mc zWGbBA3I;LhT_LBFb(LjR;7{sa-Y1C-RV=_6K5CI&h;VZ6GG9pB+L_)E9ejD(X;kzQ zcVbtM^FfU0aFGVVFM}j;OvAv_ad~!7wEufUBW5(QZp(S|omRo{c&u&k?-QQf!E2`5 z0^hstss>LTWHlNic+HgMlf3v!frp8558A6$u;JLnU);?1>r zQ`+TVzDSTTYlo(5N#w@2iA<-hETC4Lq`=fsugw49CScHK3(Moi{jRfidu(E&r^&&> zZ!;HvnooZB;B+;14OnNrty40P41*`53!9yGU-S2WR&I{$LgT;w z{h|OldnF4P_G66W2=H1kT`rPG&pMBpAqeVI_Yk4W1gg2dizusL<-2!xYT5uoD&gqb zmjNqRz;F!M%H%h8`yU<)2naA-UmWYDJb;-(*|9PQ{a_S6>h^5**WZNw+da7kZp_7@ zP10~|GizARVCP;Ob^vQPlB&7Bllh8_v!teO%ig56`|vyQyd-vZhZdaj@DEyi>btC_ z>#d0J>aA!pg7+F?b7$!xJENLxRtWg0)M;&{aSYN5@}fCg>zuA;=9T0j+}hO6=FOU5 zK`j(-LRg*luH*eashqEtxmEda(|kf$GNwT-!l0F4mQa;!S@PN9u@wy4WG=_=;v8p? z;?DN%Gak3nCLcFk<8OW5!&eOfNQfX!)yX(2@e3kM8!Hd{ixcm*R-y54b&KW!qF!jk zN&>gLE=R3gQZ^7!Hi0hkc-l*PhScS0xg1zWxXOb_eBIV?TW)WO1dn{K=>8%2c;_|u zwWb+iHpk%1oWmFe1!ZOB;v1O6VDs0Qm_N5k1OwPS!X|L$?0VmSM=7xI72tuaDxUiP zyhQK=yzm}JL>>Vg$VbY0^}V#+34qwf170Z01e{BpO(OaTJ46NPrEwi%?{}90YO|p4 z`cS^J3b|rrK1VM!p($3JT|iy6J5R;8)TXAZi2anl%TBGiBvmw>049-*os+ZK=@-nG zZ(BPD&i0_Rz~?94fxFP48jOE`%TqY^r=32I@c>UvTS5Z?4n*}s85F*vEb{&k=;zpP zt}cG+f9{QAAgQ|Vpp@ez+1&`JfzOl%$>nCMVFOzP{rH5f0Wiwp)(~+70~E}}Ey-GC zala;wI9LowA>cJUd`{zSc8}0LDXy>HbIj!#xa}j3Oqd4{H2%^?X zke@Htk8fMGUxFdsX)I&%s+l;jKO3_42pC%6newu$=OOKC8BQhub)ZWwP!?Sl+n30* zjmm6kTK5DQwo4niW-e9!q<$3Q!xm`O7_~SIbzZ*9WFCOv`xdww z>dI6_cXp#0hOE=qW*~Fp571nV-of0wmy#@xkuoBEoT56<3>jW$ywfGvI5=-|1X@1;}C!HuK=#@wp)dkC&f?eNBDcdg6GHMJiyK(s8QXOfUib7 z)ICxpXb^zz4({@9(_y^#Sdn%d`K7Olkr?b2gim-ZTLWK}+;>8RA#N2Qv<3e(iiO%K zX4U~cEliTf$08Hb6>eLnLruMgtZ}9XNuy(@_RC7wJX@j9XE=nJDTLr@1klXLxQ>P3 zQ^&F4X2U!t?=Yl%va=^GaZSg0cW9A5dXLWxVvt&jOf-xSgd0vb3~xPmW#z49r+zeeUBT;W_3@_)*vvVnFx5_8Rx0V=9;o z5>(mUI>4*F)*S-a*1nkJFj1*HvSen_j0W7O^(TrlFLQek25b2x$h-4-hEDsO^APag zc0(cf+oGrfp?i%kf?gQqxe=ePD*=pA;dlrR&)-qLc$y;tg*^!6HV(J~wpoDi^;R!y z#}WFI3G3eEwf52cN&!q+>ehDQBB=}0z_8v+iAiK}8g$fY2acy{cXq=O7_NqtCd+dH z{s?mczksJSGtHOvepYYy^rU?x?zz?S5!4d5E 
zqVa=w0?9Vkc<|L7GA)@NbDOgziiq4_=WLSYwgken4Da4Vj<%Ptey~5#peY(G3~m_ak!TKDE6}Y<&uW*EGjes zTa`kLYNV-tFQ=_vYH#CZCceHF7(TZ6(Sv>CqcB0Su|-mRq_;-A23sApP#a1uJSpSFa>%+;ukxZ1pN_1^|87@0c-6vVgVxJIk^prlhhYb5>|BU zNO9WYFZvO(-`IPgG=Pm%4gk;ZP|$H(Y>|)&dAqvYR@y37*^scknz8CCfySKbFW+*K zni?_Vi%Y;dp{znZ&>LM%1^axg)+PcXsHyEbm1T*e(U`;^B2($f!%u1S{k(HDX=ObM zYz*>$@_9B7;Jp?Ci<0gq`yx29_&(bzY!S!S`G=fWrl{^k9%dhPBAe zf!kwFkLqpqG(t?(zA17l2dPkwvCwmM0~gQM6p>&F6iXTQeD(VJObA3!(y&+6DE|nD zv?UC*Bxa`i;La;Yg!rgwu+y03uODI0(mk7%fjdf*i!HvgUIwc}S6>NOEu8iOF2pwW zjgla+GHfbwA;4I=xpQG&T!v=g5I?`F)jp2?HyEkza55t&x#|}{W58?1Ri94CU`w=D zxvpTkoShBkI(^gkc)#iO9I^iEsao8bDy~Y&G3f(V3*Tcxz+Eu8-3r3>gy zQSVR-FyK}M!){fZ(sZH0b>OSB7FMwk1=pZ|SeMmoqIF~moh#E)vtCEdOVoT|@ptLT?PQO(qLc|`1G_MYD; zh2EQTyPH~U`R$T}g^orxbWv9Cp;+pRj}&I~?INiiM^HI%wgg$|z|T~YV$94aO@mJ6 zYZX_%OejWa+FH?Dws?r3if#qtCzX>FiU3cPgoxf#HCD(cxfR2T2CJ({> zlA{<$o32djApe^;Z?-`K!OHglMymsU8NC!ShGp94Q?6o1@!fA(D>_TehV>xFoeRh8 zI@0slcn`~3#ac7d3lm5Lo#_0n2&evp?K~((Y8BsPHJ?TqcI&!8#8n~=iHoo{Jw4_4 z%pB7Y`Csni$a#l-Qrm0~bzT(b*dM>f!r)*-0e&Mtbjg$0^>ZU0tk+kYBdF%Go+QL3{6xA81^p;JXrc$Z#*&PmD7b`@ zd)1D*xfEDgOuDVLVaF0(SToz4AMhrHW;NeB_B9vX!bm zs@Li;T|pI61=~WH#JkPg(*$PbBr|+G!jt(qTcii;bF!F+cfl)F40;~(uc1sJXKl_! 
zdsuIZMP+ZJ6S$zm*1XL%)Op!LPUAk; z%#-bq$w7`Qur_a@L|(p^TtSc&&rVb=(;C|*sk4wW1|Sm^)V1MAZ#Y=KLQTC;l5E5{ zka^JQeuq)z1VLHVR$eAI%?b993gEp1c`uQnNN70m2(Nq;EXt%o@NF(C7#&n#v8k)Q z%5&?j`0<1>vR?H|@!63N3YagaFMC<)B;OBV6i5DhMSA3?FK^Gdj=tov8?Je^G+ZfU z^1*-MDS6|1@s0gH@6v_JRU9ouRBqN3M;|M89zvOEEw1#WytDL>gp149RXaBWnate9 zGbc;b_>XC;)#gDhhBk3|6cR0{B8NEC0ihG?bIrpv^wB4LQr~#+5l2EKB|!WRAy8vI zeSQ5i-dhU`pAK`^3}AOI-<|0Z?LW6qs{5V(_BE7_E86TdjtsEhoGEY)TFrXBIaCzM zy<~IDAe$bo3ZCH7Y%WpTa@+ zDH4&Fnb{EPACiHDaGqMnNZnXlmQ1L7O)~*ENb0~eC|oXJz(`paTJ~@S1QZ7y(vuLU z!|)wMc%-khpPu6+C)8^+zmniJ(X*zbzdPf89cQ0Dw)m)o#BsdLCsx+@q92CpKa+lUj<`;|~o^XQ$oS_qO z7YR-I(}GP%Gr)SGO|aJVE^7EiYus*t@T%ZoeDuAqrKFsLi2A(6g@8@?b_gVgQ@-V) z`Y%+l(K|7&BXdzQ;nDB{+XQyUEO|J(w}V;IyI+zX1%TbJ5I@t1N2O;__Q}?tTRoep zeKN7wY-*dT9x6lRxyavM&#}s~HUW0N_5^>ImNf>8-0X}F54p;}C* zZTC61vm<;n{q*OKVq%_CsptB`kpjs7@gUP{7*22e7@DBDxztnMB57m95vSct?Q1pS4XyKLf zYdS2cXS`QG@Tx>|OvF(Er;DnGM;D={!1RoK+Ty$4)EdJ@b6>?u{s=#g3al%}2VbCl9>qZSS`DfRwk*N7^$%cTDzMFN5PeofQAo`$a-U6X z{Lx=xEB{)EC$h4Dvpcu{H-mv}1#~FsGQ={~SR%|^zd|W@W8D*6(9y93MYsf6~ zbIW!M5^mYT=Q`eY<1taG%-hV;zi}4sLdk z02!Tt?7Dof(}&-0vNgdqh--_l*iWTiEnAONZj|gQ+rUlVo5k~uWBB;Fv4z&g_>WHx z%EIACNJHj4X!cQ1F+$Chvq9xn`2<=~7y{}yBz~ri0QmBc_>k1vM4Ai? zlF8s|@IIe9+vISafZ5Rjt|ipH^ z7*}j=L!pQE$tb!zfYgKH+facu0IYkd=e(h8Nu^k$_`&BoD*_{i&!Qk9;W#xlfJ|jo z)xt2d13m*P3(m&ta|)P;l<0hU8F)-Mk?0{yrOi(tZVAZ&l$?Tmye83W%=LSpX4S?M z3Rf8j!qt<_mZ3UQC5CoLX9pinWT3i(@7IXu`3bW&kVanTGi`N|V3zP^0(cJ%Xb(e0 zoM&HiUfK3+)9Ix=h@q2rHTnR+Ab!=JjE0M{bC60?N&S(NjgX%W=m{-PCx{$12guCx zaK3k;;dpJ3TX+T#9jHJNWol^?+Rzoc`KYNOBf|g~uW*UWHEpA<1e$>QD_tGzRdeLH z$}aSO2Z~;8$K8I`fP5-e(6-e{2=nDWB1RC+gzBYJKE8qYXcE=ENUV34PKF+KTH8V? 
zE*O&0*OVJcMk&|4Gn)6Ti-odcKzth2hR>WMf} zXLS9}f>SyrHiI$5voU{!DM|=4GsnA4Wmx&PPr9o2lgM8E5+fVxe*YDdC=szU$N7sW?=MP@2>6<$m?((gb;8UF!6CB2tpaUBe7`TT@hi;c*3<@1 z9{8fuqE7GX{Ix9tgrlvNY%Z^S#H$hchSc4Bh?4_l4ku2Wkk-=Ds?7T~cSs(?CkMr4 zEBb5ZxTh(8G2+QUR;elN_hBe>T^e^;RO}DUliX+v*>%uv=(pjG>D&-j^0Mlg?iG59 zpZ6zfW#&Hfx6js@>oY!hfL$ZZtP`r#g4~`x#5`;s(wrx0me_d0M?Q?fJY?C8jpKNX z8(u&(un5vUXdA-fLx!e+*S3|TarhoA$=-(zmODQGmlt^(PCPGrtodvxgPMzIMUcD($HgtaI;!RCW&&lfvWGIIa=5Br79-6w#G1g45q;x4pQ)@7wJCu zE=DmS7-|$)Q}6*m3Zg$SGtX`gKFNc1-n%DZB1(4d#^niETMDTqAch)#&DJi0d_%Pe zGc($?;gR7cq8HHBwWx+j58vsONE|wJX!xMy+O^#QPov*pwQI^9r$;_+GPdlF`bEJV zIh^5CRfx27O_zoN16&ga!3f_Kn2grR!3t;Ol9-uU2Cnu_>cYj9sPx@ef?T$XZo*Pc z8<0i*K5kmBuCBX(U}o0$wth()0ed2m5oHzOy>Noj>{q#yTH)fxzt{bGHZAZp&!@dh zDzXPR@LPR-e~FzPefF2plW+jvKlsf2DG-M~l8L=FNzAau4+2!FNFWaE?*MTf*oxM1 zC2`SDH!aRd8zG|Cc75h)(aN;&_o-`RTH#Pi6#>)Qa17l`hL}jtqRHIe6g_MgupK&s zjeVR;T?V66d#$|g95&k}24lvEny=@Rnv;%5g~BLV)y~9O4%?=_>O<@1^yvvnoK9{? z>lC%j=zgD#dv-EoknMYZaL%0%f)zL_VQSjx z}a$0>@96!_K3aKV3N) zaeqNRFetms&j4DelBLdn(6PrSUQwav76*_z^1|JFEBGuR9bu3%B`3Me+e zUZ@;L=PCW^%CtbuWkCf$fXb|~EW4|BYVWFPaMfD02S9!(h82zU6uW=|Y)4HLp(Mg3 z>%V<`a{l_>$Ent)`hyK9-I&VaSHQf03cLo_in(fc`4~R76xSr^_UeCtW+WL|E8r6y zT7_BRFH!~Y%fwrL#oc`K-YZnK??txr@tC*2{pv{?EMS1~pcAfz{xvdNF&CVpS5XJM z)@Zpw#}F1LA6@}zX?Apo2nywby?k~cvu+WC@!=Gic)>!QUEh()G`qETA}V4nIO88dKFHP3-HHAAIq)UkSYEQC51jR50I^@xJ{}H zb&k9#UGp{1Xr$qMNVAhB=F1ENikF>czWVuTF1F^c4Zd~XGhC?ri0&!!CM-Lqcci7! 
z5keoZd$u$&eAi)Hm|g^|i~hK0Y~-s*FI~RH`v!f1T`g5m?9uCP*Q9V9vLH=KL4{{P z-2DEd+tSxm6BEzY1vAj^`bka92l5m+jlloa-g`%NeQn>OUtjnzm`(PUkH3=KR8r^20vAb=ZE`!T z(x#0Y+>W2bn-61e;UeKiE&4aNH+bH?OB`H5wu?N~kqF@(3{R60Hn{TMgAB@0L%a_x zHAu+FH)=h_@FpM$lOKnI2YyBZf&5bWL)b3Q+O?SVs$pEDC^3PB9{lOvJ$r6%*a4Nb z)jgaTOYls(qQpoluB80cACZ|QdXCeVG3Zau@8#w4Boj+TL3;1$mUT3I9srsIb z8oo5Fi)v=1+V5G-YVM90Bq%_dImF^%`^C#0a{H&-WsyCaG$vRep`k{FqidhIzpaGy zqp1Px-WLJ`#6-sm{?w{2pspxWp`k9v<^A&v2gCStMl%b-58F;q3804^D@Wm zHjy=en28O+d_4KG-=e9t>U&~?;~#HqDrUB8rQ^^2{Oh5aw^P?g2b%WJaZ2BfSUXc` zdmRsTnp0}IGJ3qvsIri-95OOTjvV=E`vEqG+0oFEDvIGH=uMUq+w&Y{!3cGdH3z#q zMBx5bzB$K`g;2k)mkAvLgB-Y)f*OgPK{N8iUETelb}oA~dkBT83Nkq#))Ob7WmPV` z|H3P`ZNkQ9ANuPd@M1T7Peq#T{*Eg>(j%4V)zPX;j zLUJ_uzrSVdX1~RIbd|L=UzQ*;pc5%@e{+3~`)V0ENNT&hIP249*C9!!c6t|l09gs5 zz)5=8M9HGVdA5iqPTC9W&DZqFT=UAJQ5c;2lQS9xSC0}3wT6*{FRR;EbnfGgWyh^< zp-~p!J^2x9x;o3MkF2NM`QFDy8#X(RP5SqXd@K}wdGx{gy?Bhb*@PY`C>U2ed4}tf z=9|Jt24O~nmcV_sxTh%bn(qZGy<}OOg(820(V7>~ckZ~u{EOq5-b129N*)5ZV;tkt z-YFO*>387g)Any<`YJ+GnDzE&9pQsxUkRUoTBXOW(Ui%TSCdU@i;f_kquQxU^}$&35sU^}xcte(Mu= z=1%71MVMU#XoA<>MdP#(uJr7WKZLLyJe@h8(>_AOpd=600@*PEw=JK(qui4LA|W2e zvsO`pH-KMvCx70Qax3=6BAEaB@PmQUW$~TXhpk5~PcT(Ib>6%+UAUGs4A_uBDWx@e zhR4Okh)3)5?875&d(zAK#-Fh)@6EOzxU_2*WzfHPy&H2C9ERw`TUHW&yj+)ubjLeA z`HS&RdVl`Dj@*T?w&efrm7I~8BGH$6XHump9~0Ic5lg<55y$9;8zYR3sFwTV;umTd9W;fq#2)S zF)#7t&)>$MKX-|&Z3M>1Wf9qu8yoNDHIHo3H7U@Qkx4~;pjm9gP8e_15*b3h<%JDg zLo3T;N<>qVgaYKbq~Y-KQQsaTgSX~#xN`AxibXeuH#r|eKO zNuf|T_d4dem3;@-o;|=m;Rp5+iyFQ=aoqiCTXxYA8s*Ya3Yxr>&Wf3R!nM!*q3BfA(Jm9+#o!}ul(#5|Qf&5ONs3)+ zG>Q)0N=LUkwz^y}*I2N!#XN6X4Tzd=W!%S=ZPs-xZ}y8?Z3n>!#3L)YtV{$JFww9$ zT^mjV`*QBwwvpzvGC1GE-p#-b3Rh&@U9moFg}WV3%fKVBnOld?d(uwP1M$^*WKOTEkg= zVKy%1VUmu;?15U!LtUKmK|d3yuJIme`n@v#0_c(W^5;7H>xU*|1np+fU3#yyp|BW| z?89q)&1u}Cj^r~#@%F%+CYYP-RB^d2;+W^9ss8HH9*MDBL8u}8Mqb7W;R{S5Iy?4Y zw%w6GYXm^fCUmPMw~m#p2RFGLbP{^)FE1XoT#ktj3s!#H)MV0d$75Yg^J%Z<8ST|! 
z18GmNRL5loE2%?re@AzViJii{?fgvh3ASJMTlK!bK3%WgHImWcEz;p6NT?Xc(JTYP zpjYQRFPh##qt4l*UEg0m(!Ro37+@EELbD*vRIc!GChHqXyG!x=y=_55rcpP8B2!2eF&E*zs~4tjXc&g&n4 z`+>K6YPcz-c(DRZNxWNiE9o1UPIP5vJ?=&168CLXd$nWV)>5iuaI3?!>Q&W?2BO2;pBvai7PhNnqmU{i=Pp`}&DQTT zUCM&z={n{vroUP1_Jc5pz3x78GIzHGe7pw z2DGU=Nl=^=^Ye^+&CQqcXYNHmlB!W^&8X2K2| zN>g~GE4>TzE){v4%ds^JJ#+^@<#^0N=4US-UqZDN#Z609wLS9RZ)D2a!PlXqJ1#uy zw1@@bD|pg+poaa24U7+=;%bajPwcOWJS8L3{DPly-?O{rwDp3g8H)wnca2GjaF$YScqn^jz< zae(S=hk5S)nRdsqxlV?HZC~oOo2l9WByQfFot@nD3q5_NI6Z#U&LH7@)6MntorUyD zUfQ-z?4%PZP}|o1%|?kA?+gwYRz1-u(aLu%GHTUKHKfZKPCjKhA7WJ@H!9+~veey& z!%TDf3YI3y{1zKkQ_v$~-xnHax^0`7<>jft`nY$_>MzdGafV&LlxkSLXQtUCu{(v_ zS<7Xz;A=f+I>$eWRbLH45G5oUIE~`<;kv)7dM9j)| z@ch(3EvM8%|Fef4GnPH@))%Wkc`n9am4dNR4K8)ig-1%yk)+ zkf$lFv}?CFNb3uibhMqA1o^3w9*UprM^WbT?wAN+lZHaEz7Q05r{iiLL=FxH6L$6# zf1Z%p=2$|vLt1T{f?X4CZd!=Wd`AB)RT+QLl>cHHm9A&+zYBNTuVp8=tkKvYHd$@K_ z$Hv1}oWu{ny}3+`2#RF;xog<;)5kiA+fFp~)#d5$F!4zi5?C#3> zaj;A4I*k{VR-yo2S{(~x2};_9;HJ(dt**)gUiWD7={juCXNc|VAzhE1Z?&pa7`5vQ zwJU~)W+Z#EU`8@m7KZddhm?*yI{qm(K0CJ;PBa3>wO_B;i%>t$;8Td3D}Hk1hVqX* zsMLlJ4#u4%A#`q`u^>!q6sDeP-XYbTVa`G>nql72olaV#RKub#Js6p)Rq7bXgloNT zIr2!*KusdH0cA_ya0WiDZP6i?CzFGM2JF3=CDPwn#h*{%052HEWEShZIAgIq-5AYe z1qL~qNzkAo$LLJe?yd#ixZc7BUK^2PToj?>hz;l8k_t22(ms91 zqUzWv`A5FCPV+)tbgD`$I&J?tMUS+H5t` zYV{N0J`?}KO^-rZR@1)elVUjrfMx|HhD{Ip+mr`I@Aq|ChQF@%71!Le^KPq2)M_u@} zGPFQs;x|f8RXuzydyLqjQTWiW+PW#1cE=^dp>jy8i?rD|$DX@eCiIJX(Vmud3|cR1 z8*|2sclh0UD&@RTND$`8%IaK+v~RfU)H4>7oZK&ju#Zm+$BT2$DkB)HyWY?Kh65>L~V>p`+SbDN(G) z_~%KQk8V1jv5zBzB@_lNa3h%;e_ zGugSjLuaSe(O#N z6X+Li*J74oJUap?h+0OPVz@$4C#rrX#!f3WH8tY*p!vK(!ub5y?B!N9Rh=K)qU7?K z-Fi>tYvVsjiTN2|HW`%VE|muhlNUXgdF^6aiZ%JUr)BNQQ70%&@=TXyhuNWoi* z_6F&pMnzD<2R)xhM&G$zL00y59e{k<#K!I0+{IXH8aQ?Gg!8WrLc+6&+EISuQE!&r zSbP0w0it%dp&ZFEv|N{`xmpTPSY)ddahw?z?Rlu8eEb}vxV7QChxI*+{y=+WmjDg6 zCrX+$yb#YB!|Q4*3FkdSo<~nS9f2Wa^$~cKicuNOovgU~+~wqKaOPlaoG)t(SwzhP z8T-(^W;QX28cr-PC2x7AMOajCWH_V4rL@u!+Mf7JG!$db@xl1*jeX1q1dv>v-h|}J 
zP_etE2mkGm>X1UkF%u~oRSV*^U9e`wbqyu!Bzf(XA?9SBu~#aBTP@RH1k-Cuw`}9J zH3}X1dCilG_aS0}^Y#$08Qpp$PZ04rSOQ6{TxL?jBiWt+DO8b(AWr{k-gEMVH!Zx+dq(wq(XWaMvNvP-8MLk)A%g&aosw-g z7RHl*Ik+Y-3IN@&&kW1y-E(7Mi~gr~IHdW}ZXqVF&Orow6IR-il^)V>Hi$V(QiMdv zBWtRamuB+fHHfF4K1^1C40Q$MU7Q>ts;i0fKW+d_k)eYQ}cZ9pMweu>mJ|QJAq0&+F{UM?y~^HyXWWK z)^2=zy*x>;B#H-e@X+kB?EEW5msET7-qEgwQ*DU}GKtNONh_l@qie}u1VG%oUDKw> zZ;&KU`q}eXQVrPxXT~M=vOL)5NAee55W<-7AtWVcsu%iLGn%CsdmfRl<%PeV*{M@_0MJ zFa-RU|(!kt|TLLC&L z^HMyYFsBWt!qYXI^%b%+S-sz1{q!hJIX&exEvEe3bm}M7?u(SS8^{``nHaGF#W7>n z-4X}I?QODt_CWYl44@oGmiRH)I{V70os7Q)EHdv%8VaL(T(i2S!2VO{gN_k2Fa3)m zVfOAJpve|bu9g&_y5r$e&Q#y_m)G++yd^`O=XMCpdV8f^t3?S=CQ*(eH5DDpo$O>; zos*?%1i;?(*G4O~UVF2_;{E;-wl08qt7qmN`4SI*O5AqJrZJZ!q^_$g^*Sk-BT~y_ zmlYa>hkv1w#=X;J?o+p+Y<-)nHi6{W7J+s*v$*wLuuf51`nikGNC_`^Z?#Ow9*liB zP(N0%x{|rNvS{M8RK%bg!enoP)mj=JNXL3y2A(ylAxS|Oc7U)8_qdgPf0ov9yAacYtj}#RZ**Juw zS5eiQJAWvwWkP_`%|q;N?flG$u1bEM13-FZ2Ka^{uFAoQvW(RZKcf7G4EPVlF?vce znF21&mG%jIlpRa9DutPn!GC)b>vcw_E2QF-e+`&j!Djn`T zb3WdC6;i?AL$=*-9~iX&>V{da079ub<`bx=zv|&i6p&u#$fUShfRghePK)On;&wpL zsF{f$GTDf??6JQr-bg5oRL6wt?H&Y7YpuRoyXg8lLpl?6j2G5k{ofBo-y`5|aF)?tP z+lt5CZsj2=r-l?*X7>TCO03J<ho+mT2C;eWsO3Rr)ya6t{$6*Y%%`?dJ__8GTOm6Plf(~N7 zgq+dr>u`|1D!SqJy^qF2$DBAfign+=>;xXkQ$_8XvsQL8wURI~E!;F2RbnN7s(RCX0hwz)BvPC8sCHcM9*z zLF^-0^LWiEe)g^xgN&S^*22O-+LYKqtTR^|zOtFTGEs04piPu+ zAwam*a1YGEJDnXHe{j=M8|hc43Dd~&TT{gb+;+e0OT??KH^|RRO-*f>p9yu&|B@?a zMSZ*RkdpV^yU}3|+$~Rq9K!0oPrYYha91}k&m5t>vGNPA-J)^&(eEkG(?HMgAbmtX zD-5w|qXKrdJWa3JkjE0f)fJh+lDW>OW9Qwj$bi*-dknLE_~--kM922{NU6E3*w6s9 zy3c9p1k%Q}1_U`P07B!E;EyiT8Nh5jL@9^!V)P1mmv`LKjmObBKU--Fh5H-Xja+BT}tN&s=)-pCw0@{;1lls+F`SrVXX zb>M2*nD7CO;Tmx$g{s^D2HdoE;|@YX^R~Oxk=`8V7#r%7@l2;NXq{=IRWE7abtgXX zbR?lEFWzC^O8729gSdm8fw=emBSF1N$ypL?ph(DOrwh-!W>aj&+q{#>URRnEce%fg zyuS*NHsvx{$@^tOiicTiBlKN{Enk}-FmFvgDCM~F?%y|IkN%Ng1RMlOq)Fa>{|))| zT?G@tt1Ue@J7hcquu%Y=8xKG#B^YanvI{KsZ(61rgr8RmV^_=XNJ~i9Nh~H-IK=D=+P)gr4nd z-m+64n*Fb#X(U5q9N2Z$WA*Gf%kFT=)mp>q1kKdek+`Of^psu4VAjtvGeui2QYhtx 
z0XAbL29>L+??!T%>{MVePw1$RyXUWIEI(3aN<+Eaa4E1M=~O{ZZ0pKEc>WH}47Oxu zB85AwX4>X^S7~*sjXPtkW-P%l>C}+vo%M%VK`i6fr-i{BW#KDN?wxCIRJ@yO9ujWf z6_qyL6z=*wh{!R7Byg$D6zNrgOSR2jEtB~cF5S)}H>sBZeS#zID}w7)Br_4%(Uomj zJ@e741t{;?m(%z491B5?f4Q|iV&u;UIDmR48}-c3V&vx4xVaXlV*Hj0%X7;`Sk|8X zc4yPy5XrFN&+b{zVtG1cWSlqOA^RsyeVXd zJS%y%?hvFsnJ{W%8o*4|+ z-d_BYBK9=*ZVHwq_iX86@jTY@@Xudw3KPJbDJZ-63`L-972BGR!{#cNB`=j_&!#YQ z`V2UHj=NLdZKoa-=0T`cSWr*Dh&fLdv8)NP{oA>=NL$6QGx}i&$BBKe$k1% z#Tn|w@~+;6*E%!eLTr0(s;Nw#os6cC12Lsq1AfoSuvMe9#U9s5j}MWJ8}MRv>%Uy6 z5xmJC;4u}nTr$csG~YK(jM9&XFFF?Xx=MwQTqC8X1I=(!846ogM(OKE1OGjw3~o$c zjH>&)d0V&lsdtZTd^=`qPsj9;LD zfbTRtFKm#r=tAs-I>~6P2?7rbeb`yN-`Pqp`unUJ>5EsE8to@ZE*sZoUKT4hZZw{; zXTPhK>9VOFRggysj)@O9^D11jAiql2EHuKBm`j}O-PZ{zAlxJ*R8g4zCs$y48;y_} zIDLB0$vU>9&)lw~FfOCmb#x*7cQRmAPu|gru4WAlJ-9yIFftmB(eI))klIc~hdde-0zam%LzF zs}WkdUAyi)XdGBfA~62?@iz%;T^l{d!>PC%{tOb)<4;p)3Q~h!W z2c_;VbqHTR!~7)6Vo3>7BQ$Xi2@EBulX_M5uEeUX3$@fd)!`i z#CqBG-D_EqBR`|MS{lmWJ?i_M4#)f0dZRNW2ETZ)dXMG!iipcL&6Dlkyezp)nriQb z4v?0K)BC=evn`0A)MmbqUyPL$Lr>d5S-3ro=g{>QS3~EnJ4rUD_M`{!wyAwMFDOld zH9^J6PVZbSKV}|^k;*drKFD2U8BN5 zM)Cf62k)KykUbD8^Qr%8q*h#d*ub%Mg@%^F7wAsPA5Hrq`}Uv(!_hz0_-1^9->hRd zVq_F`JiNAt@{A$n$0G`QId?~FYRYXg#Adz!kodHCr(|c@PnoniP9K^|Seq_OkIheq zRKCA?(^(qC^Q)U(tHk|KD8(IjJjvw#`y-&U`5$7->`3xuI{*IE@fMNZoWDL#u5u~< z^>^~8%_*`E>c2nFH9ep^`1j{-FKIAxAXh1=gKjEJbn7Ke;auYftab8nJX7AT=)Rmto8u1Yr2jS zkP>kXQseGQmyxt@-?r_9x%n6kzMdyWMbNA{b-$|)&8D65zCyynJ;5dk+usR4_-W(D zUXgUT`Nfy3uMns$f%x>_fE;+8#J4)09j|D?o~3~8h%I#SIOPQ ze)G5Aep^CCrvl9hj|-N{3YexBXC*r36>Z1bC9R#1D{XSht(892x4@*7&qqIRMV+4M zSml__%xkFclaV13sT}jy`Kp8iXOC{?tDe@%!veNH1xz4>wx%#WQnOQm7SVGUIT+yC-Tm+go zSkpW&ZE)V&#zz0s>szeZKB&QUQ@i*~o0KQDQZq98N;$)sQmn?8$6TdxmmO+9iW;@& z+Gl|sNCB6z-~Pp)fBtz0e9t`8%371cx-Tyr$p^V(Ff-hwH*q~LFAsN9AT>YBEUn3L z!dHMNoLoCLG&O0JzRJ=8v2}T6wL3lMasSmwE&Wc*tB)DTSF$UERqPdo+elfRt}&4GPcI-Fp4=pEQ$ThVPY%VXxkT zkoq|F@Np)yret;qXSVw_W??epEG>B~?YcsJMSu zAT>Q*EuQEBShJUXT&AAIrX@m#t`}gAT6Y$BqXPm0rza;cLssqQboc^E`425i_U|XW 
zZ#|Rs>9q=9)Y|Fv`OnGhaKA|R2Op3u+Xr&)bR15K9bh*|c9sdQ3#3o{#y1V z@0Y&{Sj1wG8yXr?0yx{Rcip>KLc5jcd3FT`*{VrD@ZOwQSm~=*hcz@cWwl;C!s~9A zHm5%EEftey!E2xPDhl*U;Z?VOkzjG8L3N*KYz7vF<$4Y*Hu!P2L3yxELrYqE`W5sW z9F>k#9(d8nA6N#ON!D1$7N!wyp=WPmViLfs89?%Kw0TH$E%R%n_D4KAL^@d~!wy)~ zbgYbYsKu8*7U9>{)*cuhejz@VV>ecT-ona(BnL-FlK>8K0cHu?%T3Aps)6x3c?%)3 z6=SVgDT6lr{wHzDdlXcS^V`!ZN=}%yW+uf7RW~;WlRHY-4nOB+@h|HEnf=*ob{3SA z!w2G=1f~{Wy?PZS|44KIEnji(q|DoM4?+7R+(FZ0nRVsMx3y=!Ovs&h7s2}Kk0{YU zGw0D1T>00mTBH1>7Ju&#QJBS2gmHXIiXcQaVnZWp30jZvE}NE@M(qm9uwEvjrI)$z zX2PDEu@s&+UtT3^R5RT)CVMp3esTf?Jia|lw-QVgS*gR#Y5PcNZDy=PcXEXVY8qPC zPLmJ$&W`m~1A~K%)61~7Oyd+M0|Nt)sQ#q>j&3M>jCNc_5xT)DxMpejb5EzGgNuY4 zk`igNR)J<9JS;4XuI(zDagP%!GAYLOv8~p%3QcJy>h<>f0?Wjl=01x_win++hfhX& zdM|oD%TWWcs#OpnPnQ_XnB+J+DyVo>^!n$IFT2vy)1P)YIy%Ok+|6=!Ma&OYs^)y0 zOcM%r`U5qQ=hKW;bsPpFV_TL#-;q8PO>GdRgh($Med>H7`e#rM>K1-%1sDrYZ)zm- ztAU%3JE-q-+0Q<{dc${Ruhn%8k6=F zVUjt$$H&pzp)I7s={pcEtfq)L zKXZn0657nv3=EcP&+k@EPjpRcNG}U&aQnyVOddT>NDhk3pE-L;MF%b9emW-oU6m_e*kV|vf==) zAKa1PYWzSCtyaS3i&aNAIe#ql#Emv7uV_nfVRVm{r2bJ=iBir#QsCZ zx~A5zCtlz@M~vz_(b_Akf&(KX@!UD2D@i!fv5Yt4CkZL*{?qkr4>l>A)Rf*6X+M{C zQ2*US1gntgTrZjU%0CUHCLhJ78P!IqZV@(CxEeFY}mQ^Bj3VCMaTJHOW(?PhUaK}mcoGl9hvj`;b> zKK1xeGpZqUtjuJT@KnY_G1GuA0-F02o2H>cQ*jw_kc|15%WTe9E3ZA4blwSaqb95> zdjm1&Utd3}3%>Ljtv+6ZNyZA#=Tf8>Q-T}gRbOl$x#_vGvJ#sns9-9Z_k4fNq-89w zA7?xwU(2G%Z(PSMw?sO3Y@HnB41rJjv_s^4iHXODR?1M}%g5KE^RB6Vlabu7=2b#2 zyk9O@on7^1YinyeCQG8Bo16(C3?`%LWtwG{Q?U^Relt!Z2Sjf%PbD?Z>$oi3yup?Q zuPQsejiHMrv?6u4tB~;)I%9=^69+i-AFM7UuEuKQOuXA?qC-@L+p9-PY7IRZ`}E2J zcvVfJ8B|sV6IYBsjAP-HblZqs|9qjo83F@eIA_xEie9$L5~-Oa61m<(tV6mE0hn}N zS`oZXscWdM^Da)@&y8^<2fE;G`T9LH$6wM9iLqGh~sdbrR7gcCzy$c8j+{pb=+Yw>Ai^W zq+mef>MrbA#A3U|;5yEr=djAT{ArWx^Q@HtC0B9im)^l_l=%Wv;A038N`A6MUF(dM zGSwokT?`Qy&WMSL=@%7<;ZhXf)6mfHWh0d+kFU<70aWH4=W01+$B8#EeYLc7=n^L# zhA|Xym!hbI0L@s%@&Q^g2mg$ni2UusVsWB?dd9IFX^(o)fw6rbE>o_Ef))yC*O5bc)xUr9n+OFFetaIO^(@#^L;y$&Z5Y09p|`~_p**@Exa?FF>& z>V$$&!FRZ$prD^Lb^=_tS(GrVniR|x@!xh~VPbkuR;6}6fT=}GCY*^S9`8MBPljfP 
zqG`Q~q0^{butKFJf>n{ROKkV2DK4JAF4AiDvI_u0{?P&b*5t;T`g(uqQ}R?Dnp|3Y~sIyI3$Q<W?7wyX?DJd!DvUHts#|}?#Y8v8K z1IS;42o0CLAs!+hyXq5kQ)^hbw+zNK=W#h`0U!XYrAHe?X0bxKAK1>-`T{n z)3&v}U5f9KUvr`!96kbysP!Ra96Z|DLcq#pqis2Nv@^8$bcNX2$?ygJw6M5X+t?V$ zHs8%DecqZWXi7fhf|k(1gHe%@>~a%vy34U&7fFodcp?28Z-@v&VQOrpm98t37X$rI zMiMoL{LYNDG~v+D(556kS(nwt4g&-wgVxNv3xEC|3%8&(6_c~KPTYVLM9POYZrrFA z?+m%w&iXEGA_O%t&mAwmYwlW(p1rC`LD1^7Gv{D7Z@iWGciyWvhz`(5>_Qu%`eZhd z6V^8mu;Xi}5jvb~?Cd!0S83H585upi*ZPIQLM^B?PHmVsdI}Txypw_{wRv4xhSANg!^jbU6qQ6TW#z zVTZ#|eDDy`F!SP`aSWYF0?VQ6pMRGcgK#T+*4gXI;A`00ZRX0L{dyn9(NKPexdUZX zhAF2d?A2mlKCKZ>O@%+cZqBkY@Eu=%z2!ppX3lLQoU4aZ&05mWa{EVgk>>`OCesG& z^r0C`tG1=(F)<;{0yt6HQW(2SlCc?_BZ3-p^~mZ#_zKsZjm*Ti5Nq>s9@d)=be#`8 zqu)O;AU32FZ$4gd8ipn^JSX4RlTom2R^JRiB0GI9e6El)wxL4kQzu;Y(fVdXkM(jR z$$viL&R*;AtuA@ZWQC8}FErv15^V&G zjExyHOsUU*tpvL9VA1M^1~qG@UGTZjkUhY;u*vB__43zC+5&lOk|4bR0C>Wt@h~D( zp8452uxw)AG0P=i`}BGfj}mcgBvbklVYt>C9Ds?WtPnxbeJejUD7&}W=E9){KVEkI ze1qjD2|oXmszvU|Wtbq``A``Hsh{$+2FY7*+_>?kfy`>#n2X&9G}cbWR@4so*erA@ zptv8YZ1kZS$TBvp1sOW=(HBhsH+5B`YFUP+W|iXC^8gvIYNe&4MjM+3{ij*~Y;Ck7 zl3WXCpE_}+v;!Ptu1~8660&-OEy~bnOQHN^XW1;Hsri^+_&3j+u+Kr{ZI-@RZu4?q z0g&=z2#f2ZhQ2_zfyY(+si+p_8k^0IwizKqMzJ{d;3#J)CQuL}$=GRlDxjQ~Regd1 z#%43FNJ5ZS2@Gq&>*;^63E(-eY?FgLbCdIUd5o@`Rcx*2!5&Mo)hVS_p(#efB%ofJ z82t8{!=J2j^?LOVxwTfK?RgT2css>+Zrg?)>qEGL#Aqgr*xY6Eacqf3zSI26Au`~` zzn4JQeP@gK4?p}6E5#BWczPqY>=~Z$_V%XB3+U@YcK*Uan`CTHXaD^8@dCD!&{7qU zE4E{#j)p*M>1tfwP(lvk*-|3cF`6g&<)IQHO47^L**Q5@(BQ%OY-Of0LLBjAsZI~p zA1#SCcPK#JmbP33%YuMj2*uwtl=WDG?(pkg{=NaXfxK zBNFj)G;!RCZ^JS?k2-8s)+5CAmm9{hv`T^EYnqxK5rig2u;6l-`0k5BSIUD`(`Ep_ zdviLLuVOTPQK?qTbM>v`N%AU$s{G(^-Xk^=xKX#C#HOb4gUQ{?v#+xP)^jqU$oo-oj zBCN5rQ)XgC#vPUwdvDypK|w-7qH_Ka;vxIu>=+C8i;%N?ft7RD@sG-fTzxYJcOWK> zN=Zo>%&)Z8IT@*39`hrsFfqLqqN`;j^m8eRB&gx&j%K={y-(^ZaVdm*A@pfPPH+p2dC~PZu6oQBeVZ zKbX7I96xU=a9zEdkc07)k_^9;5dxPq5rx!#5$ z%AM=BBrn22$RAJ`9CB9?;P4*N zr$a8ZmIv);#W!mY3=Ne*YK^c(4)tq(=fBS+p%PM+e#19JxCYtFRq#%g=VnA>;1|ir z4<#13RLci%3D2JR20A%k(8Gj{UJ%9g|Y0qk~G&)cOlJ1a4P)=q_ 
z>zJdPX}(OiR}dq;PHYw%w3M5>F1Bdls4gkti`T9R5JjDDH?&>}+^0eYKYw~--|5bI z+uJW>(%3rTXlVEr zl96yW2w4o2W6pYf!GP3rDSh!;dl6wWi|T zFGq`-153&I&dkhURlsh9$?-x$Lfz0>DfpT;r*eV1=_kzp*Uz;I7_uLT54KW~{PBA@ z#Q@yHI$=otF-@FuB%A-o4LA{>E8)KoJ=GKB_4M?rAGisg4*B@I1ip52bhKh$Vy^PH zCu~a_a~^Y)^FpUce0g2v04Kv!4PnyRYP)@;<1TG0~p2xJjkDWaz@a_)ba&i#ah1Tt-Mgq4Y+zSy>PMeBcTtg5;X zg~}iC@x0E?&gYXayH9*mzhJn9K=G452XTbk1+Uo}>PpkP0m)mPKdaPVx{b?Wd_vs~(FheO4YEA4cis(xBi2j&1+Wor4Vy~_k@qBfa((>_o zrit$=4kmN)?C)iKn#KjG$CXlFcC5Tpu&6LdquvMYf7XBQ)iz}e7MT;shBh@;vU{Vcs&Ew zawCI#LRMCmbX7WyId+sGMM(j{W!jN1Iosjt+FKDCH}a*ZK`#61K3pZy)d2`A_!2h` z6`gvJn_TBnIDFAF)_2`Mp3+@V_U$&1UOZoYMzs6^t86mx)711d`+R}x+s)J@{mT<_ zWYp5q%UKS^XY>+PK5;qYA48ftq{KbwS-bDqSj1r@GR$?u;65*|^FRc+%y{aiSn^pPf z*KbVV4sy2?>_CY3cJBAgq`$R(&<|liFtVQ_5P*TNsjhwi@6RM=$p+P!768^A7vI^E zeFUnKR9`;g?@qa&|-Ra)&RG$A1`8v zTRCD1YzThFawM&hTlw#cXm#Tvp!NgMn<5Nf6_=fxmnW$^|4!W!J-d;lmq+_`FmXbfI7P{+XtL+?*Sr7X++vUjwl%$kK(@Bdvr^?HgmilpeG z37|k3iM5Ecs9{PNv@SNaw}_)~W-Bw1^L+WZ)q*bS0iRT9)2JPYAPATG9Y9Zwv8m~MxYYv)NaRwb zi(QXb@D(_mB%q_@=T8K_a=wkau9EPB$7HFw0`-#59f6gyKn?n_scTsrlfrR*2=L?Y@yrzOzc_iW3qpb z4dsGwa%$QP=fj3P+Qh^Az{S0aUR8v?VJk(?k=B142n{}~9GV6LH#6&#dp#xl!pcp6 z58wQSX#a9eH@QI+c$6kw9b4xw!0FU|_z=VfYMo1*iq^m0*za_tvK$bg?;lhemi~5U z;lDx`qPXF>sk<_KJ?w%n;a(P&yRT8Cf;tQL!tUASu!7b8`D~9!ho4+cd%KSH!}Z53 zE^Q{Rm#q{JsPP{MVpmHJIg)$+bs(hCY^CXDEnk`6FZX@LhDBA=))x9@FiBhD@t{P=NgUENvh5OVj2%`Gi{Yy>fXp&q`zOAs4!_#n1NfM(Ta zIGBpu&n&!V$iL6llx<`39|xwJcZA7UbZTKfl)*6i{t+F`xxBpmkD+-|!3@WVbqvbA zLRDQ`6*q@>eh6N)7H)=(kc8D1U++!+cy0w<>M7q=%Q9XgL&Lq|6*r%WT5Qap@K0o$ zFF5lJ3ZV$>^k$I`15?KSHKme2;X&W`vD?ruKR%8@|wABUffIZLo5n;h9QBceEwFpxT6|W|+^qY)NWEsKlIo zhcZ$y+x#8ZxjQ6X{w9r~2pmC3`T|wo8?gU{XSOm&UxmStkV;)9 zNNYX6q`hAT=hgQ$9Ub8yJ=o>QrV5a~Y+;TeXFLUq#VLpII|(^`>K7*Z>v+mj{7D^lCq8UpLHwzZ8S zikWZ3Om3d?uCA_R0};0Kxz{a7vqJ=HJ$sS6MHMh6^?k{^ElpPbBXM%`Jb}{)@r28g zcnU|xgBvbXfvr~D%p9RZ9*4BK`_8sVgNWk(!uot2nRNhCpt_6zmTK^51Pd6Mn(~ON zwH>gy#6;K!Dvl)S2)h2b{&_Bfg#A>t?46VJ_`Z&_!P^Wx=(}D#d&cU?z^~{_QZrd^ 
zrvEra^n7st=;%&v1?s%TjdCe!QSeZV+)9Taj^|MNdjU}74@3uW_>wGEH8}IIlyzsJ zJN>acK|IJUk^w{6N;``@Q&2tnr@dAHtr4J2Y!i78c|JklhzLCeMkulb9)<9n#LE~x zKm3%sh4t6_oh~3C?{cXxz-VMvmKfeg$f)x>L5m1Vv|^Z{iAfpBGDrgVO$J3NuKEID z86(|)=Th8^J_lBN(x1YH8=ud(s*OyfI_aA?5>q&6B*T~F$gr?uC4Yl4%10)G43Vr+&5^hy(z`@O{RfS3{tJ*1EUV)zDJZ$H$w7gD zyx!dKmv20UyZ~xKCs7^{nd({ak(@b4H84E|2M>A%_wbdeX#0hM=sVsD;om%O&^E>J z1J%HE*pp)q^0Q;I$e9@Y5o*DS!GW^buf8EN8^Sw$lQdDT1p_<6!~C@P%QC(jZ5P6t z74=z5R+U3C|AqcuPAo=d@vG+MK+LVr4uA8U*XT%+^A*~Y)IbgdK(b}eNfi#hUvc*s zw4nDnb}Z`5VB^NrsBcd_9inl|9TFqbZrG@8r(HcRy0*yOQ!7iW0-bT1s!uXeXGSBj zvh|_AU(zkx4m>j1(ns}{`{G!EG{{kfqeqWc(}~d*xv!5<`z-?Y0M_g+HpZ;|@Zp@b z%(o|_t?vQx>_l9qp%N5yeKRLV5C$k5?SoAyOuU>%n*Tl=-%)R7Ms)=of1my8CVa2u z@P{O(L)QgJ8912l0UH6ZAc41VaO}eE!Bup_Ilr^2lnexqa4}F=M8p95G|ad5Nd*!O z2bcfJV2*&j}3xJ zMR+BE_P<9=AOXfea3Y5sDVk^j#u5D@Fv~*((ul7875^dOoc=GO$LReZq?-Mo&11d^ zuay6twZi{>Ys&vxarXb@fXAtpAvFJH9Q7uU1Y#~+jf0tfc< z3JCEY*nf7vu(;5E@%=*k1O&td1kBYg)coTFGxN(vSM2})PuNNO;VSWka>o>95`Mk# G`~L$QRt{PK literal 58890 zcmY&;by%BA^ERcpQ@j)?(BjrYvEZ)3rNs&qDDDJ@qQ%__?pmNg@Z#fc2Uo~spJ!)hcXnp(dqR|f(%2ZUF%S?Cuw`W=R1pwfdLbYnCZQq1B@H6KTj3w* zb~2wG5fE^?{{Fp4V8$Vb3sIe96(v#E(8-8+n7*dtrT!z5)OHeecKUAXfKXg9Bm);= zIl)B|CXU7q=5|izwl)X^=+v}uImTbPxUHR=gSpvvCxkNGA%3_N=O3wqiQ(U&Z=KAo zO%Og^VQ!H=XVrbjP_ToW$0jI zZexb6NJlW|AYS5o zK-ip?l@L{TT{vt(byD9+c|I1Lf8g%Vh&UJShnd!x@c^sqs$RV0eoMv!MYow-U42Ea z`)95PWwGkTqLVVR#D|ujIVeT6>LOy;m!bTMh*s|SChn8Z9y_6f9IuDNr8sjLS9Uyc z&75`;lTz-NuQ^B0g+@K3Q6r>s$G>yEj@Wi@@~3+7f8U_8|4OB3K@)#}{X1wA`0poI zs*+=&zM1kMc4%oMr($EG?oy1{gC)eFMEw21SP4Hr)w=SKrViofNBaOj~@jxW)cEvCR zCSK7sj3s`R*)KiEzW-SWI^SYGy`NKFGA8Ym-FZY0RC}QT=s;9I(4VZ+fZRSqmzOir z(wbb378)FPfSE#Gn@2AHnfHr<&eyM5jF}24ACaN2-n_vI;`6vF6Sgk|<}ya81`8M9 zVn+jzz~IQy?oR%Wms1D5dq9n*3*q^h8DcWB5OyqsMcZ&XFCTn-{DyjRpRloi_T<2k znUV3s7Qwgyx8t?~$I!9QvxhIEzCt=L{$g5MnpX(UU#K+J0DgzP`=XyMdDIam@oVNyI&7ut7j6tluY$IMKZRd5H(PaYSsRG z|MPTk?5c={l;ZeixkiOoxv}h5>8{S7ZJ431+W2R`EOtm53m#F*8!h8b%#9jf+7XPQ zUu-V@x4kolSY5^$)HHwka;~D)^D^uU=`2II1@Ho+(?`H~1B3p&YYLy_qov2+TWPUV 
z6p!dlW~-&))7w!#JIv7i>o;Gt)R+?ba!}Z*-$HlVuPN;cTOY$M7Vl3)8xi@tFI<@4 zr(k8jNd1Ms?}ts%Ba8JGbOH#8`*;3f$~%dPuw?V4;EVZ}uqkfS{v@FYKQP-maIwnu z+Zel>!)&ZAhavH1q*8P}{=f63J_eCxt}-Yf91%qBql309XW8sEqL(UE&%=WEIuI?k z1y{UpX^zSNa}HFju8;uGjZj={tUwZA+B}RuF>052w>ia|ut@vX@5$+kT1+v35+8o20Y1rTbnsN9LCtNu^P|_!-qY4j%Qox%cQv@1laZ16qvG~VDUGfJ z{l8R%K1*jh7Ba~caaPJD7Xv2evSUwOvj4efqz)pe4b3cCPjO<7HZR zl5*)btYJ@I_5ZzHB5a*$jFk}*DO4qW%0fMrsx}$%-w+u_71t^Ju_-A(9`r|)%u;6| zD_%Iozv_BA3l!hPq>43m&N+&kN-nerfE@^+Qw_3y^Iewz(>g)zv?6FytJ zc^3Jfu^i{{ETsQX%)@MUfVH}gUlZ6K@XHhYz?dj6-#G7l!3r%!>Hf47g7NOLj|8jT zrOee_S%1<%C_nU0n|nuyBi~_A;_)_jPI2Wa&S-w}?AHHRn#F8VN7c^_vw(rtd*RIz zOWdOm43(f=F0l*UN@=0ECslHw(T8oe24NKq^{P!-YsHVpr10<{GkosLNGhTTsdE}}XQiPVCtA>cZK{7-ts!k=%9tCcP3wv1 z*331)hAqt|T2H0ho6Uej=IU{2|8NU@lUk>IwX`In;JokYFGX!NVV)2}P?h$JyTG33 zPZ84-`8@PRY7Q&7u+dXar%mg5BYQ-c9jwgaA@z0vHp~BNjPt=>&k@I#1g@hPCu#K5 zcZh?WPFhYsnhNYj2LH6#VJ|N9B*yd=_j>sem0_Tvo^j&SnXLc5RIuo1RJ2sCTPtbj&VuPAbwH(Dk{D)M*d*4HgoL~6G+{7>J(Pu=#n)v1z8E$<1QZzVax3Bkg}SY8tN?}k41=DwOh zN|T31QgGCu0XFayxF)9G9V{x5+dSzO!o4Z#lfs3>52c-)LSz^h!@>(US6!wutxp~4 zgV7>O#joFF3+v&c%gj57aNGJ?+4yWFf<)sw5<|gfW72pQvorZCd0$$53o%g`6NM`+ zSqVf4UfczWt2edo`*I=#$6Jx47oVdbYEP$R2OaES&yE=56e+?awh1siORk5G@hD0K zKZ50a8YOh_Uzk_Z6|41@=D=5epUcpBNj2=k<26fpiY4IBFnyH`X~H_g%(&0PzZbiF zoz4DDiRexYs^n)X^aSk&&Aq;QrtUFBUufa?_IG|uP`0O?Qas)I)pCC zswC2oY82)|ap-6W;{Aqy&*(MJt>@T)N4 z5t;0%xfIh2UXLwSSHZnL+#BLN!74EOES#&myr5N|;Neur`GrV2Ld9}u7jUf5nhZgqq$~|R0qC3Ai3Jwv%(b*Ym z*dk0McU++*0}av?4sd>Lvd*G$!a;uUi~NA9_9tA6x=2n_+% zYBUA19+}0bt!S`#m2d`mU%cJ+-)Dd0&#nf~t8(wv3i*DiavvxS^r5c{q11}C2#Zx2 z5mHW8H(X;zDp6;873o<*P+tfJ7f%w;rT0Zq&6`4sf!>NbuaNd|dJlAJu*{f;GYSc( zJq*)(mP}et@1npwh7ShL)}L*>3$%AJn=(EfVct!4d*6BK3Flfa7cM-2ytLnbRUsl= zCAD!$7}$N$ZEo+Ni%4>|2phBCxO%>i;GAI36xzc{y#Gn~qVEv{AAxHqJmWNN_z>@K zp7v>*%r$7_t;hu}q}QqNOaMcWmWHN4DHE2;+w>4>v}G{O4F>lxr5Qaz*7iS3_MvTU zgTg0yuv6E|lUG7Eo$@*{pVT5$lR<4y&WEPT{akLACzYbhk^SHjhJlBw;VA) z_iM(lt=`itl(4?!4_=%)CEbCZbB%LLrCcFfAGu!zj<9b{s3=~26!78L>kH{Jm&)u2 
zFL+ODPpuo7*}(9y@ZlI|r{tamFJxy@$->1QG{9u zFOIwDtT`);%Z`3`@)jEM9U^dJxCmubfO$&zR4LjSQjU=LZI|kcq`X@jrA4m3#YGSl zjWe>qum1U~4)BT(yU-%$gpCl`QIcjq$#tKI;dQTCs(j76L&bt*~*c)Qub*(u6)A@aVGs;oZCPI$P&}k{%5{`4A02-Qq7V&!8zF?A>lDIMUNcQOz4-kn~@7uZ2BpV0Ljrfv~LB?K*1W3dKQu z-yTwGM7xhk26$WiJOOz2Ei*2QE|<>E>w_KT$y`0w`XLoT-#w1y2hto1>)vZoe(a!x zsaxNRBty+PiYEO{IG+RdGK{|J`M@|zAcLkWVUUJ)nVkJ}A{nAr1wUr!n6+BIe;1A@ zN#8HC8`|Ky`*dK}Jt7$%eM@=wlgS$;Hu^&Qhh8~EwzD>rN*`9?-i!>xBFjFi2p8DK zWn{xND4$P~Q=vQ?YnTaI!)^=H&2Xl^M1EDcx5M66WXq}|t+aLdWQ@)?|c;!<=RI zy!k-DTJ!IIaEGe6I2ST`0AD;xO96`%_<^E8eLr#&lS1=-r)4(ULkY>H^;XC4p!K81 zjr^Wl>{1mYwJ1W@@-I5zJb*q+xL3sI>iKKKC0cb&v3#ZZdY>3CA9jHP_`*~QQOVdc z57Wti5Z+`N)|XeAg8{fZIyc8OasKt}TST2lTb=s>B!SXHJswWdYT)OGuLip#lWtrF zwcgEaL$x-*ut+6cb;!lIr#Gfv;g60DhAgv9k)+WZiEnYO=mTmduaQJhGCmNEmeaB2 z&8JCXa>G zj#nv1x7Id`vvLAY34t_e&PfG!xqJN@Y0ELA9EbE;o<_h+eH>dh~!jHg=`n$7EzlGpm(9CXnA{c`4F>jaTV2) zF=jWJ?&%=X?mo+LoWl_Llc7pDDiRsV)29*9V^(*X)e700h2O2OoJ#>;F+!7_*P7oV z1X*J(FErcUoT}=-izmakOhliof@Zj)!jQc9g8_>Nhsi69Ebe@`%-!hijnxd2U5H+X{T3CODZtBOZfk5OXr^(8bY@oZ;KG2K>PpxYE(=GIAzbmDODWm7d$(byCS59t- z6K9}J+AQ9AjB^Zm^|Xvn_a5q}2IS!+eg}l;$5)Q@PqgbVkqtt4$^7aWx5|y-m)?if z<+Q!cL(Dp;x!EVaK|lvp9ff|c+IN`93;ra5eC=DBYU%{bUPDCwjDVgA+n3?YcUMfS zk)~)74fcsE^7U<9V-)EhF3ITe?~#M-P-Yk_9X)fNjCY*M*b>qNTyhHeKp8B<{I`#G zrBFV?Lk4x_k7yx}C6K)ys=E%kJ$Pm{O-5av@?08zr)^t?#qM-WKom-pt0F>a zc!5*f?6@&+`h$){Fd+Do932@On2Xqy-#;a5pzm58oioOHY7a^AVTQM1vSQ-&hJ97o z4-%qnf_=U@B;TbH4~nQouIXB-#R*cMBeC-Ca4x<%waV3>p!slp`eCcFt$4j{T)k^A zGU2Vqgk6;)C`V2wlTCqO;UUtfU+tssUPrLIngM!*XxvSU_ER;E=U)8xrW0cphb-;p zlrdR1XAqtr0*uu~M^*I|Dd{c}Ouz@?@*MoKN?WDgdE=A=+e6()R7RaAYi-tg;dq@8iSni6Hi+5t7fQ*Gd?*@f7;27n_I8IWlONuZQMbT(Y1`R|($? 
z`CZFdE@>@Er1eN*u&`lNjhe2x`7`Rv6Ds_j9`rV&lnVJ^oL!K+x%8l>h;W zqa@dve&P-xi7&F#Sug3<(r(CJMo$@lhrU56<)g{bLT$?yaO<*E7LJ-&^?Wt#&wMP2{)Cd`IJ+Szsz_!EWS=u~65U&!b`U|)oh!tjeHnXnuj=ETN8%>7;8KZ4u z(CC*Ws7yP7zxU=lF%F5tT#`U>Ki1@@Bc7Qrs-z1(9d}auW$!~1*ylD5CH%*&xV%S6 za<>Wxx(yImeoNgd$Vj>xT2ixx#YkKsTgHNCzp>8-e<@E5plZRSg4cO0@f#c_ByNCM zx>NBlH>|8I>GqEI5n-uA%4?^)4DLA}zQ1}Mw0#QL*AzU)srL>)@=98B9ss=|fUh-s zCYgK?T326xeK31`IA7BOuard%$m*Fc!S`%KUT9cmRX<-5x2TtSOIB@bbXS{&N6Ez9 z$x-9_;}co-VwCk`fv|U|*lu@(1G& z@O(mDB|H6>m(AC<3lU_Q(@^xTyXy{mGG4IJZpNR_e8 zT%_U@4LqbdG?pF)qVvP|?8%{1XhUJKiA*EUQ<+~e3JgBPTyl%4%oJsi`uR)8-etr? zgosn4m2kw?}|b*v|(}Dadj@zVX2Mj9RI?v#I_OxsQDJhRW)&5*#NVh zsOhs4`f@(N4z|PuKON@M<_$N;cY2#p;qqaD-1A@C-K2V!pLa;IASH4cxuLfTEj%(U zK4ki6gNW=ncpuk~9Nluyli?!5ma4ftqTgN3_FR$&Eo5}L z9Co&TRXhuW*X|$UROcx`Y_I8bI7pX=(=vCEr$_d{#nChS?l_tiWTnCytQ8Q33Qt2- z$;+Q~9{EPM1`$sxIyC};`HL#_-w4dyT+&p2RLe2YI5I`yBZTfhHkTf!lE8F@p3N3J-7J~S{?^UUt6eU-#qMQ^l?$MOp#1__ zoU3~g@c0dx{M$JSdaD9JYn*VO&C3GfDW_H?UuBAwbKb|M%0iXTx@5zlNypvCR_x;S z{{HH@ER$eZjRj|HyL>O&V71<~0YIvS`I|nXo)a-z=m*v7t--b;rEQCe;pwF&rtrdc1p$36^5`uD4&uq-eOXsWJk zf~9XAtj4w9YwHNCd};2OBMC^Id+1^rjS(zecqBrcUy47%68V5FIY*!!Sj2f3$FFqt z*doXf5MV^HMjQApFYAxarQkM>a)59)!6-UbiDFE!5Y3HpRforQpa8YT;S`Q(tS-C1*8 zyVkf;x4b1Nls}0}^2*j(;>~?nGpXJB6p9#-l7tzACV#1Kb)X=>@>pwi^(e^vj1yJ7 zO4GuMj($=C1p9CvdPr*3lVp3w3nso03{3VAnXL^QliAu&B6|%}1VI|Cmgz1l%u-Y& zZsqY-b!!1HthR?z+S}W`hQPT}5d(dFcAWO0BHNP;__RAL={$#+k@o;4D%AiXKg1N` zEP`L8gjqn`83TUm_g_k0nHe?~cFI?z4Urw81{}qj#s|NW7bBy~7Kn3;3pmTkj>>9( zm~o$`2w$NUW*cDlL+FuQtR=#S1ypWto3a>8B|*_a%;^;rFdo9nb!+KcZce=-f+PuJ z13Rd!W-#e>E^%yVK(ebZzej`U`#4R?iDy@th7H;ju&m@vgX8kc0Y#r#?r*E<1?a~N z(v@;g%e)^hMCFSmqjKQ$mN^GQ3JhUOiwq9Wq&{ zbo>$~p<%u35??u(EDXZE7h|VGwn+>Q=hy+dz9GSud;`roENdwfp3EBgk^{YaL1+1e zd2!x<^`1jl3;#6T;gMV$ipF;wR0`(I!I~Xm+-Swq&8RnfjUItT_5MTBusJ}RcRIWG8;q?(6qWh-Xii=Uh?)$p+1Y2Ru`>z+=2cO zYadBlbAAkw+q!G(Z*7w9ySK-1S{`uewdnK@{3FQZ)uT9@Y1t6c5D{9tF*Fe#AeB>` zLj8}qNnd1bP~Aa+Sib-)zx80n=Wx3Kzlhmq~0!z%mEz zzemy&z-X>dKOH*B1qTg50iwa{uS$xdF17ecvQ&4Rcpdoa> 
z^+jcwg)zax!^6{g?Q`y*JNwqA>rGFCa(Ty$r1%mY)=*7^K?BOX=11C7t~`jLSZmG= zrP*o@J|k3RBRaF$DzC$aX3>%N6?HQYl70Zk0OJuW5%#_$2N=JcpUJ|4Q8E6h--bhGYgpR9eKHrxKCYvjppuEe>LA@ zKX_ydc!d@U?!bn#Q@R;mf50w@xJND2)P&4_yOAW8mTJ^n10M0E&qff}uD5{E#Yh^^ zng9L^&`7Hi(f#K_+cLgFOYf*Ky$tc+ihSVl)#T!WTCslcCNT7j7}m83#QW;u(WKKr zuqPqI|| zB*Ll;xRh%{Z(P!t$&sV}NZQ^3ggG~W@Nf^`dhotD>Nl_3Opx}cE3|>8Z&DO0h!CQWdh6R$48I$MceMnt%aA~?lLTOzUzHCFKA#oQIdjt- zUwJB}TAGnFoe|{ntOI)Lg)Hy#-ea1*ld2q9u6eYxt}Eu6U6r-YEozPBza?_sx1^vT zX`EC%#t~*7epuj)YLAFD$s7(Xze*$ zjh8RtwQzsGF|oGW$=KrYv#BI+`})ghzGmU>0+_UO`l`DmX>&xId@{&%B^Yzf0ZjdL z=fu?sv6?7vJmvWV_DDR}p#`bN7pVn@iR4%&j-)+}ue4|V9LV6;-Jphs^n=@Ohi#z) z;I^A?_A)JO=PoX}>E*1*6NFk;9y6_CzhGw;^sXUR@q23`t`lZzVa^ZVV8W|#CF9Cu zV*ro4#d?s94!^}ma9EHbzP!c*Pagx%(*#k@(EzqBM)B4;3Wm89!xcJgxbncapGmob^ z{E%Y)Sn!rQv*n4ZbL{KCTIJM~n}m#8uFC1)e?;XJ1>B8DMZ8XkiCLqANxULZO-WCe zamrD}f0BsmIM73uF8;{7>NyhhNuFfYOw8+enSYq_f6ig;+#LFwox%2H$$1cpxv4ri+wUVw69B2MM8&NRI(m-e>RxgF>wQ|{?RGJpK&qywg}W=wlZ zh(}XoyYSc-#)UDEVWmDeGXzh0?8ei<0jx-$rcFw?MjGRB*hkpSpBbr0zw-?&Oywu0 zm-UN>;|ADRSkUBtZ^!E%Ab}Hs8UUdVCj~Q$UTI!dAR8V%+qYs(26%~`9g~#mc;giV zU>sOW*8a9R;Qa{OW4k&UQI#9n0hSH!4c#J@kPnm}ABYD7!T{xHY)YGhmJUg0rultf z?^7~;tDzLmt053BqkoyEQ>L&CHwfX?D7doWrJV!w^xpWt<;U&c2}*bzs}>fc;0+z` zIXJS)%ZI0-A@We?Sv~!Ja8Rikyp^TIf2kdeX9No+8YO2_KlO%BA;i8Ev2l4S??{im zJF_)k_zDdEPWd{d;Ow3Tq^f=lkd&3}S#8JF{@gop51DL`+_)5;c|Azi6auK~X!=V( zkoW2&!q1978`a3-C&Rvw&$vv2QGoGxTv+hx@>cQh!asu%BS$|N>n96&rJl=|FRJh_ z-$KzloO3X>X1`dlq#e@1)KM@;-7lBt)3;>Z?nO$=waZvj25|=(xwLdJG!+(~^`FVZ z1O~T4da`7{lcoksou%yyf~uvJ4+#rGe`<3%Y;GV(kYw*rfS_w$(Bd{v3{2zKgR@IG zKa+84cd2jJv-P-fS}rSY3V)9)%o(oXiFUXRnYj%lg{xa<76I?%w8)Ji?ap(IwiMrQ z8Rv5`Bkn=1Jk2f(Z#Ry0l<;5s(`6fer);C$aYFqY>2u_V1Uc*=VFezIQGliG=w7;_G(!*$B{zINZ3-UyYts#o z1T2q%#5r_(J12&g%5nWdrg9VB$?zk8E@s{T<8evW+P3$=nDkUg4V=6mU?o5<=<2!k zj~8w(8$r`7WbN8_EIEohsowz@X}rBQ~p<%{Z3@ zeE|LV+{7zH9e;a>hO5rz@kOn=)xZ0k!J#l}|BH_7ez?|k%k1-AhoKjxwe-s|EG`s9 zvCf;LX!wo?f^#;+baaRY1_2a;Ex~`AGNjPHD^YxeI(T}HD?jd`7*cOEw!k@n_IAd! 
zB_%K!6GG{Jqr)ZhLaKygbb_Ad`ys-&&QD)WrU*MPF{K(4Kt)6yVFx6?R76I*#aRr3zq4J^303T?<(ZU^6;OB0qF z1l3G_nYn#HRWCm0e}q%0iC#WYM)RC^1POknzwHQ`vllGdS3;(DzO5{=rrk=L45|A| z%^QySf5eYG9xDO-X3~Ii&4&vQm@efnw<+)@NKxZ@DE#c!`Ml^Qo8|DR{W!0>JWO~# z@1+`AGmR=ncl5@`_RDk#Ea8h_QPK)IBQ>!gZ; zN&u>FS-K+$b5=#l{8^ft?wJqY>J~iyc33))p^qJIFlaaue{AS%jMET{9QQ-DE;Icd zFzzy7nZa15x$9f;rhn=F2(oK`O{hrrQ#R2?Tq)lkNYD0K5T?(S_1IVL2R4PGpESBu zP$JR!r55X`Kt=Pa*oB|RoKVs6STni?ewgCOn=4ID8f_dupRY&`)w)8u&tEc2q7bco z@`?~-%^(Q=$=-P9`?)PH$9)v6tT_C_RS>K?JBbNVW4F~R^H{=r{WS~_+$SzY%9i=+ zO**P(zv*&*=6;E*K-Rk z6)vHHyoZZmq0>*KtiNu@1`1_vP)g@*7lxcW`SZUMA^R5gED|c(S?lb91Swm=1QpPk z1)emP>ry@;HD}X+FwOxnYZ)Q8;E46iv-e8yG!Ly(Nt3aIvW-lGB+N_b+YTa3n@@Hn zb(lOA9*#<|&St`}??0NhRT&=&%GzE7&Mv?5(h{*HpB8hN;;(H&kk|qS*K#1g*RCeW z1lLCZHaz_w%;NyolyeDy_csKijIBL5P}tWS$g3Go0=)a9L!zZ9?ABVcfK<+wiu`GE+KKg-19rGaV^Eukd9P| zxGl*|MlS*0;YT9z)M@#a~Gg5N?6sq$G;)t zrk!12MM3cTK}B#fzh?JQ@)ryK1_D+3wj7{W1XNZ9xCYEW>uvW(<>ukJ=LgLcWa$@J z!veOiq{kJ9j=B0O80uT2&{I1uhBuGDtvn%*I*qTGLp;Ue+Vtbm8kK(znMvnj!6?TKVeY2*j7cxl7Vsp7tV&8vx|k2hT(af)$wFFQ~gMUr}5Z~ z*0HR2(@M6vKOF5nxbWgf$_h>ELf8Aufkof-Z<|HztB^O_z)6aCHZ{S3BfhbL2jDoE zF>t$y(&qGG!e^K(h;4Y`w=1wld`Or%O`H*)bi#h?6wyb$$z4{sxIlpk{O;9d40yfn zxD2*|&gDx`^mr@}h1q12@a#+ytprQ8x*T6sU3WbkEr+9D z8=pFrm4>`?%F0v78CrbrTM+Z9irl4#nintF*5fFHwQ@O(VEy+}1D~M5AGyJYor&xz zxzEafJtF~tZ;gxfX4~$A8~f@=*n3$9lFHw~fI!J<)S?tBATOx` z!88euri1|Vj5-_u;(|SA)j5F7W>ii(xoZ~2xqqJ+JxTp@Emh_>$J}#AanKr`k*Ayn?rMB`Qq7JJ2Z77fM{0vZqEmIXi96!(C{9 zW3vjhX8vQ|SfNVF)@4mktCejp%;lx0EB}}c*b3KnMxWNPRM(pZQSEPix*Gvs`Caf_ z$U(w5?LT_2ty}G@rw)Ejq6TUIgDrs@j`aV4&2VP76e)|aszmG7%i}AXmU|#7gKW0rYZ%*i~RB(kc(E%|1=yu)UYwF zmFmW$mLWXm5bxYuZ@0mlo|VcxJR3mH(4klA#t;PcgV^Y0$AAvdG_GJd(rX*0|jC#gh0NY%P;E#`_>w| zq)trg&1G>7QMLGa=c0 zG_1$IrHm+l72C-%7M_{GsfdHR&aJ&PXz^r`15GQ?wbbB|1o2Zx_jj$KC6iYq3>{%X z>?qk9^J`QG6%^a$3h;a`3{e-6e`R@2+apiXrTDW;m8^Zfq~qn!pBWFHeQ-c70*W3% zb}pu>8jI^dui$p+Fq0D%eV+m-elGqjZo~3A)Qa+3jQ=x~Q5S!T~3o zF6*&zC{%WSbL1@O4wJrgG_$DD;SP@p+q{BedN7he@Gsh@0`Bmho_a$n;2LcUf4ldV 
z*jnl_Ph^9~4*50Q2cNUeanqCeHixcp8`U5*6={#6K3y~8v3^9EgQM!FLIr)`c%oe- zT{Z<`NX@U3ebH;I6s=N&INs8*Z;Xs!f#z#Do!=V>IIh%zf;;yh zYYESeQFi5XxKf0bPiG2}v3IJ1wgv+_nT!uv&_S@Td<@{4f~A5tSzkYTMm^4>uKblF z+%}XSy3T5H<`|(G%Kgj@1VPBDD7ch!HA=xeZ@SGe?!_`4%uGcM&7U%2o2P;X4mrz- zHi7V4&kX<)%asxY!!e)@D4*kY`0DC0+|Y0z!+@m|PolwC*!oeOh<6I6;{JhKnW1Fl zO-~U#J@>pI8Xt_$>Xd!p_iiDMZD}ZiSKkpXsNiKE;QNyWX!+K5-J0XPlo9g&qiS6& z;4vK#X5&Er0RCA+n-7M{!b?Kiosp}nTsUk8ZXE(29Ub*NuOW}F0pE5v*+wCo;E!QXmRs$?%O@YIDCy}Q!WO4=Z#>y{q~-OGeS;_pCr zAfz|h9@@XwFy7mUOxqtqs<+_GF&^Eq0*txnfVK9Ngx6G~_EWJovj zquy5*yWVzYN^WL#*C_v}8mOSV4uVFnL~ws6L{^!89Bl(p1fGzGIQjkv{x&xwNv z-=cW*xwt&`Oo_r$h+!E8P+!@>ir;!d9=#hxgc({5%FU|0b|`$bGEPLvd99e&~aOy-uwd$_oh!3&v7wwntYF zL5Sn*vfydRxU##Zk!XKwXrsR?CV&HNHRr8}!Su0!ZknLajQZQ|K;|J-w8WU+??=ko|lSO50XJSdG&1IX3JY zUKRkR8?Aotte~jclhL)Q&0uWcAZqSn;)UNZnJT=0GOh6OdCVUEE^6>FB8JK9Xr+^Xmh~wN^GDd<)S4=;Y%p`0 z%WSmn?;!h`5}RJ6zuz@p9U;sT8KDc)gNAgG=dIkl1@T9#Z+6jR3V;KE14OBuKHGWM zD-N9^2Q=`dA(RNm&uBw_zjy9fo1=eU+a;p(NkUMq_UN`Fg59*z3mM+L@tNw{NNr{o zyZhiEHEbSPmk7yja2G-1r!I-y*PQgCfVtY_nzf5>w6pew;9|+;UND@ssa1g#?73hPD$hG~aaz2)8nUF`Zp@wg}zh}455+tBQc{`gEkxSkD zCv$F&MR_kS7$mfq{(C zfGXj1X%w6c2_mK0aZ+U?GL@oX>}`TfX8I#sM%*IW!zis|cx|)ISjN=s+-7Wih;4vq z>?icxb;(C5XWWPvhiD^Mh!9t&Kk2}LSy`EXRK79XAcB5Yjm0M=UG<0ZIcyR%G|0ks zfQ0GdN4Swl@$w0=RhFy1-Yu7>5O`+Dhvpl7x3NgkE9i$h!eEe@cC_*ICCuJMdWjMu5*v#Ao^$@_yIy%$v6d?w>mtMtf zzH?`m=@Dy;u!YiczpOK;%QwakpN1O^f#Hy?#D+rf!+6bnQ6en+oY>2BbiG-L{+}0r zohBnhpeI#f)3BDDc}P(M^Nq(r_s$aLJp^ZRNU0AxlwtT7`cI?J51>lj4A?sG84Hms z(dv)W5T$6LtlzkGwU^93QotD*k{vIaugU%|ZE%>ogrfZyiIe&~ngQ&EYU1&$Bgzpt zb9VywAtXir;-!8tgGqRa!zT3rvu*}A>K8NnLLZbD9BGp;)(<1TywW!wT3VxAo45mO z$NcPGW4uNy)gMm2`Z1}SQLzT>qnw}xEfCMxbvnEbpdJ9f$5Iho>^uP7>EUHHkTUMr z1dRZXJc)stC@Th@v)36mG&99hE^z9b0e*44l&g}IA&Q{1 z3Jd_W-F>5(oMYrUC{?1<1!(P5Imh>bN60MAyg!*NXl1_gXW+q9N3A<5D#1s{2b`+mIj4TBI!S}QLEkxDdtwxlH{G&!aNxub%NwnWOPcK`5Pz!r^3 z;6VXJ#fJE-D~1&oY8F~&R8{xQ#+FjYn+QpS2-I6WtJe-jbcfxJ*@iLm;UWDp`{|q| z4Uap^4PHbaemc}})V?GT=mW#SFh6a^pfgGnN}1c0=UZDXK{fa5IXDw9;#dVvSfiK; 
z8ImQjG+AWq!%B)ywV)l zYTLtLn=2jYP6-boUC-S)YVxbtjQV)0}mB-8a&`X4W#msst=)V4W6==^$i}KZtgl|5W=M}zsHcFgV<%b*K9HGK<0$2ojERHqK~P=#Dr0F(R@ zm^iGvM(slO@o#nnpBA1cJJ2^wx_ttGQNhAn!(&YBVNvY9bU)SPIQVs5FQjqS=K;SK zz6HVgF!;c@95_LtDuh18AZ%bPIoB?Sfgk!_c9gBTZoSz_;Ym|Dl=c<0lq(8ae-6vFty_l7~!gi^#)%<9`#5 zHw}ss+#0ECAy`FCaQQO?96ELycaVNcoQBC1+O_YB{JVGu`flo(iXVwkb3JS#fO{u6 zxs@?tN1~!JfuY%a20wPDi9j{1Oz~9V^(gQ^d%>3-189i@gw68yfcq4*^!S*prNO{= zB|7OB=5@$%LKLOB@9cJ9{M-k?rqin`bm&+M6pS>7IKm9j9Mwn_ zTZmfG`h4<#Qvm-y_^)xVhR>4W!11QcWS%o~H!t-h7D(Y`_pQ=5;64%PPVLh5e|vyC zk)8N46CWn%-#m>^Hlh<_bVNmsI%-AudRsoTCM9*E;CI)BFF?<_uAzo$MypBW7!U|^ z&4Cp<6<(u-KML1r-uV8s|96Y_DeSp1pJ%v}?tHzkYBKk1-W(Tm^}hNfTyWrI))Z%T zl=&8QgasY@JVI$MhY8fO_~!f@W&yCr6@C$jm5|xoozzcG0>|CzK`Rt*4)Cd30I;c3 zhht64?&6I+rN4&&D$AFbkWy=FYn4~D%)ro4P!0QfRd5A*_@T0uN1$0Umh&K5E-8#ph-7D?-u#*mJ6OZRrHsvX^UN|Vy-iX4LH8i3>W_W zINwtQybw@(W%L*lfJHsYn3fEi|75(xQYix^2s6_cObzV^w+t~aWWEuD<+AS(ZMPOmwUv5&1D^M-2_KxCw-VXpf}? zKLC}PLwtI?i;T|kS$PyI*_cyY3FL|WV16hqLYw8Sc5vS-?r`&9P@Mk^Q8UiYp- zs)v@h^z%*enP4Qvd8UA%D^nQjz>1ni>a=zms5zfhA8yzKhQF?(j$7bdF;dpk>GWBS zag6%IdmF8XNN`jAacI;67>@||y_8385Y}t;^t1`JtzZFkBC4Uo|4(@aYDT&beB7U` zL7Ub6l4(*}wjLGK`(zM-BlrS1=zS-+v?wr1=4-Z`cGQj4M8HKnDZ84(#d3UdR2`b|_=d~zfK0^jN~X46 zDsm+~A}qY_Zw&?929~|~dHJ#*+}aNw216U(RWZ1Yj?94dL?>}peXP^J5x`C2m;%Bt68;nba+P}a@g2a2!@bzx!(=|Ul(-Kc--!U}{{K81PB7cP8QTN-E zedDlYA4l*QU;nk)=wc@Cd)3vEA_yb^!un^-A60d~6!+~^Bo^pje}Ls3ZjXdB(Sj(E zK%q7xf*v5_95Xh*@7?#SNM}-yu=+N^Ma_9Nu=WQ$evg9jRCn($YT1VRcQFgf=G8@S6}DU!x+OEi8=_{@cqf`U;QB)iPO(_y?WyqvNr-B!H` z9z8YL0QIY6a!}>HF%7`M?SwM@+_s;e>E2WcRl4uP@&W7Feb;o4oe;ftcJ3n;b+s9s zjwOb??3FAol84LRsIwg!^#b{%gB16;+1Cq()>ntDI)@*xPK`!jz;*a0wCyuex1+Wk zoK)zyq@-kmMYfRvGtw7j>)MzoNmJMcDGfRrt!#;P6Wq0yGYrxj{#2f&;Aj=xdgeBD zJm0xr$W9fx-g=~K?e-&|f=fqInYF}zp{)sUiWGv)*dpsl`xiHz1gU zb@$LXLN-~Cfe7==;Qc|^N+LPFM4Wua1E~{nrDYI*inW{OP8MzH_iDTRWDtkPBrCNp zbJ-EJDIeayM>Y3p;~lLb>RCHYm-)*MsC6e}D4~^6%-qr!v#Hml>X~_lLkMV8H1GRC4OK$OtFH^i*Rdu4zFc zgd6AQQvL&X>CWcMKF>~IL0(+0V1}3&y 
zI>5JzC5riDWj*^z1{{_3Q60}J?XId~g?=S8O>g&IBCW{H!$@edFSj+Z%SD3-h$_3uMSl8~#rOA~NXp}L5(xn%ZL5?PKGn)(cUeO3MOqO2Zi85etX zZL?lMKLSf4kz22T%(IW41SPRGZY2ON&nYofOoO8^lR&gC9cbczHnI-|A@LoOf@`2x zkKfsj=IKUV0vUdk}43|}X2)WA%9WPWgrjbEd`zf@bPUd#n2 zF>`JOeD0(2IwF{OhRBZpt{AY8Wg?)a6T2d$?5-quHs0qlLOF8v z;6`4#=|Fb{k`IUl@b?lvyAJhVVvM5rZX5F}4-JzXNNq^1sA>&b(RUUV76&2i@i%G( zM2tW+_l@9ZfQ%=Q4=ki+GRu)5%4M+PhEJ=sJv!d%;jE%i>omT}DIRdBKi_S zPFtkk{w{>C|1ps01=FU13Jb{>rB2Mss#e1e4Rn)0?6 zm@*I}zRQF^ls5(6EiR3aR(G7>l(1|z4@j84b5z;>?Twxr#q&Q5wawx>Md6U%6L5VZ zv>t3F0S`+Qp8t#Ek#+_7x9evI;%fbgU5)U`cM6+@j&og1ATmPkzYG0UTn0u4JHrn! z5h=7oG1A4h2%4J**1BLpU+(_&pt-hF?*yt7DwUOVWGdq9(1=)Uvba4BewJ|cVkiM&H#{% z6ld-XlFlLzKmiYduGUtkm_>`H5B~<$^3ZxHkR^tzCcV>Nv}0%Tl>-kCR>ox5@mE%3#gPjlrG3M>4k*wZ&IuWwBmLCJ&i5uB z=Zngc>M+@DA^<$qoK??Us67$vNPX{u{xbOed+E=EbEMo8i{PP84bnU3BU-dnBEY`> zgi6;d0^17)_W+0l9y*y^F3643$v&a3rlTfds`z z?Pq*IgU}zd`UEn;)gK8u3k2cKkxtc_=mFk1x>OK#z|nUC;6MVdSP-ku7NTT~F#O=3 zHMmjni)c`JrZL@p)yW$ag(-6gS?UGJcK?<)jsGrSd7cxwH~6BLE%gb1n8Da91J$oB zZio5K8?@~4x;p$?qi%K&1;Y|zKP?QTxDgdjfvY7p%IKPy!m0g~%b%8fN$M=8C`clt5FF2K&G@Xap1N~NcF zXzI~?hj7EuQGK7oH@>M>DDFP`jUSzObVX$VP~WS2h-zyBT%l8fLRWSLhtzXv#STW3 zRoAg3tpg`P`p2%q@l>Y)+!$u+7&sY2Z%h6kgZK9cTyoVbYv#7wkIORkS{~*zH93l@ zhU~b61XNfsU4tg1ZN5>N@irUBb0$l&IJ|9>Rw(Jr7A~#pFQ}8;|8)#bX&}=2HX&e% zAhM@*GM+c_*?+9oxS?m(VivK~@9r7X9i0$-Q@(oTiAFw%t;ZkNYJtUqW^f^NEr<>` z$AY98CJqA&WhO%R=BEp-^&evJ-d%ss5u+F-9ga&-N$MHqVG6WJ-JI<|_G1HLTT2^@ z^(@%@D0o6-1erMbAAv$ym9M^kp#^IDe*^PtbugK+UOCfxXdNP+`Oez?9|LYwrEqr-h_z-I@oD){xCriB>|NY{XPX78RQ`-5j`rVg zslKOan{`%6gt1Hu$uxQb4-3C>fd6fp@|Sy2B0xh&bYwB_t`Wtb)X5E2QMX}8;e3SQ zEY{)o?GN6!<%CQOG5v)R`}0~Qnc0i52UIz90KL=oTmL8D|86V`=p%uRufUj^0Zv=45g*DLJ^p7Gt}(^U z99yf6S4;zbVHxKsXkb8`g)IVlnD7|0I zPaZ5LNe9q>HY;v%58{~LSI6**%GqkRci&wK@T|?yF2MTAV)>G%<-+{Cif4s7Q#&`) zd&Gp4t~F#$_K$6Qor|zBF`8;jX~x9ho6*p#etUQ%jJ0xAXvSmN`1Q;XouRI`AzCAdD?mS#Y91uMb2aS;k z|0W^{Y57t$e4s+S2p&OXn0F&`Eg2`E5CxY=k0O_=rpjU;GWIvMF3zz0EnpTzx~9y9 zA4vL(tZONsWaQyw_Mh~&o^mB{w>68?E+=8dn#k3?F^WL~j{J~96ZJR87sYO_9GOm} 
zWEot)7ioX9Rq+P_6HCZF7A5^u432Q^9CJ99!b{f#b2ZCM_a=096u)}1cHiBZh{Re1Tg`!GXSAd3wJ?`m$<1iF z^W*|Ux;w^nG$O~f_4*w%eA)ga-Nva#6`7d$D>8^sTu(3yhiTH~ci ziv%@6E!GtO{V z)9cs(Gz)FY2>fz7K~T`&x2;QkuPvJ$+6t%}S1fXvyqB^P^Hc<%$eA1}Q^I{Vz!wKp zdVqp!7R^Geys$GIO>6yGvEA^g1LJO~n+D^u_bh44`NI4U?Q`q-b1<1BCRr%%^nH^6 zke#P~T|3lngih2K)f>c}r;$`*M*hR8X=dD|!uJo_V{$E?h|P+58qzme>DqR$9{=p@USNK@<%!GHD8=d3o3~ttZQHHb(Nb%Pp6}zRP8sR_}%s zb(&$-9+A>PTyP*|Y9&-m7JSj%p!{#HBGv zqx_fIZxVG?D$Mj=F59QEag%m*!w?4>jh{j8YY;`@aqq?4+BdoAET&>&R^o#Rvzwxn zbZi=;aC_zNwdayUjk)JFsyk?e2IX&!R}Op32!V{)WO6g%jgk&Y_{Le7apxU7t!GG3 zQ}0xJUQJQHh`$;ayciO^*b}_ktG`@VzuG}uU9JdTWM8=-P0bX{Bwrr4&0HLo*Pkx2 z?~ppqW{K`uoE;QgZOt{L>VXq#OfMocUspD_2`qwLJwlP@OE)_@RObR-eKgQUeX+Qg zy-{x7&CWaKl-ok`;n@$kwV{Kd`$_8h;Cg3K{EyD6iHT+Z)5kqH5?b2!I_euO>bmvQ z9<2l&>{&kk>y>`Sc5Z&m6K`EAws zf^>k)bEX=9QvEcSIu0U|sF4fM($Wf}vM@LQo|n(e&cedP&XS*<{ob74e*ZnubQ5lV zwTq69kv1%BZAj4dvNG#xH&#&0LPzT3jqmIIT~Z*h1<|W7$+d@sZiwH0j#v6(9i_?49Z*_G z8I;HE+-Wc3@u#;vRaNV!Rq>gbuaAolob0qF^(&2t+dJffl4oxiEc=ec#c&_PKkjs}ZdWckIh5aQNtY;`X+>*k8$q-R!e=IDhfGun$@# z5uep-d3`Udn84!38IfQ|?2^UaIuUurh92Mf$G%_yOJ z@`t>*!I_jQV?|<~?l$(+;qc2ukw5jBv(;j}Amu?cgnT0Rnatpm8w8EJjv$&&+?iqx z3j>@tFbMOq^n)sji8GLNi30t!r5V9{0;$scb;sZG({%5^KvZRMtw7y{0+49~y3Sxg zJm0GX2Ge&kN6>db1=^t>D_(?b99Y#~mJhDmLc(4XO?%4c%7ikf9&@s=pN&E;`P@#F zYNiRuE|5_!n|^FX)|%F3H}s>+ZQ$5u!9EXK$_t)h3zpO^0WrQWFiaId?Ku6GF)m0D z3kwhCyaKgmn?Hb0{j9)KR+_Jdk1#Y1OGRBD_@N!uO&Bk_)ZLS&*_QbbxWBUvC>|Nv z9iHF>kUD`o}ZUlL^jYE5RQKM!6;YDH61Rt^R6xm8@^ zc^=<|m#-wbwnl^G5U+zk-l^{BH*!6!SvrJQtzRCb${!w-l7pZwC~w?=qzi03t( zj;{yD0VuUbEYD)&7%~ksr2^EgQ2;l@_V$<4JKurC3ui21w)oH(Lo)W^dU|fUFg7Zq zC47Q+h>e+onzCC)lUEyf^<;Q!F2*}kf)^)j=CLnNZ$YFz=&|P(0T|&LwlLI*!(?fq zM6fqLHG3@D``G~=?RWz?1(fQCLP6gI<;v@UHitAK6;auU$17;=?DLt;P+E|{K{pW( z3L^M8kSw#!fIGy5G~9uv6Y&#<(MEU)@>^;dsSoFwQweI zx;3d33a)9Y-owzLWI?V@sYlypY$lwATK_*6IxbdpTg!{lKxMX4~t^<16 z07bg)KV@blF+i6znsl>FuOevaUZy=coj;^_bp^50BC>=$w|j~k8z{qW^m%-Ky6K$ z4hxtwt>Ecy%+Wi7z77%UUx6%mnAVfUrOLv$E7$Yz!T$O;(5?%OC%o+zJN?~HXw 
zz3pEpBq!;`@xG!uIZu49s=`I$P0GtBDelAfOMo;@GOU9<5)d%VS-@n03$Gfl;Nsc6 zyqnN&5zM~at9-_-8{%{ukITVYD4Aci8uRHII-Y1w|4ZAfdK(5SN$S~NGY0AW3zfBD znDb>r=0?}69f9lrU&jvceQ7wq(wC_^7juc@U(DgoWx+}q@?!x&k9I$h!bjHA7jXbI zJKY2o9HFXMZajK4;ZJ&PvcY&uy{DOJ3zZ4IR#(TG&EM-fz=8Mu0G1x~v?R4cSLW*! z@1fGTEhzS>DQZ3{B=I6G^2oZf28goFVz6FW(n<25PV>95YIiG(a}OG-y2xi@p1NvU zc7qiv+|??YzCyinx?*3sn+{dC?UkpgQZ+%J9()^(xgt@H<=-A>#YDwqoioHdk zX)}iZ8`c4=jRn|Xl071W&(=gQi2F(95K+Y*%v+8lydH0$$*wkGNeYe(G_#^A_ujP@ z<#Z+eLWq2k=)uIpLb6qUwzn8#&q)6<7u5q9Lcg+9zxRNWQ&&X&SxIT|PC*48Kr@p4 zrfk4yI?yBs>w^Y#5h?_TeI=n<)ab)1LCX`F>~9iS>E)CPvGNsMn+sPj!Qa}y4L2_c zw-O|l0E7aV!U~Cs01$g7N(cX?fGCm=*K11Qy1%Yn?6m_4D59ddEc@I=t|eldrDv0s zqAPT5G!0>ELg6%j0z3J|-pu%Jv#z9#?OBbv_vD&^jyLk1{`}`$12qf-IDcH-zWA7A z29fi2?)EK!ni~{=JOF=>e+$gn<*1yyDQSCufMpY-wohk@KhF=-HLpWouzO1 z{_%j>lZhKg?)>`ZeMoD-3(FRSrdr9}Xn42D3b4<20-&2C+K5c!;_m&+{$79jZ*inv z-RShqM-68LCTsIgaB5)XR_SueQ(hF4kiMejFYdQ)h8|{mb7X$qaA| zW1-&rbdEZN^|-?j9I$krL-sxZVJ za(+_N!q!SSeJocwWKaE^SYW*}VkApl6GejMjHmzQ4t_RWe!_M7J`%*+ed9=C?SpS@ z6rgBvr_fBWaELiW>wI3@_*pP0uN+xJL9*ZVS@(+SZx{3%{Q9zpO<0Q6oeW&%l{l0biBsijOOlhc?I$|Ny@1N;Rz&;Yc8 z(3I%Vhi{rr!qg;yb|+wKE;G-p_!^=>?p~mtRivRPE~pra765XOqbA6r8Ax?dVGd~D zW_wOP+vD#%1fe5~Z~0`^9r)#CD}rUKYG?d;REx0X{89C{Pbc3T4lQ#(5CjYd6)(tf z2dC%yth}&n9;Y8oq9e@Zd?VlzjNPr% z*b;IM-8$IW3YcF-Y_20vOoPlj$p;J0kvV4dGf*;=qLNM^`4Y%EuC>6J+Ec9pVZb$C zb+tbU;%iFvyS&%emoYsPW=vm>xe`Dy*HP_HpFpIWJIDv|Dv@0qd~o8RsJ%aFW79Z* zQ$sVm#GhKSD}7eVTs(r!cRPKo_aL|(s$CGc0m!^k zm*9^MRWbLn5i*Q+{KqViR}@!sJwcirym|1&8n(L`VdYRI%v3rNi7k4WP@nFiKfAKgPXU2GxbsX?q7%Xmr-@v5*@5x z>-Miq5V8&FjKv3ib_fTGT6O4I{qzF~6Pp^giiMA~X(`X{scQdPa*xsZMN3221`8>i@S3Qx%58rNm%M?+j2=C<$w z0&ZHx<@gHw&rLe8JCI4+aT$QVfSs>Vt3MdI<(M&_}5So#c=oDV9ZZ~(lE0*Ae@ z(l+ku#I*{zUKz=k+TM4+1v#&n5-RPEa*uQf=H}~JQ4SlB#Of&g=pPdz$Frxu z3n>z&CxNu~Ki-@Jzd!g+g{1jeZyz#;5ebr8=v{gY+JftDVW-(qU_c8o%Nj+-;;iA_ zlQk~l)eKoLYxIAam3xdV^%B*dlWDBV(mu)Z|Mwa|6u@dw&6k z6`AgYlH!q;R$nCSC5cH0Gi-XRUh5Zwb=IO?xB1yvhCjDlzUQkKIW{dPed@ASA9Ae4 z6V)&4fZDRRT`9HgY 
zl@N1P4w+xStQUHTaRlRvyE`Fk;W)Fn0+)1uX$vyHF#WP(thxb=LZs_e4Cguq?#*u& z-i~RYDi#3l-GQyi!O!P}mhoH%w^n-PHiojwJ>H#ia+`l}pY%S0^9@&XeC?x#4zb^k z+-v&7M<2hid2oHF40nM}3G31?XGE>naq2i_Qkk;pR&tZGjU%uV?HA1)$y3Y^EI;23 z5Ky%1dfb=)eaK@X-Rad%ZC1^1nz+6sA^5(TmBzqni&^WTX8%@8rPV90a>I*f>n{(3 zI=_{Qep370m`o(##CNXMWY()CKUc#8GWVjR_h3Vshyzg1BAC&vmqA&R->Wj{M9!+) zb+7C~2hI<>$bUSADAVI%@5Lp5i-8ngkLao|Tg`UUIi+7%y98VBR=t5;GAc;TibY5L zO+5B%)(r@~_N1dlfu^SVry~W2nJD&SU8@A{#VKd!p^?~a79enUEivfhumBNrv6`uQ zc8s0y3P{9B-)R0a*z@B+=%XQm`_n1&i}yxf+r_JNJI%GC_DwP;60DHiy{2MWgh6Ge zm3)~^R(`fHTCr~52YQ$MIDU>6^aupe4MSX1()o}f?*A-#x8FI~o#$ZzgR@-QI!#&y z<5{Pfdh5YiF%aoe46cR}hnZoJjFoRYG=H|&!qtupq47KK-P^YybM3Lzm9%qv1{)K_ zfe{(@THos&VthB$udXLyv@dz)Y)Ptb=2dpb)&fD{@NDL9|1wOI<{Oy-+Q$I}C0h)p zoCQ#i@e?n_tc1_-9^@5SZa>Xt*$nx%RR#@^p)sy2uy05MdP1^T99esx%IPR`&~*V* zD-Eqr>3}no^&qDz)=FxeH~VLSpJPUSK?(fD4FAayJ1 z%{HAqMf6&rMvh~Bfopk2I59;Yzad~xW_c+(_;Dw19dJKP^?pWysjFUjY*D~_hVePC z*sH^y<6+9Me6HQe;_u3CwfR@08)z>6AU_W8uTD5_o8@-zKSiFVbeoLg-H$70H1flH z6IWc@U7mx@{*buri{qQVQTv7I16$t?Ga25E{4mh z>N=)&fxuKG$IpC9#Hi(rqKYo*I}A}hCVZm)6UzzQ&?8Oa21nUOAG~e7XSZ(=YZ0zS z1b+fO2D;XIk4uaAH=>Gc3cfgqzA!O9kuISvp(|l5iSyHvHal5QCzyY5rDR3mY4Uw! 
z%*Zjw>9thMG9*~CV>4{2m(sPINjI_9)e&bVic4lgP<_`Wb~9V1EZUo62fMK?d-~4( zsZx`bNlqEBBrD=WVUU~2%GuJH<9Eu$Wkk(dW^fm&JcHadqUs$R&e02Z!AUCf3|3C) z+kyAu(HBfc>8X(}KYfczbLW^aUEr(GkzT6roXmy5kFp_|?a*xng^$qb{;>+qc_0B3 zI$j)ROkXh2fIsTJ8ismu@?Ma`D&JCZyP&F0Tw`f`qI}~VDy;SR&?dSK3X8*sC)R^% zH8ji==q+_lzj)MSHpKqy;C5Py`JJ2QJT7pK(f_+>Sw2YAS>P63AkozwZG*0osi8+x zmSMY)Qz*26o8eDR-br<<@yBCvcLN6ew;2Il%IC89=d$Ew2<&wPHgT(Kcj4oCqE&oj z?#)|-ThD$WVny-^lXlo_O*krE2E=@Fsq7Xs3fh({rOZQ>GiY_G_fbBIsa(RE^TBgr zAlk9F_MHDp=q%g0&ktFKPwfjk>!o(9L&}H(mLfl%6KIivHS}JX`B&HF z%|0m3cLGtUFM>zsmK%x)Bqb%f@BOe@^DxLrnKL0#hhTeuy>|hv*QB|0Yb!);&fI!U6zGg&0D{D(3%NEnPxfDqnn7R~26~vqiUSOYQ|7|(1 z$8YQ!nv_x)h@k;osh7QRoLTmW=>yIR@fSob`N1N~*NfvL znahQy9JU{Cdlu5V*y?i>P59M+T&by8o%giFo*yN%T&`ScJJ?N;dRCUG>V>Emzp_|Tok^QT5UH;(vi0w1YCJXtplOrqxt5)03W78q6c6xgP z26sI<&|ap>z)ui@buI^bg5MdnF1MOIb9mPB>+LJ4$amPaZ*ODGOMhf(AgU$JF0()3 zDwl9&qY!=gx_e~4%6{qTFyVpDl=>2!lwC0PIs2F68_1@U$z{})%xb~W%+2~6H>Aw` z(-kXkOC{FJrJnJxg62~C@UStw$T9)Ewg;td?%jE23kj-uNK@p&{go&`(SFR>tSk{XcBrwQ-~(_ymw^PQEZYa)VD}% z_;Fa$MA^Z{w*zthpAZE7oY%uThWOah^TKl<#U*Mcp09DLg;o&VKIh5dy~Kk_196-h z_x`4|r(!3zV@}`c>UsLqV(AH!o$ zBM1r>cyUos;$prC8XMidb?5%=CoQc)k%8CNQ>qJEq5eSew1ZwR<~-<-bB3GSn)|%@ zSZsS^mOGf5`-@lMEs0{y1>fP53UA@p92;L3d!I!+FYkj-ihFzS;l;ih|6r9+HAMY% zvRF6uRv>;~dJM^JOg*WopE>7QqvMmi3y(t6BKhBs&8K}!z-kD|ROtH6HK}IR!vOTJ zAzc77ro+L({UvfrZ@Hdr$UV$`rlc+|)aB5l`7;#p28Ljt5EB(#F#Ls#kSy$bpc&Er zgXQvuJX8-{81`37A11IewBOwN4S$;*yC_`c)%+qih{oBlug~??bHvdwsuBDZ@HrFo3$p*ouD| zQ>um0Q}rjU`FZAPLyYuK>h4zKQB1g>Z@gLrFKDWj-G6?6$X$6!zQ!w@AKP-?%nFou zzpsHOM3!R!uqEe3JRA@CCogPLs6M~LOKf|_m%|4ey(%#)WwdJ1spy0JO*L!y=WeUmS0_ucdE2I?(aVA(z& zEKi!JMhFM1VgK~2hTP`M%AL`u^E~R_gx=pPDvLEde+==rmpr3yD#a*0a=_&Kl)pzd zUw-#zYU3L@bG2iTLmt6?(8zoF1qc&_4fNb|HR4g8fEiYEv)TC9SH-j$-((d#rgc_r z?6?ulSp4an#<9^|lr*g#LpDT~?d6$dzYIT&MDtxB&4UST<({ng1?OHe&`Yi!*nL;_ z{vx;o{U^J1A&t6-;B!UGDg3jgSl2qiQtrnP2Hlcm#g7C8Pl6TkC4;wG3z$so&Jugp z<{rR(9~0%vk!)7inUf?!31YfR5<+o>BgLv<48tbFb58eKV z=o`1h!yUX%O-?jJJ?PBV^U;1!j^d4P+)EvL>1pz|46P)sX-&}I7~4r#3}5y> 
z8&}ko_Q0E9`h4WGnY6r2&QI2^t{DsnJ zx{+ILE-VpWlyRmxC9=TF7EI}`l%O~EELC{8Smc@U=nO3y11*aUO%l{hb#?em$Zlr9 zhehVlhfBH0F&(l9zqm8`t1bU)J5y+oCPXXctg{G4Gf8WNbkKdDaicVy06(3U zM=*1*eNtyXNIIvu(^zD8<;ry*FVYaVQ`^;Ex4A5MvhWL2fftu>+>!(?xMLh^zd3|Q zBH(@nQ8Vx(T<@^Fd3vN>v;H1!<1p^IoN3=9E4t2^2PON2t*%e%yHpBZ!5;7=A1`(M zdN6s|*f`{%`#@y;*-v!pa3?9sF{aPnVdHk)sX6@n-zlcQ8r{<=O?(q-62knUvT5dl zlOVk?P461zX_8i%^u@fBcLI(|y-RAzx8NC^8K(XWf{36L6O{L977(cN>B*`qX=X`_ z#r=u;p!C-&FecTRM(8#deWKGPasyFIqp;uO5cpspn#*4l?8H{*fil?@R+m_YUo41?E;fO=e^L6CoN$ z?PV3jDT^Q@9pN}3S(Weo;LKm+ri;edM>6kyf5n_`pRYF)zIe-n*x`F`$HmdysxbG6 zA402z?i9e0=rs4DJ^fm=Kx&maP=zPf6*_JVN|Xj zpfUR3qna_eZpBuI(j1gP3!_Jk;V#m5Kir04)Mv7Cpv>FTm-hcDZ)EE^*UPf%ub%g@ zeD@t7R=Cp_6(*Bd2&SiJGYUlul2&}ZipQ-I!@M+5M9+L>NJ^rcA5&LmSRWkAi-ZMkR&K_okpGu+`36 z6@~Gd-=lr|0fe3T{RKfrV9UaUN=48LWH8tlq_cmwt7yXaA$I(Qde94-H&mvhiuY21&cb9M?svoZG zS2<4ONBQTU5kBk0{N=sUz}UM8w#dTwd>VMWj`2zMtvn&@`KRQizYr76R>7_q%CNEd zyCLJ`5}qdAR7;P#Z2O-R5TxQ0&5c@r_{cHW6}ly^c)ql4kd}k1TZ7X>RS{&T@9M-C zUZ(suj*nH%1Qimdspi|A8qP_iLCkco(R^q$I_tV|E~^Vg{(e(^v>_|+1+;1rg8d7^ zwT``#7BQ@x_V9h4Rx;(R14ec6{5utE~UBdUYq8s8cd!SLq zEiRZoA*Li(TXSQrY4qWeV@tta=AZJ$?__A_(jcT zM_irHBD823(V5YoUc6CIPO#YeFmGQ}PZXV9^VM3nNf4*gmz~pkS@?tJ9nzij`zJKE zh=3WeT3CyP56W{xSN?M-BV4qo#+N5uaK1EXqj+fM&!GM2VxH^pOg6be#E4HSJc{Jf z1tD(hWHAf=?Vx^XYRy3CANnM0*5j53I}>@38^Lw}YjXO5f2XGMTV)k@Oi%+aWUdh-{7Hbl=AkT(SUIC^%V%u0Bx#%9W2ZQy=A$PbVWEfgnx^62z>s5DOE%YtL z@*6#4O!8*>#fi1Dvgo5(Gde-EglO*b#XJ{@lRQ;Ca#b)7@eXQ;&Dkw4OH!&yeZS%5 zC#K{_B}hw=cC3;2*c`Zn!-#@LB{kLs*Ep{a?8)%O8vbJNy2~AJL`LM0r6{2Xsyo`d z%~$MH!StH-p2)Gl4mNiv&_A)8K-qN}ajzrUReo{ypk8m6dRdJkpC*fU_mtY+o z$SuYZ3>0@-e4GWNX786OdibNp_3SPe(PW-3D--E^+vZ|fpNWZJc1r zrg&NVK9hOn+&#m@yPWQp{>Wj4{!8d=*NdO{zD}`pt7Qk#Tg>-IXPM(8C7(D%uvWb; zO!HXj7#KCmtO?tebK-lQhXV|K+}t;zqruLU#8t6|z-CWjm=_?+EO`~F#57Uo^}XlJ z-C^c(ld|HaPf;clRK(W5fzFH2r}@E$CiP$z3?Eual^7$)ZjZRiC0HR7GZ|G)I*gZb zC>Z`&D3t#Z$$OR%rPl8KNJjc>v5M+vkR2tW%Dw%#UjU9U{<0-cIYg!-E@&$BkB+C< z$?fI}xa4NHxldIofMNr!^~z|v)q3ssa{$qZ2%j~1V~nz%+iC()2aT>Ws-@-xQv>x! 
zE-%8NH3bjLxE0jt+fv`qE7K>07(E$866b1EZpSkgvquMg^U8hpIz?fyax^|-`0G7FFmXJb&Dy`E|LE>{NmE%wA($T^_ zT`MlSmH2;Ur*C21RiDuJpV;I^5d zY`c!k}P!p04SA5?JKoe2Fqf_M)>Q`vzT7&y3G_956B@N&b!av*a;c)!rN$y zNB(a3HRjDok4a?UCD`hn zj?8wd?$`%gFoh!|vp=2eH}%z{bMYniY!O+6r`)g}r~Tn5E{P2`IM9R+;{qBukm%vG zNj|QswG5*!!FtgZhL%D#)^nKOOYTb1hoNEMUA61ehZfD+KRi0!* z@xre%(OR;WsZIS%jOoshC)uRbLjEH!HhZ1)(E*y7Wh(Ts|C4!4bejqJ3NE) zlvAFklM)6hPdM7YX8p$#*E_ChDMTN+CCe{Ap;Zu7u3$b_e7_gv^SY>B^Zo+Y(x_GA z!>85+-U83fCA70qt12zA6bS0x;h}IccB%v|GDZb$QnL!pw2msOM^Yv~EWz20ie~bn zvF@iq7vG0`WcoHiCjxGn3w~-{*P476P8&2zamW4M#c$zCJL5xe#ml)Gyxc~hBjHcL z;i7@@POjh-R8Fmh+H77`ee%mle!i4oHwv(=HJ8!6 zJQy@LAnKD?G(AH@P(blx9q6CBmJH|fzmvH`A6A=TRTg4=uQm~)3an$2{%Ter=eMc!MafQ^`4Y!IO36BX*?zcCOAbQik8i)cZIq^)sd<2=R}>T?D~-u( zz$Ps7mAVbfT#*2M9wGWZ)9J-eN-8-f2*TU-iHu?CPTss$q!pnB-Y0x+$@iZ*eo|fG zceyzty+44{)zb)pv9s}wowh+<(e@zmADvO(sMIz%p^EI=amzwJAoGM~|KUuJhbNdh+)$bRJKE6~A&N3$1?_z{0lnj$! zI)P9FkJ_lZS?jV)k95u;hEE-c0^R__J~v44%vXOpsdQ8>=$jpJflt69*NBX$K#V5W zb6_rZO@@cdH6ykuuEZcgFpaqKp;O*H*A;urim^F8vQCvF{$uHHkr6*E-tD~#U%b^Q z6YxyooXM;W5?|^rmG22!o?oiRUmJ1?CgB*1vFNGIKP?7+5wGC3Ymh8k!Rffc&T7=9>wwYQzL z&Tohu&@Md^Ka}rxi7PYGmthWlLN1ldpo^yVdALlfrj`7;Pw3R=95yVh%AC_o3zFrX zQb|A06M=8aDU{L_l9uB@z3@-&fHMe%*qYb|!1+u@tt6ShUQtXx0(w=XZSM{G^6=Mc$TmFu`j&}k$h&qCfg<(@rclYra6;dTZ+4#?B2Mvs zfFLYG&rQopJCjb5{v-Mrbt=(oi4T_vJ(=ddHqg)*C$hY4 zfzb=+97pO$vZng_(fvfNKs<*vkA@Uzk_KWfNZ`#dS)e>-W~;^o1UG*$hMm=z7ym8OtskBOf} z{JBjUm@obFZU&WD0j3{@6SP zsK}~B6VXf$CEJ%!p}0<_Ff!aqb%NMOo6$<~*0gt)pZ(h4qptaia}TxrwiF%wC3rOV z6_wFB3Sr-ecN&N9L8z-lsgK*8sSDd7r``G`o;OOl5OoWw6H%Fk?iUnAjEYSc(66ro z%!u+qZVYO((M&K6+ik2uW9bpgnuc2x@_OjQOhVH?bm?_N&bDiN3{S1%FLzpvdNEE~ zIA^h&eNv=IgiI66VE$hXF?dN#p1viPd>S>%`~da{i=a`&tM1)}))dpNluFn7uLK$eej~!PLL#2T4Rr)bxMS39G{Q@$uASc1m66M zZ|p)qWB_2k2~{g?;I{(}UPRd9!m&g3Nt$l0H>UcL9h$g!*IFy>74b0RQ>*8UpO1(Y`3CYFi&)OvGT!F#`Gb%{QI z3R*z9MFwy5a$9YImL<`xim)1UU$|=UFji`;H}8nGdx{ z|JKK2hi=+uG{j#qi0R%v9u7;aME`u(tW$biQR5b+;HUU#?u}y}nlS%G2BM*)`9*NV 
zKCUllL2UWZegE%3wsb~45mwKy(x8V342?Ss{*OpEveMnK)d=snKg=b^>r{Dx!A@UO znbKW$Heupf+P@CI-Fe%O#)4my;`S3MVTW5dAIYBEusXC5aRecLa+SOzxpg8ykol2a zgTL+PQ#!ohmVg$kcc&6B{XnI+FyS!X)6|mZI#Ir$;_@ZLB=m0y2A5Ef-FJ>SZ-k{v)*PL|tPZIgFrLRKR=nlUe)J%6mF1ovFVWqS+gya1 zd92uQZp%}*Hi!!xr<3}<=|?C3$mPQ&6?g;E2{T?@Gt#H zK+Rw%EIt<9K66+jz#V-_gYT_Kp?3Ds)o8V?DSt`2|${3 z4fxeBn-SGwKRM1Ua}Il`#8Xlsbb5*_x=?1e$>^m|3#6kr9b`4Fr?8m#$*BTzbXJyAXMgAOznuq64s9*)fdai#*y)OfSD5kSRl zhK_|~Xtd`upm=API;pZu9~#D2blx*yS$C=)ky+sdQV*&@;!SP1wk%$f{>sl8Z(29M zW$#qfZic14zl}oGojLS^iWPbH!pZ*L*#p^tTV{eVoZ@RGDQ3iHDt}h<<=hjRrhA_l zsbXo8CR`^!6P!-nAL)u805P^vM`bDTN6dXQ=7!#qx$&il5QWNqRDU&+4uTp`4GKs%qv;k$CigXL31Z!&ntvuZyeR%xPi zRKTvWD(sj9UU^KElgIkNj@j^5?;Nh5fkwcMZ-O~@BUrVm2j^N%U4Xpg9gu9%of=lD z^v=gmp0hM^N-wl(@hCooS{0vs^AxdH1N&0lEdX3HS2;~E`URxVgzoG^l98XC(%8_s z7cVyyUS+wYaBFy$&$z1=Y2uQ0wrv#SZH@;}o9N`X)1pYWU=@!Te{j<>$JpbZ*SoKY zouFNZ4}`ypDL&w|c#Nrg6E=6d#S_!Z;Pu^ygA~LFm{d?!PU6vS44%8^R~UB+DA4|V(GBC@ zRMhG3laR&{Sl@@XCiZe!KFA~wxpAX(!$@|iu3<%l+asswkl`G*RP?Y;zrI$}vphb! zKhqSKv5y(WwT)+ao_n}ZOqD;48;Ifg0VIXsaKh~EzgmeRFUVZ+$Hc^P0_a2P!tBI> z+@g3p>Su}VN+0?0l<_XpRhb$EUJ7~k<&!jQ7ZYNuc>uJHQ%@jbG}gKMS$@CHxs%qhhLw5)Cke6{3Kif+`|h)HA~Vl|afLekt6 zbN_LwH1R=xhf)|kKKzy+%Jyi5m{xUx_E%T$KW-tf)W-DPAx4ipy4$)r`<4|#LwL^J zfTIU+#ThCF#2phivqn)gz4@jt{@kH(hd#T1(g`Jgu{pcTfL$yv99YoJ^pUtpDDl}g zty`AH^Y&bSEHUg1>cuURX`c5XugwIBD?Y{wU63~i%O<$S7;jZ1H1auL#$A3tN3z~> zYFr0`5r;r}0>KX7-x0t_HM@6;deG<&Q{&LAoqe4|68>ZL1C5%vdIN1t;6Ztx4a7bt z{eVr-?@-vI*V+mrwcgW}I=i)A;li9M;#>aH%6kR5bwgqox)tHMiH3 z)pA49^)Dp`u`mbz{K{BMPrj6ChK8uNv?ZdOvlIg}U0JRiK#lOe2g5aqdOOe@YUpqK zL2!1y#L@Brg$=J#U6HBOvBPMHgSej{T-?nSh==YRVG6t4=|EtaD;V|PM!=ber&;r+ z{k?Gy^R*U6;B~j{=j!fG-rNsfz8Sx`eGaji4%+-Ygv@%J9xI*9UwmifN~=Qrm;v)V z_*uNEY}i(La*B0xD@vz-jVN_)OLJ&zR!44?QI*M%EP(%=w(LEKu-VD)_Ir1s1h>X# z#%1gP1~Olpi^uzW7;GNmONW?R&^z`A3SwHvjA9Z?TTi=j-!Od;ktk4vbR#Lq?QWfP zvrTa0RWYQyjK}4zhb)zNOH=0^`7X0!(?%tNh zh&3RDFyHOTp!d;V{(46e9dl(({$pun_dEQ)O!otV#UCdUm@Skh+mDywO<=vjTjMM7 zGtZ?mp6zeuzf;!4$bd_XquaFpdC{aDhLt!_G%n(id|2|p9Uxvn`RI^|KKVMhwMIJo 
zZXT=`al__&_LEr~Zy5HEY2T+ivLRAHO#6+mV>;GK29(ppfO3x zlUD8?A#un+C5I+cRRi z2G`ndi!M^R=pP?aX;N_K1faMwGq=cbWL&pHW@psj<1!XCb?>)`1JB6sqDbB42J1Fz z7pjvNr9w1tYbs$&)Q;Ya!+Sv-R!LeTZsA z*Y1z4Y1j10l*jofs9^C@;v~qsdV88pWJ&GUqM^vc{G6$kY3>T1i?mr)AoGUoE^K0WdCE(aV^0r>;%=-XAz|dv1?`^@w;>>>Y^1Re48p!-TKCXyr zXqHF2xD$Z-Ak;B`#jNMk_xE%Y+72*##gb@#)fs4$os5*brS1<9^wYh@ z4U9i95!E*I?NuR|>f+90rbtr)cQ+ zkH>`tYb3mi=zUJL-!W58_sjEA4~i^uS)`UlXJM`i0!0@3L{pjfh#w_9_m5z^TL*=s zM$V=U0)IMljSFf$`*h^u@-*B{V!F7;vqvU5CR{nEEEoBvL>%E~sN1$epxo?eEziQL z_Xzu@@vZwl37`8i)3G zk)d57em?GE^(aZ^vuogYdLbVU0jt#*L7ia?(|KQb>Zh_fRoq$dub3V>uP&7luk8z+ zh3Dv^_^PjLBB~?|{boCNAY211UX7JB~qdBE$#P?KF)$w|DjHMly1kn2hE{;rfE z^i;tiL%5RoD$0@Xz`WEjsU(NBwhDX2B{HN;flU2d- z(1z-V6>s{xPY~1Jx^pcB(bX@;Gho;aZ)s@}$yt0%`8wg88~FiDVaE*2dC1W7h7_zX zWIg$-qcma-?%(Y8Yv79Mp>A0}fH`7U4sb{OMA3I)V{*uNsVC7)DKd<$*Q-1R=tw1Q zj{N)*Kz}nWTmL6pZ?NCPHr;g!IpyVr!6{sd&r5ka2OV>zV(+HPWLvj*Y!i##Gd#aF zkaB-gZS-cnuMhg6&rk^5V7ftJSp7QHUC0h7f|iE-cE~vN!l1PmpBG{{vvF;Oh1wKg z-)x6Bx^vBP$7*Qzm$bv|4?iAP^79BeW!N5kz^CF3lYD5xp2V9I&S^Nnvry$W@n)kB zBtd6OsF;I8*dpo5>+~9U2v`5bZO0q1JZvD=Dhks*l0wYu#TawEmap?ilr zAa3S)4Z+%Yb8c;RY%oL+Gh)P5DQ-T3Qn=>C50`;RIe$F`(BXDO8+u79q_j1b2JU-P zSnZN6(u9nC#2*ZZ^%Zzn^chN7SPX7S7ZRFpH>8MxH{phFKMfk! 
z2=^_<+d(qa_m=6lMyl`neg$0gPWaGau6HRF#CM$ZJJ-HQtN$oxc=G(npu7F9M(5MY z8P?9nMt7HxX`Ra1T9<{7FhERp%D*ecWxkUi8z>wYymQa6eaV8W1!S5(0qNf+*c=TH zi^Gdncq#r#hkdDD5-7H2RHLwXR3Z9B6@M(8)54jLHQ(7Sq?q_f_SQ|dKyn@F?;uI63>CNY#mSAWmjFZ{-uEYcA7rZc9n*XTh2h-8^_85xiD~vh#y8=f&R8p(pbJh^!j;#=I&4e26I^OD(76p<-Ky%4DR!5Q)t$fzY+!M!2p z45U~JoP4m}28;K^EoxY^n_|s1b5mCcisPzC# zdkg1Pz6u^vv++uQy~ZHM$3(uMSkwG9A$9{YEnyy$yB_h|Y^mRvw22*#{h9X0^w>y* z`${E{Q!{@eyE*N=*Df$GS>T0_yCLP^xh?8yYe&Od?(3{_6+`w>#pr}wAY?>lw;WQ$ zDCl``O9GanELccukEsN4SYBTIM37JAWxdAE93lGL}}C)W0_Pu`1(KD{PcWYW>K*A%o6}cVD>A*RGMNIB=JP!(4e0&@@oAI-Dw?{rA5k)q;E3!Kum9n|L$m>>p zDn+_UI^><__0mp1kw(a)7J7{{;&c;g!#!5v-c!L4X&}X$ix4i99m?K0(wbCbzbE#V zbQsTjsGh&`QWcRG3qmqMAK zOmsj>aGlpm)=pR*)nQ*bMh+|pfumxNDoC>ZVQnFHnBjwnZMCKncj)|@3N!XWBx8SZ zKVPQN-b`+y6%(AToEK#>6#rTHh; z?H!-c`EL$vP0>HA8a$!Mcul06hg`Dlv%!YNogm+ri2dr3l-^rfHHb7mdj^tOFA!xu zGvcD@PuG0beP_eJrosY6>F{kFZ_B6ET0I?H_S=GiO2>6_-XhD>UPaTCD#{}vXW8~1 z$0h}xkC1;BJH42tvd{DP48lp9gzSj97?0z5u&uT^3l+F{R}Ts(7%soqq714ZPocv@+53bc4Xb98H#+fs$Ybp{E}W7~XR z0yUl26#(J$h+e)RTDp_xC0b#bPPvy7T}+zzTU&TFRzNo~b|~@BQWW~>-uP9$Ra?wL z=K~Q*M?eAa3jK9?F~gc+L)3g)QfnCYc)c*#DsuX4kRzvFoE)&fegJh+;3b3!CNcca zvHj&@;g$rVO8l@E`xVf@br}UsGt4YunU-$nhemspW43fw!^t|q|4im#)7vIZ z;AK;}xBm6@G+xdDH?{$-5!K&y&;$1Y4y}Uy=0169uOXj+0)925o2ePx7HdR$Ezkr` z4^;d{Jf`oAM8?OpBVL}@QS9~+Vo>+McnF_0UN?KZtDk}WQr_6dk2~V%s<_zc{$E8t z#J#X&P6`JrL;N5ELBmHI$|O)P!SW_y47#&AxZ_ph=-Ow6ioKN@f@!?>+qr%dKc4#3 zKaW#H?ejpBl($^RcVgwQDznjHF@}o0`i;B{tXI(Eml#07?^FBb{(Wd2#ln6*4!YbL zQe?M$27J~9u+&5=#FQDKfg=&gJ;yus)UgiB!I)b~E@zAPuL`r#T00Kv%vk?O!_P_t z2Ercl0ivzfuRh8lQ&;#T}?XwdA+=X93fH};IMlAlh?3E7uSFV*Elo)eDGC=0CEVr z>uU)7|5}&-HXNFI*xEtkesHXw3+t3u111^AHz|cfWck~@>9>;Fvu7sl^(ZkEwRnnq zKr$VJ{C;%Uo_R!5a`}{cVU4NZ`|16myU1*;X!#5OF_1-jG@IcGpbN7; z!K@q@Lb6JIkCD{tgoTL60nla+8Q}mP1g~9&O_H8&+_-nZoo3DY>{}8;;_iL_+)abb zVgwq2RA?wA=gos@?6Z46#IT;2s(+XEc9uor zG2hF18I972E}=5;DkdY@-E0tILwOYLJ!O$mav-Xk*E%e)^i_!Csg{{|H*l>a;- z?D4%UlO9!Dd+vXV1J&%76T|-0l98xr!{8QOuNde!;R4X@xp%H$TGUgHlyDI_@?Bo) 
zpAbak3;znSGu9BtdEyr%kvDD6LjPFRPZStgE`%-15923jb+n6l4buxEjnnKPgKdM> zx1p_v!P3t=MVI}BH^?`2j-a`$8n zwYmt4ci_Y^zwy%2ub01Vx+zX?kqq&YLi6-%r4`gPOQ^6zzh#~Nxsf&s_J-ggDFDKw z7>1XPpDW~?MK@$L#sQ7}>PhoILjk2|g6}-1+LX$j<4bD+!*J^d=}qMQfi-ZitE&w16;8<63n>8*fSiB|jae|KJy7)mhzx$W zc@S?r!PZjd;sj8Mam!5Bwcn`KWfqKMc;~rFnTLy9GI$;U>j(`2l{T-2i7Cn^!?0g4 zK&t{kBl*33_kq)kPV|h|+K)7SMw^=jgz4P=c*AEJO>?GkPc(f)fpSn*vl9+Z`ztIN zG+xd10hr$%bA(#=%VezNJ%e3A*!=U`Uz|}t?Uz5OxP=Jv&PrMqK8UHB+2l?q~t$Y>d*CB`m32?b_ zwGH6VDvIA#70-UqYQ5hb`3B=E&+Bj5hwdh64ot(q<|5Dz8(Zh&s@_oFoREo6pD4an zsZmW?EiP8_HY@xm2uPYkQmFrrF93i<)FEZa<#I9fRjDz=BGEDB0Alv4IHoCVgIY{%tAD>TB6ab4j5{v*IUWdnoVe34F}!uDa2V^a78A_TMoc=0k-y4ss6`zy9+66fJSc5 z2W=E5kN<2Az-NVlJ~6|c9qRp-sXg5M(Eu|JSK#@8sus_my0>$4h~{rqtk(JIK)g~CUXANUW+&#m`fCltF4&QW{&;; z0k_ecALr!(Vhs%C9sQfkf;ELRJri)$YLrmcH%8?TMu2Y3MCHV!a}KuHicu(@&J;b5 zrxGfy+pKqo&cyHyjFP>stv z1VBUS?~?j`s-oh*Fn9&}0zlmurhcjb`~mZ^wp}HaG;|5SX9Ar$ZO2CbfRVn()xAE= zB?{if)H7R^JQ%I@j{$Sc5P*i0lc0ymk}BF0RFjapqHzu3I`Mcf>^y_F5>qaDe;}v^<|-~xXHC)y{)O8 z7I*0QG*kNPxj~*A=Jn)px0?+0iDV%T4$LL*!1-gp=)NHf{?~9U=AP15(#R5ENF@$6 z$BVys|4RWs(P8Lnk>hb-J9ZgT4Hh=jWAEM?9p011>#@?czt|%kNErVYs0)`;DnNOp zt!mj&UrDp3Z0QsU9~p#8ZjMoH*hc>5u($FqwziW9^;O{E5KZN`tlV3vGdnF))}Pw? 
z!^({mOz(I{OgWV}KGQlFC_I*pCH!A=ze;05uBxIq_TNp_cwL-Lald$ffl^Shp_|@b z!o{~K`jhSZueA~l0;T>|iHtq;wqH|A$o8Qtji;pJhqL=RP?e;IW!U)1KJjr`ScR=&pJ zda4GBzIa8GNCvdUM1+3PtiJx+z9DLXNewLjOnhmnB(*74t~CF8lQwy1Rsj?}jIzJF zqo7%LP9OkuJ|6u#QPBKdrw+xIVBACI`*WV=UCy$|Io_!W59hY(i9A>>U83ytj{F08+#rw2qpFB|`j1~>~xC$Wpvi~$_ z2Y?D|lxM)5@2@N>Wg*lL@!tQzq6+yJmB$s?h1xac#ebP`a%dn7t|WdEvWY@EsG$9e zd8>0PzdL~6xXj!4ueY>bFU)Zua7H81wl$)6FIcndBX!N0hXL=pp zcIl;lG=SOXbPJk|5l%k1BTRPI7J^B4Z4AzwT!SzH2M4j;XUQeZlMF*rT)M$rK+PU5 z%XW~9zz%rz2Aop-pl=IdP)++w@1@HPl1`c~rCy2b3XLg7!ZG^ltoe_Ze0Jr2AhPq- z&grh#Ty@9gW`BwoYu5y?49SvGFNll+_#lYxv;KR)N>fgTg@ncDEE&9CWyA_0iOuEq)yuI0tS}S@an^5itYnZf4!k zJQObi6@!1Vxq@7(H)Gzyw>j~u66`WIQt){0i(QEi2nmw4&uzYkwA@-JNXq?ilWBzl z1KOENoA+`OydrS)M*G4KR?p&9#VQ)hfPX(+KN~XZuaWcD;@fAZ8W1G>=3v=I?eH52OvOFOYI%dQs8E z$~Z5btVkPx^p)_qCQM~8HVwd_nt|6M}M9U=l;eDD-as!5#Vd%&+1X|TC6MX(F zO~5$e2jC{Akb+|2w`mrySuIJ}3D1J{9;o$&UB9FpP?`h)5vPU_n*hnuKoxE2mbwKy zNhXf^CX?;`lqi!qLGXUZ%A*jbQhn`Bx8l8Fe^JY|L6S)dnl6|OjjR7DmBiZX6#w1khUl=)9{4q8iIt&x)$ z)T%bYic7x>_9p)a;xrRRJo4qc*f*OhsZ6bxhj`w<2~X?tK_-or8X&=}gyAR&QtZq} z)YV2^A1diq4?A8BaagspMz9>xIRvpP=Cta_`h z&gXcT@x_4=@EcPGjjIS(HCg_cXanj~KceXp|JuicJ&lgpFf?E#+7m<}n*UtoT~`tS zrw~Ghu{>59x#X%$TzIoL3{ddn1BfZ4MRyPZKamK9=SPeb-rA zoT#gfz`wS;EBIDI#Kj4E)sDmSjN_eR3MtySCn%?)Ve{~+KR?(1zSinsZKT%7PhLa- z@M5A>R&dAx+Ft2Dg&BCwAH@E1-6PulR;v7YP0;#vpWh`WmM0wsoJH69|Gwsdib{fA z8;!8N)AhJQGMRb@X~i1ZJASs>-EpPOiMslm!1sUvW(#fg`dx}( z7z+N12LA{R0O_qI4L-mZv@fgGKX1#H(iXKHz#{-?0?=#XJFvd(bW03+S`_>h;D~Wp zjt@P7EJ>L~z%_>2HN`X5jI*8nOfRb`Rx~nKo*)e|+D!%ONCS+$;vqYOrD!Sm4;h%_K-g#z4iM?#_&(+&S7Y z$iD>Gc%iQ`sWR|T1BZDao4I|l%7J<0s+KZbwFH^9R-Uuy{oxffHmnMht&|<>CI#k$ zC!|3mG%~Y4-%R6xa;&yf!;@j<&w$!@hyv`}EtFuD{Tl2MzsCdq#pF{SBZHUHu=%ghCpjkz+-uNa%qHabkOH!mzgb8n+cVLJsl zt!WRe7#x_*f0I@QIuwDEM8TlmJc+I%L5geJ4t)#yUH~pO3r3;U@P&={xiAJTkPd)= zvM=5BsJ@TVjNEvc^HS|Lg{w!0#P222j*07x(0{r#nMKeMm|hex!=7-+p~Mp=maV~r zXz+Xh_VO?8sdZ9d7d;t?iaWgp!URyvLsS3$<(d|e1cZ6*Vz@q;EWq7pxk_yebOPMa z0roXpE6}F-=NdEIYx7Xk!THX=*vME33Iov)*=P?ca5T}{B*6NPKI=e>SATDiTzQWx 
z6G354chKL>-BY^y^}52B6{rkT3*Y#gkMwGaz&9~}Ii(B#CUpab*>dtfHGJ*(2mumD zB8{)9=h1l{Xc=%l5WxL>P4D@?TB-pbk!JM;gviPNmxcP*y#JZk7m!{HOk4EcI<~{d z^mYIV7;t=F{ddJW#R3$gUH$v->+}Df#@}lh9ru5q1>jjhFVO#f)Bd0REco?FqZTy1 zkA3gJy>#swFb5zRfo@t$*?(dUE~I=*g1eAkh2_K*2rwb)G$9!yaEBxbl zpVc3^>Vh(zC-g@Iy#+8CXIc~3ZN|#Nk@0xQtS31Q7*z%yJ8}VT?8ZxArFTN>97f>- zMREgT5rg%gChInG@@g7uR{)iaa+L&-2at^?`JobkUJZVO(&VB8qE+^gufi7!18o)) zH4=0HJh(E7WRz0$yRCymh7E`X;6-JNiM76_D|kRqTcsv19635WS;luWRh(WXgR-a|u3LG@KRX{qNE$xpc4mvin(tbMPhREGU)U=inF z4H{kD@)6W{Q973{t{cgkmU5rG`$e`XPzWC(iumvD3sMdxP#KlGP}Yq6h~! zHavXHs3Q1y_<5u#V66gyvXjLF#+yxqwN>=ofa+l|ywy+YsFr5goo>oQjitxKR91|A zkyR?=?t%O3uEtCtk^*92#|>qI%o9=)t{t+xU`M;nXZ2BoFGVQ%3QniYVWVhSI+;x-nsvNi~pxU90hPs&@bav8WaEoeD{7?Z#D!(Y5^N_?Wi zvGvFO2nn@`oROXS(u5((zSIY1ycI7p=c&XAE&?cL_)yuKBHwKMhx0Dx3X^}fyzM#h zI?m&-9H0_5c_4W4F)Su*8j--up%K)wrc6guW}5CTo>>i*#nKTN;sj+qkR~jp|I*-T zXF8Urm(_l3zs+4EHxxjTCsYU!75dyeEf$EkR*D#;_*3z zJB$wdW3cz?D-%MecXRC{7t=!>Gg}_{^KXL=tzCd1!qMb1{Cv|^q8%n^rD;&iG${nI zP6<#w6Rc2g%xxzV5u==D9^ApF#m<+}yAL7VSq6k#Q^{-M8sYucL`_rEl(1ybq!+)r z^L&H|DWcVOy(dmE%}-eUlaJFjL*VOhzI*s#Tg09DmfIq(p6AXZPZQPKlC>^&2=5Ls zzfS_GD6kbpfq2QnC@dW^a7{J~e7E4Exxvi&^HmMX%TQdgT*|Sw=V!0u=5Zd}hLOM2 z2;=MccrHOP7x>z`+YA%~srgrOh~8Gi$ntF@K2zpvopu$)?}V^f(vw-y%P(E-B|{3K$! 
zb{HHFS`;Cgen3u`0dr|i<`Z|fU1`y>-|HbYNiZ!B14-Cj4FJ7+gDWYD&7DN-D^~o# zw#Q`v4heKkmOpGGO^Nf)H+PaH5h5hTiog(}a{h&pMz16D2QkT&L8c1@7e5%i5GhG+ zp603xp#x+Y0XscdH)n>*KEZbKg9BiKRA;d5#j{!$l}R0*zVGLm#qE#NYDV0jY*p)l zO5P11tKNpNB3FGAcyp-WdHqE@%p2z2Mg2x{f%3XZK=IX+7N0;d0*iyfDnVyz+|H*4 zs*o=fE^hhDmBa`{d=_0i1}w&YIh2Amj7oU-A@t|ZpF(eko6S*YsJGM3BYN|-Z^m8) zRkYlj4ki=4)PDlvrV!Ywkgac`GJ7Swlvi~)4)$@8Hd#l8gQng(F|jM>Y6dLwUdPC&lWp$f}zvi{&Gr z@Ap?`Wl-H69a-w>MLmFyC6K!;;?~uWsw_ z2n>G2`1KmOdYHhwPU+qJtP4GcIJpB*bckat!P-Gy8{kg!aAA<_S8eOZgx=!yi`i8E zdIB?%S}hiGtg`I0q<{+9=z6z?QqZE=+QQFK(AcqFSl_AMc$wwI?6Y0kc5V~)_=CGDiq+F~?%ug0-VQ6| zd~G_cecEhN8t5(74)m}0OfD>oPrzz`CUk??_3UF?e@i(ezF5#drxuSfJgZhqwh zD6BifJsMQL#DUuLa)0Vn@d2b(vj;S|2e3>7EQxbS`WeH)iu=0k@qA=rIj?@zlsnbp z3-Wa@g106^)%2?yhCl0)qG4g8xK`EI1>veH! zF)|q2YA%h>%W3-4nAFsMa8rKuq3y3}k0JM*at)!C^CZ}pbdafZ`E6Ydj*6Ha^H7JG zp1A%;!!`N^jO;Xwwm)ASw_^a89=>hJEwqqg=VN;96kYZaRLBP+stdaft%?IB2)eTh zIzKh8)If?)R+pXbCFfgB7ls{WyQ{y#(H_n*faVHJ?nW=q{Tf*1K`r!pos zA^Cr+is9gu1iD5m9$zsyLk}4|)KwVhmME~|gzE0@&eg~; z2i%yyCVyv{u;j&K4`QL<&1 z;Wz^Jyi#T^tgVt5rK?;jucgv)l1$9gztse#%XHz^^d*$^@&a@VqHj-^!++fo;&f>i zY&of`PvGsu6*j?LKp31fCIJkmt%N7rG?|Nc@mUlHkIoM*i1vPlAq~p<1K$=oBZC!O zG|Qj9bB=Iirrn$@ByXpF}gSX@F}HS?!TR##UQ8epy|&si0t$93V6-*r7zj0{pn zX-0ud?r8Yi$={Zs>^42R1-(^xbNt%9hxTPyFCh*$b?~W#x=ARVu%VPtx7|+Joo|hG z(uJS`dDRUPb9-jKkb;lBsZWBwegffFiMyGlx}ux@s&Z9SX77~3!VZ8UO}1|feZtaf zf???;)fA~xTa1xqnv&EKk(k|twk~b#<3JH{ylM6(Q~l~uslG9uzQ$0)h!mhmBHI9d z1cIVW>G7+AK|A%gfM$cW9-!Ti=<#tZBFKM_*0#bhF)=e2ar3$JIY?U6V$ePqQpXIQ zT63WEgMV&U4(PJxX92hB2EhhUt<3CXZjJ!9PT8u!iX_S(UT)k%b%^Sjj}Dj<3`paU zlerptp}cC;Yh-ZnqGGfSCnqN(^rFPUJdASa1EOrNQ`SDk%pirlvz1mxZO0B$Y_6iN zq46t4M$3VjwkZ%_?!ZI;H48xrwb_-YiOFF(Q_WAO^nDLKr4u`JPAz{ba&a2JJFhO25o@O5o~?1g49@d3vh_RZlBZsL`w{zdBmD zyJuQDB1Y-N3!U@L|EU=5u4)hhTsK0ZBtKTn43*fi=z0G_{QHEY*We9nq(%`cMCxp7 z$$1ZBy22acVn0SAw@x;FG7Cm(Jb1QtoT(4p!Dy|4x!R3yT7jV z_;xJ$oo^08<-KExv`k6&KW3%T`Sw#pKGVLbZ!V*AtM@G-^wy-;Uc%iHNCP(`IoX;` zLz3rqKJ8ZNT@&WAOqy*m+I<1O=5JFBES*Y7+?A)Li0*FX9Lv4~K!VjVdAx@IC@;R+ 
z?R{joSnuduoMlJ_&OLI-7((I_&KX>IFmhGCNs0_xGk>_^zBz`?!g_hfDg)IOyjRU9 z*1Y>$#y%7$zWzejYV9_aMc-W{t5W&pha_t|l6=zc%qwST08bbi+d9m6*#!#e0G?JF#NSh+Dlmlk~Rtg_Ept z=bZ*oKRvw0BktK_PbR;4)x?bd-pWqj@UtK41r6nR8KM5P)4a2>qbjJ77f}hM=*Y!4 z!VH-QQU^|vtokpS8IPHfV>2xJ8o3l^rMW3E(-8;e3QiWSfJO$IK8sWyJm?%pQG&~R zVZZ~RTfj%9Y`IWVRcW$mFN+DcBFrI3pOk^v#ce&U*U}G?nUYQ#Kv74Ly&IL+<`0EA z41AcR=aT@=Q0_VjU#*Rp6B8y>F_(F_Alxgd7yayvTUc^b@cY3<09r$T@O_kc1*DjZ zLXL(_9Ez31*nKF?ADTFV;~rq&lf79rpDFdkley{~gW+x3BKTMJNRp>h1I*V&@!1#S z0g*|7=Pm@mb*X=e9Rv&Jg(KI|0GDmXpXy-I!nT`IbR84dMxq=`vkNTAnZ|Ng>HE&J%rnW;fSk{g(V$lW+tSOgr`3yEw=!WCMvp(VW5E+l(noZqaZ>|LvcA|(I- zg&9=}W`NE>%{~KRy?N$*ychUQ8_EY2dsIivo#a(ihH}3v)=SGK7yM^~#B7z^mo!*4 z@OP9LtOGz&(6Ru1`w}Bop_M@#^l9`sb72AeDVwxY^AvcumOdsSgs#Qmc~kB{*Omra z;0i9j%AP_wT^f!Z?a7UYL!vYG&ot}ME6pLH54{J zgFT;T25iEX0oLJMg?!D`;lV*oDpw8)fPUNFwRiOX`OL9+34~wg5zzJ9Y??{kyAO<* z+Dc0@eyIx>?Mp9CtA85ysVa)ez=R20YORPVKIdn{#5ZrYnXhwn}=qDkKS z>1p-qmq>`BIZC;L=%sp+LvDdG&4U~UsJiA1xo_}+*ZEYw_Rf1vvGT~auirqaTQ8_P z6NS^2PGj1I={?mu&`Cg93+l~cfCGr_Ple-Xfj(N*Lcl;YAeU})S|t}02~4tz?$0yZ za?2zkdl8Lr7F$Ae6mAkoHek${F^I&PuJf#Z5=6l0-_{O;?|SCx#$lbDIkjWAi=ABD zjurVk1Tm5$0$puZJC_lW>Mds8kU`;n|F99=F4oxVM~5p#I>CM&r;w`zpLPiu)02tw z*LWX=vGdOu>^XvE=??9eNwsvpuw>W(fh?x!9fsKqt3R@Sv**)YiNan``v+9Ke>EWb zie<3aVb-)8S?0az_V|SfJ(-|~mz;<~BTUP{voxJ_TV)yiE5xyQNrh?x-Zo*Vs%h|n zPJn?EGfx$%P!OyE%+BGb*J$KLldtk2PUl2auwZ?|V~sX~o5?w(5 zB14aHp|5ha`^(l;e>!I5oe-U+v_JX4P68!*s21W7j#anQ?l*E-Cc6@}kLjhR$@lz? 
zdq4pp(B{xBvm^ryalyB%;@b+(hn=vX#=JkKFAmFv>>**4g2TD5=Wham8D@6lZjry< zag3!zNA)$r=J0<9i6oj~2Wvx0FJ3VJ6J=Q(1shGKrKF^&rz--j6`S{Lymm;sdJ7(6 zqBVplfbVN>D(<{27zC&g$b19%Q_n$uiZDcXJ|N-TF2C^|R&9?&6<0PPmi8CP^?a|AzxziW zeuQJ)7-R%`J}WIWLA_{n?rO}P$9kFQ;_ZL2-8+Al$KrzR<^eyJ+i=OVCV=yHp2FsG z_@0>fn?>+sNiI1;;=Zd0iPsqn^n07JDw-9i)p)3gmXL0qDZj6MZqJ-?tf#g?Kuwcr zN?cK>B{^M-E>*?AhZ4f5ZmyizbU zJuI=1j5{b!2&T>1thmSo-B0pSH8zh{5A`@5o%_nv=^xf(xEz z!s&%mYy3+uk%E4c$p#aN58vsXLVEmwAl&IEme(yX34|2UuBEqlSr^>^&nlRpklHxR zL#_;l&`q`Q^KR`E200kS*?n4vsKG@&TwYRn?`b1f+9I)$L##I(r8W}h&%ir(okHeT zMsU{&7AfvO3yMs>9Ap5~>=zxyGJJfe^_U8q;!?|$^sQ>|NByAp<~yzQX1d+fIAUM! z58^Gote!q6=ncl(L5})8;Rw<`n)(&Uu=HKiyWaH~gY8j(!5`Z`p2Ph9lZ^i-&=qAsZ~q)JfwL9C>)6?Bwe{X+3RsZ;%?jBh?a^IC}q2{(@m5Mo%vFJ`?4(e6!%R877&&e&s z!h=-)kYp%`px$u)t!%j z{r%K;e)?8#TlnX-cx_?L`RYib^s@IZ;}xm2CSqrtK_+WlcqNyw?*&xKH&tX5zj|r; zk0<-MrU&_hDIGdXZpyLA+Q^y*VtJa+M9@wXZ*rcZOQg;*0giYFeV&WE(Fk%sq#HmHxNxwx}J z-Pvr3XY2aO^r805H{+@w$Hms^Vk6a^odGg_sVjUiTTp-}&Rz;P{NR;Fxcw8^)bJVy z(}z)%ukSiDec~`iVXgSq1uG895_w)2CUd#^JChfw$}NB^@|3IfCs8#OwOd~eHn+&) zxu`7y4-$w6u_ATE7OsjqidvUnZAyTZ7k5^uJ5}7NKw;P(a=+V-9-%bzx$FJjJ zaj_GnJ2lbYfW&AEMJ4<>`8!=*U;fp-ddD2X8Iw`0TJeWRwN8<*vhVU%=xr2vY0Z42 zD2N_){b*dG^U>WQ{6oAJfd>i4gM?X>qCkH7Sas^Trh=W)ep|L|xqJ6+1G-a8O-;?t z&NijEyAQP*P$`m!T3l?ME;eG_xx6&AEvWN1#`ulvbv&1u{`t=YWiT_d=cuT!D!Y<8k{`%tSU3|uTOc0zQg=35`d z7Uo}$eI!EftgU)MM=)ihKII{t9_#0of(>L8tMBTS$j+AzD{t>nvX*BQxg~3b3D*7| z*aBLX?hox9OgGZf`!7yRwjB>rj|a)wT2RI^f>G2qZBSC_9yB;%rWrT;(VNf4GL8%` zwjLK7sqRcemCCR`eKMpi+`rYeg^RC57Qa~=fh!8Dc<0eAy|R4?{an4d>kreS>vjIx zSBwD`T$bfV(X&N2*C>3u$ouHrNKeSRbNSQLkIx-yFAqOdp9cFh4Mr0)eGwj{HV@*j z7EV9=P-Q1$MCo-U*?W$mS*`AznVFfMo^J3cm<;36FTRV5#l^;}JCzMoPO$aKiBZQF zJMpztdj8>OlRAh@1md7`)rHoG5ZN*O+xc|fgpr4dNdpsaKmX*`#mPys<3VciAZtE4 zph1-W(|)?#tnNI1{P^L+hkLG8t?pD`k;HGa2V(i}AG9AovFBd2-HnJg;{`{WtvMSIV%Zz6lT%+};Q)$Yc!`o1=F@AKE z^ty?3rW3J@aRNX|Pb>lt5~)#WYN8X{RYs*^s%Ax2|1CX9IJ;7Pz2}p(ErTl+7aPf< zabD8le>;)Re&(LW7FZ_P94@|M%pr|*j(^tar(KJfxIsPfAQ(kB9Yr&$HCF*mM*l;3@NoYG%HOe!Z`4HRBX0^Fy{rRVjN 
zX42|TtNVA<-mCdxxtduTFXhybF6OdKA7L-QI_BJZ0gvAK7Pi0=*7D$sbfhHL9IhU% z#~c(oTJ;X^znEIY1dT1v67e(Gy~WP(VF&GFSegoJI=5~+$TdG@&*78m)}29xJk6u6 z&Y2m}aP=1R@#~8EsC}4AoTbio_4HQK>6YkLbDsY}ol~62o%^=%?hDugOOwq*E0<#Z z=Fs&H*WU0g;_8oN5ehYNf>`SG4!Y{}@MEL?-D(p>B^sIrGZ&4Wq!E<*Uq7jB&w5T3 z-$0|$!#f%Q&OShRi{=$ntxq=Zle==!!WP&<;TF`#@aRj$7rVY~ZoeY&P4y(M+CpcH z&+Km7m}s`lXrLp&7TCfXS!w6c>X?ISj-USfh8e)2L31$AW2r?b=2~D8t%cY8CXa>J z2Kw%7fi3jd!j+?I%x(UqW{qN8QN{Xnry{YMzNmb*_y)tD%b(5b7Nhg3W%cIr_VfPD z=>Dz2bOu{s3#D5~ufEUb1A2IsEi9f>kjb+Jd*ky~Plux)NU5*|w$RHWLi4O^EMi55 zW*h$W%3wN!EwF{sE$G72B`0N~N1%G@Ool+BQ_?d~-6>{gXQ!s7+5i9m01z|7iMpib zy&OUs0{{R3KsXGY#I9R+Y7QmMq{ImW0001pl%bn;lKS`chaEU)00000(ILet-8tNQ zlScM<&z?Q!&!6Ya0RR91M8u67H&ip(|A3uA=uVXdXs7j)^9KL`01yR|o6>KRoLM?^M*2QwRV601ySEkHwxexc4(NGt<-4oJ9Zt0D!>JyhNIvXvB>q&3=bLr&j_1 z004lRIeYf(-o1NA-%ir_H`%{`|J>XhXA}Sc03bj#2&QTyhwdc`OLyvPNI}!y4gdfE z5E|+t(#Y%Mn&&(T;VbFONJle|5dhTB$&)9OByk57K62#9&Ye3SK78n{qvVWzrPXTf z+qciYVpcG0*s$U1)vMm8nDvtkLl0(r^XAPhTef6B2moM=EG{leq3P$iHkbtU#fW+W zK%E#lc<9ifjT<-KxpT+7cIv-rFT8&zw1v{UA?eN;_`e zyxCh503Z+)=^U@<3`lpjJ5f(1+_?nPOLv<4`+)-oW@l$P-vCepMj+n1ch60l zdm2#^)2?G*RE*Oo%OXMP(U0zQbMbBf)x=g!2LJTw)6YEfjQ-{3+1)qVt(g_HzBIJ? z7f1O1! z1*2vM+?_PPoBg!9(|x1+yNTM`Z{dAG0DvMiz@_rfW9eRxLwB}2L&~e9fQd8#pgP<- zPA|7^|K+C9wT_838vW;m58c+HZ0fwIuPFP8t|r!hz1OXLw7Szq7QfXFex?0eEG55x;)ynHTjVN@(pRR0m zyWQQ$tE+uo-RZ4hUiXA1x)T7(Q5TVP*ND?#Myxx9;+=|m4n58Y06@uOy(yY>aRY}Y zlkVo$i(br<6?xe_yVv&a=}T9SqB{YgYIHABL8qi=)gP3Ee=KyTminyWSOCEKAzSb0 zC8mwIbn7^CU(D5W{pe1kV(mWI26=BkOVa38ce-!Pu7K_YfD+U^q};l?x~u3Sic)vB zS90#UWmi+$JMbHml0SL#!}{ah#jFbYKjwkw=z6=X@7W;P-2RcB_agNnvca%W3& zdyiZp>yD#z?AWnvIJ0CNC3GhMBR0~l(Vb1t;r$O0v_4X?oJobT10RY0stL6j% z7!)i_g4#zUqkg~GymtY=Dh0GN28X=9(c8GHbMK2gk0rJPbw4NlOL z#C!PW=H{f+}IqBxyVoGRsPwpAvH{ZLADN_t9wsy3E!<^ccz01T3t z5}GPdtYKiz^`bkikXLQ2s^%38P!^uHcK`qYShuJNTLI2Zn>OiZPz~A1gdJ!l-_>;_ z0ji&hfHLYQ000222bA?y=*@)T6yt0>rM@n7r$K`Pm_xr~#|~99NbKwAqd@@x0AP|( ztB@5uHs}^|* in each row to specify the number of resources used in this deployment. 
Remove the rows for resources that aren’t used. - -|=== -|Resource |This deployment uses - -// Space needed to maintain table headers -|VPCs |1 -|AWS Identity and Access Management (IAM) security groups |2 or more -|IAM roles |2 or more -|Auto Scaling groups |1 -|Classic Load Balancers |2 -|EC2 Instances |5 or more -|EBS Volumes|5 or more -|S3 Buckets |1 -|=== +// Replace the in each row to specify the number of resources used in this deployment. Remove the rows for resources that aren’t used. + +|=== +|Resource |This deployment uses + +// Space needed to maintain table headers +|VPCs |1 +|AWS Identity and Access Management (IAM) security groups |2 or more +|IAM roles |2 or more +|Auto Scaling groups |1 +|Classic Load Balancers |2 +|EC2 Instances |5 or more +|EBS Volumes|5 or more +|S3 Buckets |1 +|=== diff --git a/docs/partner_editable/specialized_knowledge.adoc b/docs/partner_editable/specialized_knowledge.adoc index 7cdb04b..96939ad 100644 --- a/docs/partner_editable/specialized_knowledge.adoc +++ b/docs/partner_editable/specialized_knowledge.adoc @@ -1,3 +1,3 @@ // Describe or link to specific knowledge requirements; for example: “familiarity with basic concepts in the areas of networking, database operations, and data encryption” or “familiarity with .” -This Quick Start assumes familiarity with basic concepts of networking and Linux system administration, as well as basic knowledge of {partner-product-name}. +This Quick Start assumes familiarity with basic concepts of networking and Linux system administration, as well as basic knowledge of {partner-product-name} diff --git a/scripts/user_data.sh b/scripts/user_data.sh index 0ca7ebe..321924f 100644 --- a/scripts/user_data.sh +++ b/scripts/user_data.sh 
@@ -4,8 +4,6 @@ function base { - # https://splk-quickstart-testing.s3.us-west-2.amazonaws.com/quickstart-splunk-enterprise/templates/splunk-enterprise-master-ss.template - # variables export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) @@ -13,27 +11,25 @@ function base export SPLUNK_BIN=/opt/splunk/bin/splunk export SPLUNK_HOME=/opt/splunk - # make cloud-init output log readable by root only to protect sensitive parameter values chmod 600 /var/log/cloud-init-output.log - - #- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead - #- Splunk is installed via ansible as part of cloud-init. The following code (line 28) is + #- Splunk is installed via ansible as part of cloud-init. The following code (starting at line 30) is #- needed to ensure these install scripts are ran prior to the remainder of the Cloudformation #- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's #- cloud-init scripts, leaving no Splunk install to configure. - # remove the cloud-init scripts from running + #- remove the cloud-init scripts from running rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg rm -f /var/lib/cloud/instance/scripts/runcmd - # run the ansible manually + # run the ansible code (cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml") - # update cfn package - yum update -y aws-cfn-bootstrap + #- as of 8.2.0, aws-cfn-bootstrap is no longer pre-installed on the AMI. + #- install aws-cfn-bootstrap package + yum -y install aws-cfn-bootstrap # setup auth with user-selected admin password @@ -118,7 +114,6 @@ function nvme_setup fi done - # name of the raid device to create raid_device="/dev/md0" 
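Review bot: The `chmod 600 /var/log/cloud-init-output.log` line in the second hunk loses the comment that explained it, so the next maintainer has no hint that this log can hold sensitive parameter values and that the mode is deliberate. I would keep `# make cloud-init output log readable by root only to protect sensitive parameter values` above the chmod. On the same new side, the ansible call still sets `SPLUNK_PASSWORD=SPLUNK-$(wget ... instance-id)`, so the bootstrap admin password is derived from the instance ID, which is not a secret. The step that replaces it with the user-selected password appears to follow outside this hunk, so a one-line comment marking the value as temporary would help. The body of `base` continues past the hunk.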
@@ -224,10 +219,6 @@ end end chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/system/local/server.conf - # add base config for peer nodes (indexers) as an app under master-apps - # peer config 1: ENABLE HEC input on indexers - - #printf "** create HEC token\t" && date # generate the config file and HEC token sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector enable \ -uri https://localhost:8089 @@ -252,17 +243,17 @@ end touch $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf cat >>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf <>$SPLUNK_HOME/etc/system/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts hostname splunksearch - # stop splunk to make changes to search head configs - #/bin/systemctl stop Splunkd - # Increase splunkweb connection timeout with splunkd mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf < Date: Thu, 7 Apr 2022 11:46:28 -0700 Subject: [PATCH 37/47] fix default parameter values --- templates/splunk-enterprise-master.template | 10 +++++----- templates/splunk-enterprise.template | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/splunk-enterprise-master.template b/templates/splunk-enterprise-master.template index 5d6ac0e..1be0ad2 100644 --- a/templates/splunk-enterprise-master.template +++ b/templates/splunk-enterprise-master.template 
@@ -12,7 +12,7 @@ Parameters: Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. Type: String WebClientLocation: - Default: '0.0.0.0/0' + Default: '' AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' @@ -20,7 +20,7 @@ Parameters: MinLength: '9' Type: String HECClientLocation: - Default: '0.0.0.0/0' + Default: '' AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' @@ -82,7 +82,7 @@ Parameters: Type: String QSS3BucketName: Description: S3 bucket name for the Quick Start assets. - Default: splk-quickstart-testing + Default: '' Type: String QSS3KeyPrefix: Default: quickstart-splunk-enterprise/ @@ -96,7 +96,7 @@ Parameters: Description: Do you want to build a Splunk search head cluster? yes or no Type: String SSHClientLocation: - Default: '0.0.0.0/0' + Default: '' AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' 
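Review bot: `Default: ''` on `WebClientLocation` cannot satisfy the `AllowedPattern` and `MinLength: '9'` declared on the same parameter, so the new default is a value the template itself rejects; the same applies to `HECClientLocation` (`@@ -20,7 +20,7 @@`) and `SSHClientLocation` (`@@ -96,7 +96,7 @@`). Moving away from an open `0.0.0.0/0` default is the right direction, but the clearer way to force an explicit choice is to delete the `Default:` key so the parameter is required at launch. It would also help to say in each `Description` that the range should be the narrowest CIDR that needs access. The `Parameters` block begins before these hunks and continues after them.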
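Review bot: With `Default: ''` on `QSS3BucketName` (`@@ -82,7 +82,7 @@`) and no `AllowedPattern`, nothing rejects an empty bucket name at parameter validation, and the nested-stack `TemplateURL` values in this template are built from `${QSS3BucketName}`, so the failure would only surface when the nested stack is fetched. The same empty default is added to `SmartStoreBucketName` (`@@ -185,7 +185,7 @@`) and to `QSS3BucketName` in `templates/splunk-enterprise.template` (`@@ -67,7 +67,7 @@`). I would drop the `Default:` key and reuse the bucket-name constraint this template already applies to `SplunkLicenseBucket`, `AllowedPattern: (?=^.{3,63}$)(?!xn--)([a-z0-9](?:[a-z0-9-]*)[a-z0-9])$`, so a missing or malformed name fails early with a clear message.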
@@ -185,7 +185,7 @@ Parameters: MinLength: '9' Type: String SmartStoreBucketName: - Default: bbartlett-smartstore-testing + Default: '' Description: Name of bucket that will be created for SmartStore storage Type: String Metadata: diff --git a/templates/splunk-enterprise.template b/templates/splunk-enterprise.template index 1e4fdb8..4a3d688 100644 --- a/templates/splunk-enterprise.template +++ b/templates/splunk-enterprise.template @@ -67,7 +67,7 @@ Parameters: Description: 'ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)' Type: AWS::EC2::Subnet::Id QSS3BucketName: - Default: splk-quickstart-testing + Default: '' Description: 'S3 bucket name for the Quick Start assets.' Type: String QSS3KeyPrefix: From 73248c8532e14b7ec97739405c158d39be5f8a8e Mon Sep 17 00:00:00 2001 From: Bill Bartlett Date: Tue, 26 Apr 2022 09:10:27 -0700 Subject: [PATCH 38/47] fix default values --- templates/splunk-enterprise-master.template | 3 --- 1 file changed, 3 deletions(-) diff --git a/templates/splunk-enterprise-master.template b/templates/splunk-enterprise-master.template index 1be0ad2..c98c974 100644 --- a/templates/splunk-enterprise-master.template +++ b/templates/splunk-enterprise-master.template @@ -12,7 +12,6 @@ Parameters: Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. Type: String WebClientLocation: - Default: '' AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' 
@@ -20,7 +19,6 @@ Parameters: MinLength: '9' Type: String HECClientLocation: - Default: '' AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' @@ -96,7 +94,6 @@ Parameters: Description: Do you want to build a Splunk search head cluster? yes or no Type: String SSHClientLocation: - Default: '' AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' From a64b47a83c7d783aafb2fd79b759bf24f6b8292d Mon Sep 17 00:00:00 2001 From: Bill Bartlett Date: Thu, 28 Apr 2022 10:49:45 +0000 Subject: [PATCH 39/47] remove everything code-related --- ci/defaults.json | 38 - ci/taskcat.yml | 27 - scripts/user_data.sh | 622 ----------- submodules/quickstart-aws-vpc | 1 - templates/splunk-enterprise-master.template | 352 ------ templates/splunk-enterprise.template | 1090 ------------------- 6 files changed, 2130 deletions(-) delete mode 100644 ci/defaults.json delete mode 100644 ci/taskcat.yml delete mode 100644 scripts/user_data.sh delete mode 160000 submodules/quickstart-aws-vpc delete mode 100644 templates/splunk-enterprise-master.template delete mode 100644 templates/splunk-enterprise.template diff --git a/ci/defaults.json b/ci/defaults.json deleted file mode 100644 index 7d1bc77..0000000 --- a/ci/defaults.json +++ /dev/null 
@@ -1,38 +0,0 @@ -[ - { - "ParameterKey": "AvailabilityZones", - "ParameterValue": "$[taskcat_genaz_2]" - }, - { - "ParameterKey": "WebClientLocation", - "ParameterValue": "72.21.196.66/32" - }, - { - "ParameterKey": "HECClientLocation", - "ParameterValue": "10.0.0.0/16" - }, - { - "ParameterKey": "KeyName", - "ParameterValue": "$[taskcat_getkeypair]" - }, - { - "ParameterKey": "SSHClientLocation", - "ParameterValue": "10.0.0.0/16" - }, - { - "ParameterKey": "SplunkAdminPassword", - "ParameterValue": "$[taskcat_genpass_10]" - }, - { - "ParameterKey": "SplunkClusterSecret", - "ParameterValue": "$[taskcat_genpass_10]" - }, - { - "ParameterKey": "SplunkIndexerDiscoverySecret", - "ParameterValue": "$[taskcat_genpass_10]" - }, - { - "ParameterKey": "QSS3BucketName", - "ParameterValue": "$[taskcat_autobucket]" - } -] diff --git a/ci/taskcat.yml b/ci/taskcat.yml deleted file mode 100644 index 9e108f4..0000000 --- a/ci/taskcat.yml +++ /dev/null @@ -1,27 +0,0 @@ -global: - marketplace-ami: true - owner: quickstart@amazon.com - qsname: quickstart-splunk-enterprise - regions: - - ap-northeast-1 - - ap-northeast-2 - - ap-south-1 - - ap-southeast-1 - - ap-southeast-2 - - ca-central-1 - - eu-central-1 - - eu-west-1 - - eu-west-2 - - sa-east-1 - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - reporting: true -tests: - splunk-enterprise: - parameter_input: defaults.json - template_file: splunk-enterprise-master.template - regions: - - us-west-1 - - us-east-2 diff --git a/scripts/user_data.sh b/scripts/user_data.sh deleted file mode 100644 index 321924f..0000000 --- a/scripts/user_data.sh +++ /dev/null 
@@ -1,622 +0,0 @@ -#!/bin/bash -xe - -#### start universal functions -function base -{ - - # variables - export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) - export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) - export SPLUNK_USER=splunk - export SPLUNK_BIN=/opt/splunk/bin/splunk - export SPLUNK_HOME=/opt/splunk - - # make cloud-init output log readable by root only to protect sensitive parameter values - chmod 600 /var/log/cloud-init-output.log - - #- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead - #- Splunk is installed via ansible as part of cloud-init. The following code (starting at line 30) is - #- needed to ensure these install scripts are ran prior to the remainder of the Cloudformation - #- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's - #- cloud-init scripts, leaving no Splunk install to configure. - - #- remove the cloud-init scripts from running - rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg - rm -f /var/lib/cloud/instance/scripts/runcmd - - # run the ansible code - (cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml") - - #- as of 8.2.0, aws-cfn-bootstrap is no longer pre-installed on the AMI. 
- #- install aws-cfn-bootstrap package - yum -y install aws-cfn-bootstrap - - - # setup auth with user-selected admin password - mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak - cat >> $SPLUNK_HOME/etc/system/local/user-seed.conf << end - [user_info] - USERNAME = admin - PASSWORD = $ADMIN_PASSWORD -end - - sed -i '/guid/d' $SPLUNK_HOME/etc/instance.cfg - touch $SPLUNK_HOME/etc/.ui_login - - # restart Splunk for admin password update - $SPLUNK_BIN restart -} - -function restart_signal -{ - - # restart splunk - $SPLUNK_BIN restart - - # communicate back to CloudFormation the status of the instance creation - /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION - - # disable splunk user login - usermod --expiredate 1 splunk -} - -#### end universal config - -##### -#### start role-specific functions -##### - -### -# setup nvme drives for i3 indexers -function nvme_setup -{ - # first, determine the instance type. - ec2_type=$(curl -s http://169.254.169.254/latest/meta-data/instance-type) - - # this script is intended to run on i3* instance types. - if [[ "$ec2_type" != *"i3"* ]] - then - return 0 - fi - - # find the attached nvme drives. lsblk could work here, but utilizing the nvme-list utility due to - # json formatting and simpler parsing. install the nvme-cli and jq packages to accomplish this. - yum -y install nvme-cli jq >/dev/null - - # save the nvme drive information to a temp file for parsing - nvme list --output-format=json > /tmp/nvme_drive.json - - # declare the nvme device array - declare -a nvme_devices - unset nvme_devices - - for nvme_device in $(jq '.Devices[] | .DevicePath' /tmp/nvme_drive.json) - do - # test to ensure that the storage device is instance storage. in testing, I have - # seen EBS volues show as NVME. 
this logic will ensure attached EBS devices are not - # added to the nvme raid0 - nvme_model_type=$(jq -r '.Devices[] | select(.DevicePath=='$nvme_device') | .ModelNumber' /tmp/nvme_drive.json) - if [[ $nvme_model_type = *"NVMe Instance Storage"* ]] - then - # unfortunate 'hack' here to remove the quotes from the device name. without them, the jq lookup - # will fail in the previous step. however, they need to be removed for the md raid creation later. - # additionally, since there needs to be a space between device names for the md create, convert - # quotes to spaces, and remove leading space. this leaves "$nvme_device " (note trailing space) - # stored in the array. this will allow for simply using the contents of the array as an argument for - # building the raid0 device - nvme_device=$(echo $nvme_device|sed 's/"/ /g'| sed 's/^ //g') - - # save device list in nvme_devices array - nvme_devices+=("$nvme_device") - else - # if the nvme model type is not instance storage, continue to the next iteration of the loop - continue - fi - done - - # name of the raid device to create - raid_device="/dev/md0" - - # mount point of the raid device - raid_mount="/opt/splunk" - - # make directory for mount point - mkdir -p $raid_mount - - # create the raid device - mdadm --create $raid_device --level=raid0 --raid-devices=${#nvme_devices[@]} ${nvme_devices[@]} - - # create filesystem on raid device - if [ ${#nvme_devices[@]} -eq 1 ] - then - discardOption="" - else - discardOption="-E nodiscard" - fi - - mkfs.ext4 -m 2 -F -F ${discardOption} $raid_device - - # add entry to fstab for mounting on reboot - echo "$raid_device $raid_mount auto defaults,nofail,noatime 0 2" >>/etc/fstab - - # mount device - mount $raid_device - -} - -### -# Splunk Cluster Master / License Master -### -function splunk_cm -{ - # execute base install and configuration - base - - export RESOURCE="SplunkCM" - printf '%s\t%s\n' "$LOCALIP" 'splunklicense' >> /etc/hosts - hostname splunklicense - - #- for the 
CM, we can't reference CM_PRIVATEIP in the CloudFormation UserData like - #- we do in the other resources because the CM hasn't been created yet. To keep the - #- syntax consistent across each resource in user_data.sh, export $CM_PRIVATEIP to - #- the CM's local ip address - export CM_PRIVATEIP=$LOCALIP - - # Install license from metadata. - if [ $INSTALL_LICENSE = 1 ]; then - mkdir -p $SPLUNK_HOME/etc/licenses/enterprise/ - chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise - /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION - fi - - # Increase splunkweb connection timeout with splunkd - mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local - cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token - TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token - - # place generated config into master-apps - mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local - mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local - - # peer config 2: enable splunk tcp input - cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf <> $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf << end - [default] - repFactor = auto - remotePath = volume:remote_store/splunk_db/$_index_name - coldPath=$SPLUNK_DB/$_index_name/colddb - thawedPath=$SPLUNK_DB/$_index_name/thaweddb -end - - cat >>$SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts - hostname "splunksearch-$num" - - # set splunk servername - sudo -u $SPLUNK_USER $SPLUNK_BIN set servername SHC$num - - # Increase 
splunkweb connection timeout with splunkd - cat >$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts - hostname splunk-shc-deployer - - # Increase splunkweb connection timeout with splunkd - mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local - cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts - hostname splunksearch - - # Increase splunkweb connection timeout with splunkd - mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local - cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf < - NumberOfAZs: - AllowedValues: - - '2' - - '3' - Default: '2' - Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. - Type: String - WebClientLocation: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. - Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' - MaxLength: '19' - MinLength: '9' - Type: String - HECClientLocation: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. - Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.' 
- MaxLength: '19' - MinLength: '9' - Type: String - IndexerInstanceType: - AllowedValues: - - m5.4xlarge - - m5.8xlarge - - c5.4xlarge - - c5.9xlarge - - c5.18xlarge - - i3.4xlarge - - i3.8xlarge - - i3en.3xlarge - - i3en.6xlarge - - i3en.12xlarge - Description: EC2 instance type for Splunk Indexers - ConstraintDescription: must be a valid EC2 instance type. - Default: i3.4xlarge - Type: String - SearchHeadInstanceType: - AllowedValues: - - r5.4xlarge - - r5.8xlarge - - r5.16xlarge - - c5.4xlarge - - c5.9xlarge - - m5.2xlarge - - m5.4xlarge - - m5.8xlarge - - m5.12xlarge - Description: EC2 instance type for Splunk Search Heads - ConstraintDescription: must be a valid EC2 instance type. - Default: c5.4xlarge - Type: String - KeyName: - ConstraintDescription: Must be the name of an existing EC2 KeyPair. - Description: Name of an existing EC2 KeyPair to enable SSH access to the instance - Type: AWS::EC2::KeyPair::KeyName - PublicSubnet1CIDR: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. - Default: 10.0.1.0/24 - Description: The address space that will be assigned to the first Splunk server subnet. (x.x.x.x/x notation) - Type: String - PublicSubnet2CIDR: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x - Default: 10.0.2.0/24 - Description: The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation) - Type: String - PublicSubnet3CIDR: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. 
- Default: 10.0.3.0/24 - Description: The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation) - Type: String - QSS3BucketName: - Description: S3 bucket name for the Quick Start assets. - Default: '' - Type: String - QSS3KeyPrefix: - Default: quickstart-splunk-enterprise/ - Description: S3 key prefix for the Quick Start assets. - Type: String - SHCEnabled: - AllowedValues: - - 'yes' - - 'no' - Default: 'no' - Description: Do you want to build a Splunk search head cluster? yes or no - Type: String - SSHClientLocation: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions. - Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' - MaxLength: '19' - MinLength: '9' - Type: String - SplunkAdminPassword: - AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* - ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols. - Description: Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols - MaxLength: '32' - MinLength: '6' - NoEcho: 'true' - Type: String - SplunkIndexerCount: - ConstraintDescription: must be a valid number, 4-10 - Default: '4' - Description: How many Splunk indexers to launch. [4-10] - MaxValue: '10' - MinValue: '4' - Type: Number - SplunkIndexerDiskSize: - ConstraintDescription: must be a valid number, 100-16000 - Default: '334' - Description: The size of the attached EBS volume to the Splunk indexers. 
(in GB) - MaxValue: '16000' - MinValue: '100' - Type: Number - SplunkSearchHeadDiskSize: - ConstraintDescription: must be a valid number, 100-16000 - Default: '334' - Description: The size of the attached EBS volume to the Splunk search head(s). (in GB) - MaxValue: '16000' - MinValue: '100' - Type: Number - SplunkLicenseBucket: - AllowedPattern: (?=^.{3,63}$)(?!xn--)([a-z0-9](?:[a-z0-9-]*)[a-z0-9])$ - ConstraintDescription: 'Required for QuickStart to function and must be a valid s3 bucket' - Description: 'Name of private S3 bucket with licenses to be accessed via authenticated requests' - MinLength: '3' - MaxLength: '63' - Type: String - SplunkLicensePath: - ConstraintDescription: 'Required for QuickStart to function and must point to a valid Splunk license' - AllowedPattern: ([0-9]|[A-Z]|[a-z]|[\/\._-])+ - Description: 'Path to license file in S3 Bucket, without leading /. (ex: license/splunk.license)' - MinLength: '2' - MaxLength: '128' - Type: String - SplunkReplicationFactor: - ConstraintDescription: must be a valid number, 2-4 - Default: '2' - Description: How many copies of data should be stored in the Splunk Indexer Cluster - MaxValue: '4' - MinValue: '2' - Type: Number - SplunkSearchFactor: - ConstraintDescription: must be a valid number, 2-4 - Default: '2' - Description: How many copies of data should be searchable in the Splunk indexer clusters - MaxValue: '4' - MinValue: '2' - Type: Number - SplunkClusterSecret: - AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* - ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols. - Description: Shared cluster secret for Search Head and Indexer clusters. Must be at least 8 characters containing letters, numbers and symbols. 
- MaxLength: '32' - MinLength: '6' - NoEcho: 'true' - Type: String - SplunkIndexerDiscoverySecret: - AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* - ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols. - Description: Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols. - MaxLength: '32' - MinLength: '8' - NoEcho: 'true' - Type: String - VPCCIDR: - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. - Default: 10.0.0.0/16 - Description: The address space that will be assigned to the entire VPC where Splunk will reside. 
(Recommend at least a /16) - MaxLength: '19' - MinLength: '9' - Type: String - SmartStoreBucketName: - Default: '' - Description: Name of bucket that will be created for SmartStore storage - Type: String -Metadata: - QuickStartDocumentation: - EntrypointName: "Splunk QuickStart (New VPC)" - AWS::CloudFormation::Interface: - ParameterGroups: - - Label: - default: AWS Instance and Network Settings - Parameters: - - IndexerInstanceType - - SearchHeadInstanceType - - KeyName - - WebClientLocation - - HECClientLocation - - SSHClientLocation - - AvailabilityZones - - NumberOfAZs - - VPCCIDR - - PublicSubnet1CIDR - - PublicSubnet2CIDR - - PublicSubnet3CIDR - - Label: - default: Splunk Settings - Parameters: - - SplunkAdminPassword - - SplunkClusterSecret - - SplunkIndexerDiscoverySecret - - SplunkLicenseBucket - - SplunkLicensePath - - SplunkIndexerCount - - SplunkIndexerDiskSize - - SplunkSearchHeadDiskSize - - SplunkReplicationFactor - - SplunkSearchFactor - - SmartStoreBucketName - - SHCEnabled - - Label: - default: AWS Quick Start Configuration - Parameters: - - QSS3BucketName - - QSS3KeyPrefix - ParameterLabels: - AvailabilityZones: - default: Availability Zones - SplunkSearchHeadDiskSize: - default: Size (in GB) of Splunk search head disk - NumberOfAZs: - default: Number of Availability Zones - WebClientLocation: - default: Permitted CIDR for Splunk web interface - HECClientLocation: - default: Permitted CIDR for Splunk HTTP event collector input - IndexerInstanceType: - default: EC2 instance type for Splunk indexer - SearchHeadInstanceType: - default: EC2 instance type for Splunk search head - KeyName: - default: Key Name - PublicSubnet1CIDR: - default: Public Subnet 1 CIDR - PublicSubnet2CIDR: - default: Public Subnet 2 CIDR - PublicSubnet3CIDR: - default: Public Subnet 3 CIDR - QSS3BucketName: - default: QuickStart S3 Bucket Name - QSS3KeyPrefix: - default: QuickStart S3 Key Prefix - SHCEnabled: - default: Enable Search Head Cluster? 
- SSHClientLocation: - default: Permitted CIDR for ssh - SplunkAdminPassword: - default: Splunk Admin Password - SplunkIndexerCount: - default: No. of Splunk Indexers - SplunkIndexerDiskSize: - default: Indexer Disk Size - SplunkLicenseBucket: - default: Splunk License Bucket - SplunkLicensePath: - default: Splunk License S3 Bucket Path - SplunkReplicationFactor: - default: Index Cluster Replication Factor - SplunkSearchFactor: - default: Index Cluster Search Factor - SmartStoreBucketName: - default: Name of bucket that will be created for SmartStore storage - SplunkClusterSecret: - default: Shared Security Key for Cluster Nodes - SplunkIndexerDiscoverySecret: - default: Shared Security Key for Forwarders using Indexer Discovery - VPCCIDR: - default: VPC CIDR -Conditions: - Create3AZ: !Equals - - !Ref 'NumberOfAZs' - - '3' -Resources: - VPCStack: - Type: AWS::CloudFormation::Stack - Properties: - TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - Parameters: - AvailabilityZones: !Join - - ',' - - !Ref 'AvailabilityZones' - CreatePrivateSubnets: 'false' - CreatePublicSubnets: 'true' - CreateNATGateways: 'false' - NumberOfAZs: !Ref 'NumberOfAZs' - PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR' - PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR' - PublicSubnet3CIDR: !Ref 'PublicSubnet3CIDR' - VPCCIDR: !Ref 'VPCCIDR' - TimeoutInMinutes: 15 - SplunkStack: - Type: AWS::CloudFormation::Stack - Properties: - TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise.template' - Parameters: - VPCID: !GetAtt 'VPCStack.Outputs.VPCID' - VPCCIDR: !GetAtt 'VPCStack.Outputs.VPCCIDR' - PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID' - PublicSubnet2ID: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID' - PublicSubnet3ID: !If - - Create3AZ - - !GetAtt 'VPCStack.Outputs.PublicSubnet3ID' - - !GetAtt 'VPCStack.Outputs.PublicSubnet2ID' - NumberOfAZs: !Ref 
'NumberOfAZs' - IndexerInstanceType: !Ref 'IndexerInstanceType' - SearchHeadInstanceType: !Ref 'SearchHeadInstanceType' - SplunkAdminPassword: !Ref 'SplunkAdminPassword' - SplunkClusterSecret: !Ref 'SplunkClusterSecret' - SplunkIndexerDiscoverySecret: !Ref 'SplunkIndexerDiscoverySecret' - SplunkLicenseBucket: !Ref 'SplunkLicenseBucket' - SplunkLicensePath: !Ref 'SplunkLicensePath' - KeyName: !Ref 'KeyName' - SSHClientLocation: !Ref 'SSHClientLocation' - HECClientLocation: !Ref 'HECClientLocation' - WebClientLocation: !Ref 'WebClientLocation' - SplunkIndexerCount: !Ref 'SplunkIndexerCount' - SHCEnabled: !Ref 'SHCEnabled' - SplunkIndexerDiskSize: !Ref 'SplunkIndexerDiskSize' - SmartStoreBucketName: !Ref 'SmartStoreBucketName' - SplunkReplicationFactor: !Ref 'SplunkReplicationFactor' - TimeoutInMinutes: 45 -Outputs: - SearchHeadURL: - Description: Splunk Enterprise - Search Head URL - Value: !GetAtt 'SplunkStack.Outputs.SearchHeadURL' - ClusterMasterURL: - Description: Splunk Enterprise - Cluster Master URL - Value: !GetAtt 'SplunkStack.Outputs.ClusterMasterURL' - ClusterMasterManagementURL: - Description: Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery) - Value: !GetAtt 'SplunkStack.Outputs.ClusterMasterManagementURL' - DeployerURL: - Description: Splunk Enterprise - Search Head Cluster Deployer URL - Value: !GetAtt 'SplunkStack.Outputs.DeployerURL' - HttpEventCollectorURL: - Description: HTTP Event Collector URL - Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorURL' - HttpEventCollectorToken: - Description: HTTP Event Collector Token - Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorToken' diff --git a/templates/splunk-enterprise.template b/templates/splunk-enterprise.template deleted file mode 100644 index 4a3d688..0000000 --- a/templates/splunk-enterprise.template +++ /dev/null 
@@ -1,1090 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Description: 'Splunk deployment with indexer, search head clustering and cluster master. QS(5030)' -Parameters: - WebClientLocation: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.' - Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' - MaxLength: '19' - MinLength: '9' - Type: String - HECClientLocation: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.' - Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' - MaxLength: '19' - MinLength: '9' - Type: String - IndexerInstanceType: - AllowedValues: - - m5.4xlarge - - m5.8xlarge - - c5.4xlarge - - c5.9xlarge - - c5.18xlarge - - i3.4xlarge - - i3.8xlarge - - i3en.3xlarge - - i3en.6xlarge - - i3en.12xlarge - Description: 'EC2 instance type for Splunk Indexers' - ConstraintDescription: 'Must be a valid EC2 instance type.' - Default: i3.4xlarge - Type: String - SearchHeadInstanceType: - AllowedValues: - - r5.4xlarge - - r5.8xlarge - - r5.16xlarge - - c5.4xlarge - - c5.9xlarge - - m5.2xlarge - - m5.4xlarge - - m5.8xlarge - - m5.12xlarge - Description: 'EC2 instance type for Splunk Search Heads' - ConstraintDescription: 'Must be a valid EC2 instance type.' - Default: c5.4xlarge - Type: String - KeyName: - ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' 
- Description: 'Name of an existing EC2 KeyPair to enable SSH access to the instance.' - Type: AWS::EC2::KeyPair::KeyName - NumberOfAZs: - AllowedValues: - - '2' - - '3' - Default: '2' - Description: 'Number of Availability Zones to use in the VPC. This must match the number public subnet IDs entered as parameters.' - Type: String - PublicSubnet1ID: - Description: 'ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)' - Type: AWS::EC2::Subnet::Id - PublicSubnet2ID: - Description: 'ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)' - Type: AWS::EC2::Subnet::Id - PublicSubnet3ID: - Description: 'ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)' - Type: AWS::EC2::Subnet::Id - QSS3BucketName: - Default: '' - Description: 'S3 bucket name for the Quick Start assets.' - Type: String - QSS3KeyPrefix: - Default: quickstart-splunk-enterprise/ - Description: 'S3 key prefix for the Quick Start assets.' - Type: String - SHCEnabled: - AllowedValues: - - 'yes' - - 'no' - Default: 'no' - Description: 'Do you want to build a Splunk search head cluster?' - Type: String - SSHClientLocation: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.' - Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' - MaxLength: '19' - MinLength: '9' - Type: String - SplunkAdminPassword: - AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* - ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.' - Description: 'Admin password for Splunk. 
Must be at least 8 characters containing letters, numbers and symbols.' - MaxLength: '32' - MinLength: '8' - NoEcho: 'true' - Type: String - SplunkIndexerCount: - ConstraintDescription: 'Must be a valid number, 4-10' - Default: '4' - Description: 'How many Splunk indexers to launch. [4-10]' - MaxValue: '10' - MinValue: '4' - Type: Number - SplunkIndexerDiskSize: - ConstraintDescription: 'Must be a valid number, 100-16000' - Default: '334' - Description: 'The size of the attached EBS volume to the Splunk indexers. (in GB)' - MaxValue: '16000' - MinValue: '100' - Type: Number - SplunkSearchHeadDiskSize: - ConstraintDescription: 'Must be a valid number, 100-16000' - Default: '334' - Description: 'The size of the attached EBS volume to the Splunk search head(s). (in GB)' - MaxValue: '16000' - MinValue: '100' - Type: Number - SmartStoreBucketName: - Default: '' - Description: 'Name of S3 bucket to be created for SmartStore storage' - Type: String - SplunkLicenseBucket: - ConstraintDescription: 'Required for QuickStart to function and must be a valid s3 bucket' - AllowedPattern: (?=^.{3,63}$)(?!xn--)([a-z0-9](?:[a-z0-9-]*)[a-z0-9])$ - Description: 'Name of private S3 bucket with licenses to be accessed via authenticated requests' - MinLength: '3' - MaxLength: '63' - Type: String - SplunkLicensePath: - ConstraintDescription: 'Required for QuickStart to function and must point to a valid Splunk license' - AllowedPattern: ([0-9]|[A-Z]|[a-z]|[\/\._-])+ - Description: 'Path to license file in S3 Bucket (without leading /)' - MinLength: '1' - MaxLength: '128' - Type: String - SplunkReplicationFactor: - ConstraintDescription: 'Must be a valid number, 2-6' - Default: '2' - Description: 'How many copies of data should be stored in the Splunk Indexer Cluster' - MaxValue: '6' - MinValue: '2' - Type: Number - SplunkSearchFactor: - ConstraintDescription: 'Must be a valid number, 2-6' - Default: '2' - Description: 'How many copies of data should be searchable in the Splunk indexer 
clusters' - MaxValue: '6' - MinValue: '2' - Type: Number - SplunkClusterSecret: - AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* - ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.' - Description: 'Shared cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.' - MaxLength: '32' - MinLength: '8' - NoEcho: 'true' - Type: String - SplunkIndexerDiscoverySecret: - AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* - ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.' - Description: 'Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.' - MaxLength: '32' - MinLength: '8' - NoEcho: 'true' - Type: String - VPCCIDR: - AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ - ConstraintDescription: 'Must be a valid IP CIDR range of the form x.x.x.x/x.' 
- Description: VPC CIDR Block (x.x.x.x/x notation) - Type: String - VPCID: - Description: VPC ID - Type: AWS::EC2::VPC::Id -Metadata: - AWSAMIRegionMap: - Filters: - SPLUNKENTHVM: - name: splunk_AMI* - owner-alias: aws-marketplace - product-code.type: marketplace - QuickStartDocumentation: - EntrypointName: "Splunk QuickStart (Existing VPC)" - AWS::CloudFormation::Interface: - ParameterGroups: - - Label: - default: AWS Instance and Network Settings - Parameters: - - IndexerInstanceType - - SearchHeadInstanceType - - KeyName - - WebClientLocation - - HECClientLocation - - SSHClientLocation - - VPCID - - VPCCIDR - - PublicSubnet1ID - - PublicSubnet2ID - - PublicSubnet3ID - - NumberOfAZs - - Label: - default: Splunk Settings - Parameters: - - SplunkAdminPassword - - SplunkClusterSecret - - SplunkIndexerDiscoverySecret - - SplunkLicenseBucket - - SplunkLicensePath - - SplunkIndexerCount - - SplunkIndexerDiskSize - - SplunkSearchHeadDiskSize - - SplunkReplicationFactor - - SplunkSearchFactor - - SmartStoreBucketName - - SHCEnabled - ParameterLabels: - WebClientLocation: - default: Permitted CIDR for Splunk web interface - HECClientLocation: - default: Permitted CIDR for Splunk HTTP event collector input - IndexerInstanceType: - default: EC2 instance type for Splunk indexer - SearchHeadInstanceType: - default: EC2 instance type for Splunk search head - KeyName: - default: Key Name - PublicSubnet1ID: - default: Public Subnet 1 ID - PublicSubnet2ID: - default: Public Subnet 2 ID - PublicSubnet3ID: - default: Public Subnet 3 ID - NumberOfAZs: - default: Number of Availability Zones - SHCEnabled: - default: Enable Search Head Cluster? - SSHClientLocation: - default: Permitted CIDR for ssh - SplunkAdminPassword: - default: Splunk Admin Password - SplunkIndexerCount: - default: No. 
of Splunk Indexers - SmartStoreBucketName: - default: Name of bucket to be created for Smartstore storage - SplunkIndexerDiskSize: - default: Indexer Disk Size - SplunkSearchHeadDiskSize: - default: Search Head(s) Disk Size - SplunkLicenseBucket: - default: Splunk License Bucket - SplunkLicensePath: - default: Splunk License S3 Bucket Path - SplunkReplicationFactor: - default: Index Cluster Replication Factor - SplunkSearchFactor: - default: Index Cluster Search Factor - SplunkClusterSecret: - default: Shared Security Key for Cluster Nodes - SplunkIndexerDiscoverySecret: - default: Shared Security Key for Forwarders using Indexer Discovery - VPCCIDR: - default: VPC CIDR - VPCID: - default: VPC ID -Conditions: - Create3AZ: !Equals - - !Ref 'NumberOfAZs' - - '3' - CreateSingleSearchHead: !Equals - - !Ref 'SHCEnabled' - - 'no' - CreateSHC: !Equals - - !Ref 'SHCEnabled' - - 'yes' - ConfigureLicense: !And - - !Not - - !Equals - - '' - - !Ref 'SplunkLicenseBucket' - - !Not - - !Equals - - '' - - !Ref 'SplunkLicensePath' -Mappings: - AWSAMIRegionMap: - AMI: - SPLUNKENTHVM: splunk_AMI_8.2.3.3_2021-12-18_00-53-30-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d - us-west-1: - SPLUNKENTHVM: ami-09661ae18cb9aedb4 - us-west-2: - SPLUNKENTHVM: ami-0c22deb9fc3c775d9 - us-east-1: - SPLUNKENTHVM: ami-0582e6c6a47fc48c5 - us-east-2: - SPLUNKENTHVM: ami-01021135eb4ce4d5d - ap-south-1: - SPLUNKENTHVM: ami-005110201be854c36 - ap-northeast-1: - SPLUNKENTHVM: ami-0f652f101b96c37e9 - ap-northeast-2: - SPLUNKENTHVM: ami-0673efcda653adfb5 - ap-southeast-1: - SPLUNKENTHVM: ami-091a6c8fd0012281e - ap-southeast-2: - SPLUNKENTHVM: ami-0cdb50ab376ee7d58 - ca-central-1: - SPLUNKENTHVM: ami-03c36e8753b649758 - eu-central-1: - SPLUNKENTHVM: ami-00018e48dd37a4de3 - eu-west-1: - SPLUNKENTHVM: ami-01495bcd527c0ff9d - eu-west-2: - SPLUNKENTHVM: ami-0b285d7712449bb17 - eu-west-3: - SPLUNKENTHVM: ami-05f8860a4be3a2a86 - eu-north-1: - SPLUNKENTHVM: ami-0a2d7f72e56037575 - sa-east-1: - SPLUNKENTHVM: 
ami-08c43f4591f7fc7a6 - - SplunkConfig: - dedicated-instance-type: - clusterMaster: c5.xlarge - shclusterDeployer: c5.xlarge - shcluster-replication-factor: - num: '3' - labels: - cluster: IndexerCluster - shcluster: SearchHeadCluster - -Resources: - SplunkSmartstoreBucket: - Type: AWS::S3::Bucket - Properties: - BucketName: !Ref 'SmartStoreBucketName' - BucketEncryption: - ServerSideEncryptionConfiguration: - - ServerSideEncryptionByDefault: - SSEAlgorithm: AES256 - DeletionPolicy: Delete - SmartStoreS3BucketRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: - - ec2.amazonaws.com - Action: - - sts:AssumeRole - Path: / - SmartStoreS3AccessInstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Path: / - Roles: - - !Ref 'SmartStoreS3BucketRole' - SmartStoreS3BucketPolicy: - Type: AWS::IAM::Policy - Properties: - PolicyName: SmartStoreS3BucketPolicy - PolicyDocument: - Statement: - - Action: - - s3:ListBucket - Effect: Allow - Resource: - - !Join - - '' - - - 'arn:aws:s3:::' - - !Ref 'SmartStoreBucketName' - - Action: - - s3:PutObject - - s3:GetObject - - s3:DeleteObject - - s3:PutObjectAcl - Effect: Allow - Resource: - - !Join - - '' - - - 'arn:aws:s3:::' - - !Ref 'SmartStoreBucketName' - - '/*' - Roles: - - !Ref 'SmartStoreS3BucketRole' - SplunkSearchHeadSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - VpcId: !Ref 'VPCID' - GroupDescription: 'Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication' - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 8000 - ToPort: 8000 - CidrIp: !Ref 'WebClientLocation' - - IpProtocol: tcp - FromPort: 8090 - ToPort: 8090 - CidrIp: !Ref 'VPCCIDR' - - IpProtocol: tcp - FromPort: 8191 - ToPort: 8191 - CidrIp: !Ref 'VPCCIDR' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Name - Value: SplunkSearchHeadSecurityGroup - SplunkIndexerSecurityGroup: - Type: 
AWS::EC2::SecurityGroup - Properties: - VpcId: !Ref 'VPCID' - GroupDescription: 'Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication' - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 9997 - ToPort: 9997 - CidrIp: !Ref 'VPCCIDR' - - IpProtocol: tcp - FromPort: 8088 - ToPort: 8088 - SourceSecurityGroupId: !Ref 'SplunkHttpEventCollectorLoadBalancerSecurityGroup' - - IpProtocol: tcp - FromPort: 514 - ToPort: 514 - CidrIp: !Ref 'VPCCIDR' - - IpProtocol: udp - FromPort: 514 - ToPort: 514 - CidrIp: !Ref 'VPCCIDR' - - IpProtocol: tcp - FromPort: 9887 - ToPort: 9887 - CidrIp: !Ref 'VPCCIDR' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Name - Value: SplunkIndexerSecurityGroup - SplunkSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - VpcId: !Ref 'VPCID' - GroupDescription: 'Enable administrative ports like restricted SSH and management port' - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: !Ref 'SSHClientLocation' - - IpProtocol: tcp - FromPort: 8089 - ToPort: 8089 - CidrIp: !Ref 'VPCCIDR' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Name - Value: SplunkSecurityGroup - SplunkHttpEventCollectorLoadBalancerSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - VpcId: !Ref 'VPCID' - GroupDescription: 'Enable port 8088 on ELB for HEC input' - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 8088 - ToPort: 8088 - CidrIp: !Ref 'HECClientLocation' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Name - Value: SplunkHttpEventCollectorLoadBalancerSecurityGroup - SplunkSearchHeadInstance: - Type: AWS::EC2::Instance - Condition: CreateSingleSearchHead - CreationPolicy: - ResourceSignal: - Timeout: PT15M - Properties: - ImageId: !FindInMap - - AWSAMIRegionMap - - !Ref 'AWS::Region' - - SPLUNKENTHVM - InstanceType: !Ref 'SearchHeadInstanceType' - KeyName: !Ref 'KeyName' - Tags: - - Key: 
Application - Value: !Ref 'AWS::StackId' - - Key: Role - Value: splunk-search-head - - Key: Name - Value: search-head - NetworkInterfaces: - - GroupSet: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkSearchHeadSecurityGroup' - AssociatePublicIpAddress: true - DeviceIndex: '0' - DeleteOnTermination: true - SubnetId: !Ref 'PublicSubnet1ID' - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - VolumeSize: !Ref 'SplunkSearchHeadDiskSize' - UserData: - Fn::Base64: - Fn::Sub: - - | - #!/bin/bash -xe - export INSTALL_LICENSE="0" - export SYMMKEY="${SplunkIndexerDiscoverySecret}" - export ADMIN_PASSWORD="${SplunkAdminPassword}" - export STACK_NAME="${AWS::StackName}" - export AWS_REGION="${AWS::Region}" - export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" - export SplunkCMWaitHandle="${SplunkCMWaitHandle}" - export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh - export CM_PRIVATEIP="${SplunkCMIP}" - /tmp/user_data.sh single_sh && rm -f /tmp/user_data.sh - - SplunkCMIP: !GetAtt SplunkCM.PrivateIp - SplunkCM: - Type: AWS::EC2::Instance - CreationPolicy: - ResourceSignal: - Timeout: PT15M - Metadata: - AWS::CloudFormation::Init: !If - - ConfigureLicense - - config: - files: - /opt/splunk/etc/licenses/enterprise/splunk.license: - source: !If - - ConfigureLicense - - !Join - - '' - - - https:// - - !Ref 'SplunkLicenseBucket' - - .s3.amazonaws.com/ - - !Ref 'SplunkLicensePath' - - !Ref 'AWS::NoValue' - mode: '000600' - owner: splunk - group: splunk - authentication: S3AccessCreds - - !Ref 'AWS::NoValue' - AWS::CloudFormation::Authentication: !If - - ConfigureLicense - - S3AccessCreds: - type: S3 - accessKeyId: !Ref 'CfnKeys' - secretKey: !GetAtt 'CfnKeys.SecretAccessKey' - buckets: - - !Ref 'SplunkLicenseBucket' - - !Ref 'AWS::NoValue' - Properties: - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - VolumeSize: 
334 - NetworkInterfaces: - - GroupSet: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkSearchHeadSecurityGroup' - AssociatePublicIpAddress: true - DeviceIndex: '0' - DeleteOnTermination: true - SubnetId: !Ref 'PublicSubnet1ID' - ImageId: !FindInMap - - AWSAMIRegionMap - - !Ref 'AWS::Region' - - SPLUNKENTHVM - InstanceType: !FindInMap - - SplunkConfig - - dedicated-instance-type - - clusterMaster - KeyName: !Ref 'KeyName' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Role - Value: cluster-master - - Key: Name - Value: cluster-master - UserData: - Fn::Base64: - Fn::Sub: - - | - #!/bin/bash -xe - export INSTALL_LICENSE="0" - export SYMMKEY="${SplunkIndexerDiscoverySecret}" - export ADMIN_PASSWORD="${SplunkAdminPassword}" - export STACK_NAME="${AWS::StackName}" - export AWS_REGION="${AWS::Region}" - export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" - export SMARTSTORE_BUCKET="${SmartStoreBucketName}" - export SplunkCMWaitHandle="${SplunkCMWaitHandle}" - export REPFACTOR="${SplunkReplicationFactor}" - export SEARCHFACTOR="${SplunkSearchFactor}" - export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - export SITELIST="${Sitelist}" - export INSTALL_LICENSE="${InstallLicense}" - wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh - /tmp/user_data.sh cm && rm -f /tmp/user_data.sh - - Sitelist: !If [Create3AZ, "site1,site2,site3", "site1,site2" ] - InstallLicense: !If [ConfigureLicense, "1", "0"] - SplunkCMWaitHandle: - Type: AWS::CloudFormation::WaitConditionHandle - SplunkCMWaitCondition: - Type: AWS::CloudFormation::WaitCondition - DependsOn: SplunkCM - Properties: - Handle: !Ref 'SplunkCMWaitHandle' - Timeout: '900' - SplunkSHCDeployer: - Type: AWS::EC2::Instance - Condition: CreateSHC - CreationPolicy: - ResourceSignal: - Timeout: PT10M - Properties: - ImageId: !FindInMap - - AWSAMIRegionMap - - !Ref 'AWS::Region' - - SPLUNKENTHVM - InstanceType: !FindInMap - - SplunkConfig - - 
dedicated-instance-type - - shclusterDeployer - KeyName: !Ref 'KeyName' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Role - Value: splunk-deployer - - Key: Name - Value: deployer - NetworkInterfaces: - - GroupSet: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkSearchHeadSecurityGroup' - AssociatePublicIpAddress: true - DeviceIndex: '0' - DeleteOnTermination: true - SubnetId: !Ref 'PublicSubnet1ID' - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - VolumeSize: !Ref 'SplunkSearchHeadDiskSize' - UserData: - Fn::Base64: - Fn::Sub: - - | - #!/bin/bash -xe - export INSTALL_LICENSE="0" - export SYMMKEY="${SplunkIndexerDiscoverySecret}" - export ADMIN_PASSWORD="${SplunkAdminPassword}" - export STACK_NAME="${AWS::StackName}" - export AWS_REGION="${AWS::Region}" - export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" - export SMARTSTORE_BUCKET="${SmartStoreBucketName}" - export SplunkCMWaitHandle="${SplunkCMWaitHandle}" - export REPFACTOR="${SplunkReplicationFactor}" - export SEARCHFACTOR="${SplunkSearchFactor}" - export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - export CM_PRIVATEIP="${SplunkCMIP}" - wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh - /tmp/user_data.sh deployer && rm -f /tmp/user_data.sh - - SplunkCMIP: !GetAtt SplunkCM.PrivateIp - SplunkSHCMember1: - Type: AWS::EC2::Instance - Condition: CreateSHC - CreationPolicy: - ResourceSignal: - Timeout: PT10M - Properties: - ImageId: !FindInMap - - AWSAMIRegionMap - - !Ref 'AWS::Region' - - SPLUNKENTHVM - InstanceType: !Ref 'SearchHeadInstanceType' - KeyName: !Ref 'KeyName' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Role - Value: splunk-search-head - - Key: Name - Value: search-head-1 - NetworkInterfaces: - - GroupSet: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkSearchHeadSecurityGroup' - AssociatePublicIpAddress: true - DeviceIndex: '0' - DeleteOnTermination: true - 
SubnetId: !Ref 'PublicSubnet1ID' - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - VolumeSize: !Ref 'SplunkSearchHeadDiskSize' - UserData: - Fn::Base64: - Fn::Sub: - - | - #!/bin/bash -xe - export INSTALL_LICENSE="0" - export SYMMKEY="${SplunkIndexerDiscoverySecret}" - export ADMIN_PASSWORD="${SplunkAdminPassword}" - export STACK_NAME="${AWS::StackName}" - export AWS_REGION="${AWS::Region}" - export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" - export SMARTSTORE_BUCKET="${SmartStoreBucketName}" - export SplunkCMWaitHandle="${SplunkCMWaitHandle}" - export REPFACTOR="${SplunkReplicationFactor}" - export SEARCHFACTOR="${SplunkSearchFactor}" - export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - export CM_PRIVATEIP="${SplunkCMIP}" - export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" - export THREEAZ="${THREEAZ}" - export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}" - wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh - /tmp/user_data.sh cluster_sh 1 && rm -f /tmp/user_data.sh - - SplunkCMIP: !GetAtt SplunkCM.PrivateIp - SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp - THREEAZ: !If [ Create3AZ, "1", "0" ] - SplunkSHCMember2: - Type: AWS::EC2::Instance - Condition: CreateSHC - CreationPolicy: - ResourceSignal: - Timeout: PT10M - Properties: - ImageId: !FindInMap - - AWSAMIRegionMap - - !Ref 'AWS::Region' - - SPLUNKENTHVM - InstanceType: !Ref 'SearchHeadInstanceType' - KeyName: !Ref 'KeyName' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Role - Value: splunk-search-head - - Key: Name - Value: search-head-2 - NetworkInterfaces: - - GroupSet: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkSearchHeadSecurityGroup' - AssociatePublicIpAddress: true - DeviceIndex: '0' - DeleteOnTermination: true - SubnetId: !Ref 'PublicSubnet2ID' - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - VolumeSize: !Ref 'SplunkSearchHeadDiskSize' - UserData: 
- Fn::Base64: - Fn::Sub: - - | - #!/bin/bash -xe - export INSTALL_LICENSE="0" - export SYMMKEY="${SplunkIndexerDiscoverySecret}" - export ADMIN_PASSWORD="${SplunkAdminPassword}" - export STACK_NAME="${AWS::StackName}" - export AWS_REGION="${AWS::Region}" - export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" - export SMARTSTORE_BUCKET="${SmartStoreBucketName}" - export SplunkCMWaitHandle="${SplunkCMWaitHandle}" - export REPFACTOR="${SplunkReplicationFactor}" - export SEARCHFACTOR="${SplunkSearchFactor}" - export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - export CM_PRIVATEIP="${SplunkCMIP}" - export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" - export THREEAZ="${THREEAZ}" - export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}" - wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh - /tmp/user_data.sh cluster_sh 2 && rm -f /tmp/user_data.sh - - SplunkCMIP: !GetAtt SplunkCM.PrivateIp - SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp - THREEAZ: !If [ Create3AZ, "1", "0" ] - SplunkSHCMember3: - Type: AWS::EC2::Instance - Condition: CreateSHC - CreationPolicy: - ResourceSignal: - Timeout: PT10M - Properties: - ImageId: !FindInMap - - AWSAMIRegionMap - - !Ref 'AWS::Region' - - SPLUNKENTHVM - InstanceType: !Ref 'SearchHeadInstanceType' - KeyName: !Ref 'KeyName' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - - Key: Role - Value: splunk-search-head - - Key: Name - Value: search-head-3 - NetworkInterfaces: - - GroupSet: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkSearchHeadSecurityGroup' - AssociatePublicIpAddress: true - DeviceIndex: '0' - DeleteOnTermination: true - SubnetId: !If - - Create3AZ - - !Ref 'PublicSubnet3ID' - - !Ref 'PublicSubnet2ID' - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - VolumeSize: !Ref 'SplunkSearchHeadDiskSize' - UserData: - Fn::Base64: - Fn::Sub: - - | - #!/bin/bash -xe - export INSTALL_LICENSE="0" - export 
SYMMKEY="${SplunkIndexerDiscoverySecret}" - export ADMIN_PASSWORD="${SplunkAdminPassword}" - export STACK_NAME="${AWS::StackName}" - export AWS_REGION="${AWS::Region}" - export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" - export SMARTSTORE_BUCKET="${SmartStoreBucketName}" - export SplunkCMWaitHandle="${SplunkCMWaitHandle}" - export REPFACTOR="${SplunkReplicationFactor}" - export SEARCHFACTOR="${SplunkSearchFactor}" - export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - export CM_PRIVATEIP="${SplunkCMIP}" - export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" - export THREEAZ="${THREEAZ}" - export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}" - export SH1_IP=${SH1_IP} - export SH2_IP=${SH2_IP} - wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh - /tmp/user_data.sh cluster_sh 3 && rm -f /tmp/user_data.sh - - SplunkCMIP: !GetAtt SplunkCM.PrivateIp - SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp - SH1_IP: !GetAtt SplunkSHCMember1.PrivateIp - SH2_IP: !GetAtt SplunkSHCMember2.PrivateIp - THREEAZ: !If [ Create3AZ, "1", "0" ] - CfnUser: - Type: AWS::IAM::User - Condition: ConfigureLicense - Properties: - Path: / - CfnKeys: - Type: AWS::IAM::AccessKey - Condition: ConfigureLicense - Properties: - UserName: !Ref 'CfnUser' - BucketPolicy: - Type: AWS::S3::BucketPolicy - Condition: ConfigureLicense - Properties: - PolicyDocument: - Version: '2012-10-17' - Id: MyPolicy - Statement: - - Sid: ReadAccess - Action: - - s3:GetObject - Effect: Allow - Resource: !Join - - '' - - - 'arn:aws:s3:::' - - !Ref 'SplunkLicenseBucket' - - /* - Principal: - AWS: !GetAtt 'CfnUser.Arn' - Bucket: !Ref 'SplunkLicenseBucket' - SplunkIndexerLaunchConfiguration: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - AssociatePublicIpAddress: true - IamInstanceProfile: !Ref 'SmartStoreS3AccessInstanceProfile' - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - VolumeSize: !Ref 
'SplunkIndexerDiskSize' - SecurityGroups: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkIndexerSecurityGroup' - ImageId: !FindInMap - - AWSAMIRegionMap - - !Ref 'AWS::Region' - - SPLUNKENTHVM - InstanceType: !Ref 'IndexerInstanceType' - KeyName: !Ref 'KeyName' - UserData: - Fn::Base64: - Fn::Sub: - - | - #!/bin/bash -xe - export INSTALL_LICENSE="0" - export SYMMKEY="${SplunkIndexerDiscoverySecret}" - export ADMIN_PASSWORD="${SplunkAdminPassword}" - export STACK_NAME="${AWS::StackName}" - export AWS_REGION="${AWS::Region}" - export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}" - export SMARTSTORE_BUCKET="${SmartStoreBucketName}" - export SplunkCMWaitHandle="${SplunkCMWaitHandle}" - export REPFACTOR="${SplunkReplicationFactor}" - export SEARCHFACTOR="${SplunkSearchFactor}" - export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh" - export CM_PRIVATEIP="${SplunkCMIP}" - export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}" - export SMARTSTORE_BUCKET="${SmartStoreBucketName}" - export CM_PRIVATEIP="${SplunkCMIP}" - export SUBNET1_ID="${PublicSubnet1ID}" - export SUBNET2_ID="${PublicSubnet2ID}" - export SUBNET3_ID="${PublicSubnet3ID}" - wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh - /tmp/user_data.sh indexer && rm -f /tmp/user_data.sh - - SplunkCMIP: !GetAtt SplunkCM.PrivateIp - SplunkSHCLoadBalancer: - Type: AWS::ElasticLoadBalancing::LoadBalancer - Condition: CreateSHC - Properties: - ConnectionDrainingPolicy: - Enabled: true - Timeout: 300 - LBCookieStickinessPolicy: - - CookieExpirationPeriod: '86400' - PolicyName: SplunkWebCookiePolicy - Instances: - - !Ref 'SplunkSHCMember1' - - !Ref 'SplunkSHCMember2' - - !Ref 'SplunkSHCMember3' - Listeners: - - LoadBalancerPort: '8000' - InstancePort: '8000' - Protocol: HTTP - PolicyNames: - - SplunkWebCookiePolicy - Scheme: internet-facing - SecurityGroups: - - !Ref 'SplunkSecurityGroup' - - !Ref 'SplunkSearchHeadSecurityGroup' - CrossZone: true - 
Subnets: !If - - Create3AZ - - - !Ref 'PublicSubnet1ID' - - !Ref 'PublicSubnet2ID' - - !Ref 'PublicSubnet3ID' - - - !Ref 'PublicSubnet1ID' - - !Ref 'PublicSubnet2ID' - HealthCheck: - Target: TCP:8089 - HealthyThreshold: '2' - UnhealthyThreshold: '3' - Interval: '30' - Timeout: '5' - SplunkHttpEventCollectorLoadBalancer: - Type: AWS::ElasticLoadBalancing::LoadBalancer - Properties: - ConnectionDrainingPolicy: - Enabled: true - Timeout: 300 - Listeners: - - InstancePort: '8088' - InstanceProtocol: HTTPS - LoadBalancerPort: '8088' - Protocol: HTTP - Scheme: internet-facing - SecurityGroups: - - !Ref 'SplunkHttpEventCollectorLoadBalancerSecurityGroup' - CrossZone: true - Subnets: !If - - Create3AZ - - - !Ref 'PublicSubnet1ID' - - !Ref 'PublicSubnet2ID' - - !Ref 'PublicSubnet3ID' - - - !Ref 'PublicSubnet1ID' - - !Ref 'PublicSubnet2ID' - HealthCheck: - Target: HTTPS:8088/services/collector/health - HealthyThreshold: '3' - UnhealthyThreshold: '2' - Interval: '20' - Timeout: '5' - Policies: - - PolicyName: EnableProxyProtocol - PolicyType: ProxyProtocolPolicyType - Attributes: - - Name: ProxyProtocol - Value: true - InstancePorts: - - '8088' - SplunkIndexerNodesASG: - Type: AWS::AutoScaling::AutoScalingGroup - DependsOn: SplunkCM - Properties: - VPCZoneIdentifier: !If - - Create3AZ - - - !Ref 'PublicSubnet1ID' - - !Ref 'PublicSubnet2ID' - - !Ref 'PublicSubnet3ID' - - - !Ref 'PublicSubnet1ID' - - !Ref 'PublicSubnet2ID' - LaunchConfigurationName: !Ref 'SplunkIndexerLaunchConfiguration' - MinSize: !Ref 'SplunkIndexerCount' - MaxSize: !Ref 'SplunkIndexerCount' - DesiredCapacity: !Ref 'SplunkIndexerCount' - LoadBalancerNames: - - !Ref 'SplunkHttpEventCollectorLoadBalancer' - Tags: - - Key: Application - Value: !Ref 'AWS::StackId' - PropagateAtLaunch: true - - Key: Role - Value: splunk-indexer - PropagateAtLaunch: true - - Key: Name - Value: indexer-N - PropagateAtLaunch: true - CreationPolicy: - ResourceSignal: - Count: !Ref 'SplunkIndexerCount' - Timeout: PT20M -Outputs: - 
SearchHeadURL: - Description: 'Splunk Enterprise - Search Head URL' - Value: !Join - - '' - - - http:// - - !If - - CreateSHC - - !GetAtt 'SplunkSHCLoadBalancer.DNSName' - - !GetAtt 'SplunkSearchHeadInstance.PublicIp' - - :8000 - ClusterMasterURL: - Description: 'Splunk Enterprise - Cluster Master URL' - Value: !Join - - '' - - - http:// - - !GetAtt 'SplunkCM.PublicIp' - - :8000 - ClusterMasterManagementURL: - Description: 'Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)' - Value: !Join - - '' - - - https:// - - !GetAtt SplunkCM.PrivateIp - - :8089 - DeployerURL: - Description: 'Splunk Enterprise - Search Head Cluster Deployer URL' - Value: !If - - CreateSHC - - !Join - - '' - - - http:// - - !GetAtt 'SplunkSHCDeployer.PublicIp' - - :8000 - - Applicable when Search Head Cluster is selected - HttpEventCollectorURL: - Description: 'HTTP Event Collector URL' - Value: !Join - - '' - - - http:// - - !GetAtt 'SplunkHttpEventCollectorLoadBalancer.DNSName' - - :8088 - - /services/collector - HttpEventCollectorToken: - Description: 'HTTP Event Collector Token' - Value: !Select - - '1' - - !Split - - '"' - - !Select - - '1' - - !Split - - ':' - - !GetAtt 'SplunkCMWaitCondition.Data' From defa08d07929731376afc42fb7582eb6943b4bbb Mon Sep 17 00:00:00 2001 
From: Bill Bartlett Date: Thu, 28 Apr 2022 21:01:56 +0000 Subject: [PATCH 40/47] move documentation to deployment_guide subfolder --- docs/{ => deployment_guide}/images/cfn_outputs.png | Bin .../images/cluster-master-sfrf-met.png | Bin .../images/indexer-clustering-menu.png | Bin .../images/search-head-distributed-search-menu.png | Bin .../search-head-distributed-search-success.png | Bin .../splunk-enterprise-architecture-on-aws.png | Bin .../partner_editable/_settings.adoc | 0 .../partner_editable/additional_info.adoc | 0 .../partner_editable/architecture.adoc | 0 .../partner_editable/deploy_steps.adoc | 0 .../partner_editable/deployment_options.adoc | 0 .../partner_editable/faq_troubleshooting.adoc | 0 .../partner_editable/licenses.adoc | 0 .../partner_editable/overview_target_and_usage.adoc | 0 .../partner_editable/pre-reqs.adoc | 0 .../partner_editable/product_description.adoc | 0 .../partner_editable/regions.adoc | 0 .../partner_editable/service_limits.adoc | 0 .../partner_editable/specialized_knowledge.adoc | 0 19 files changed, 0 insertions(+), 0 deletions(-) rename docs/{ => deployment_guide}/images/cfn_outputs.png (100%) rename docs/{ => deployment_guide}/images/cluster-master-sfrf-met.png (100%) rename docs/{ => deployment_guide}/images/indexer-clustering-menu.png (100%) rename docs/{ => deployment_guide}/images/search-head-distributed-search-menu.png (100%) rename docs/{ => deployment_guide}/images/search-head-distributed-search-success.png (100%) rename docs/{ => deployment_guide}/images/splunk-enterprise-architecture-on-aws.png (100%) rename docs/{ => deployment_guide}/partner_editable/_settings.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/additional_info.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/architecture.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/deploy_steps.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/deployment_options.adoc (100%) rename docs/{ => 
deployment_guide}/partner_editable/faq_troubleshooting.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/licenses.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/overview_target_and_usage.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/pre-reqs.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/product_description.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/regions.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/service_limits.adoc (100%) rename docs/{ => deployment_guide}/partner_editable/specialized_knowledge.adoc (100%) diff --git a/docs/images/cfn_outputs.png b/docs/deployment_guide/images/cfn_outputs.png similarity index 100% rename from docs/images/cfn_outputs.png rename to docs/deployment_guide/images/cfn_outputs.png diff --git a/docs/images/cluster-master-sfrf-met.png b/docs/deployment_guide/images/cluster-master-sfrf-met.png similarity index 100% rename from docs/images/cluster-master-sfrf-met.png rename to docs/deployment_guide/images/cluster-master-sfrf-met.png diff --git a/docs/images/indexer-clustering-menu.png b/docs/deployment_guide/images/indexer-clustering-menu.png similarity index 100% rename from docs/images/indexer-clustering-menu.png rename to docs/deployment_guide/images/indexer-clustering-menu.png diff --git a/docs/images/search-head-distributed-search-menu.png b/docs/deployment_guide/images/search-head-distributed-search-menu.png similarity index 100% rename from docs/images/search-head-distributed-search-menu.png rename to docs/deployment_guide/images/search-head-distributed-search-menu.png diff --git a/docs/images/search-head-distributed-search-success.png b/docs/deployment_guide/images/search-head-distributed-search-success.png similarity index 100% rename from docs/images/search-head-distributed-search-success.png rename to docs/deployment_guide/images/search-head-distributed-search-success.png 
diff --git a/docs/images/splunk-enterprise-architecture-on-aws.png b/docs/deployment_guide/images/splunk-enterprise-architecture-on-aws.png similarity index 100% rename from docs/images/splunk-enterprise-architecture-on-aws.png rename to docs/deployment_guide/images/splunk-enterprise-architecture-on-aws.png diff --git a/docs/partner_editable/_settings.adoc b/docs/deployment_guide/partner_editable/_settings.adoc similarity index 100% rename from docs/partner_editable/_settings.adoc rename to docs/deployment_guide/partner_editable/_settings.adoc diff --git a/docs/partner_editable/additional_info.adoc b/docs/deployment_guide/partner_editable/additional_info.adoc similarity index 100% rename from docs/partner_editable/additional_info.adoc rename to docs/deployment_guide/partner_editable/additional_info.adoc diff --git a/docs/partner_editable/architecture.adoc b/docs/deployment_guide/partner_editable/architecture.adoc similarity index 100% rename from docs/partner_editable/architecture.adoc rename to docs/deployment_guide/partner_editable/architecture.adoc diff --git a/docs/partner_editable/deploy_steps.adoc b/docs/deployment_guide/partner_editable/deploy_steps.adoc similarity index 100% rename from docs/partner_editable/deploy_steps.adoc rename to docs/deployment_guide/partner_editable/deploy_steps.adoc diff --git a/docs/partner_editable/deployment_options.adoc b/docs/deployment_guide/partner_editable/deployment_options.adoc similarity index 100% rename from docs/partner_editable/deployment_options.adoc rename to docs/deployment_guide/partner_editable/deployment_options.adoc diff --git a/docs/partner_editable/faq_troubleshooting.adoc b/docs/deployment_guide/partner_editable/faq_troubleshooting.adoc similarity index 100% rename from docs/partner_editable/faq_troubleshooting.adoc rename to docs/deployment_guide/partner_editable/faq_troubleshooting.adoc 
diff --git a/docs/partner_editable/licenses.adoc b/docs/deployment_guide/partner_editable/licenses.adoc similarity index 100% rename from docs/partner_editable/licenses.adoc rename to docs/deployment_guide/partner_editable/licenses.adoc diff --git a/docs/partner_editable/overview_target_and_usage.adoc b/docs/deployment_guide/partner_editable/overview_target_and_usage.adoc similarity index 100% rename from docs/partner_editable/overview_target_and_usage.adoc rename to docs/deployment_guide/partner_editable/overview_target_and_usage.adoc diff --git a/docs/partner_editable/pre-reqs.adoc b/docs/deployment_guide/partner_editable/pre-reqs.adoc similarity index 100% rename from docs/partner_editable/pre-reqs.adoc rename to docs/deployment_guide/partner_editable/pre-reqs.adoc diff --git a/docs/partner_editable/product_description.adoc b/docs/deployment_guide/partner_editable/product_description.adoc similarity index 100% rename from docs/partner_editable/product_description.adoc rename to docs/deployment_guide/partner_editable/product_description.adoc diff --git a/docs/partner_editable/regions.adoc b/docs/deployment_guide/partner_editable/regions.adoc similarity index 100% rename from docs/partner_editable/regions.adoc rename to docs/deployment_guide/partner_editable/regions.adoc diff --git a/docs/partner_editable/service_limits.adoc b/docs/deployment_guide/partner_editable/service_limits.adoc similarity index 100% rename from docs/partner_editable/service_limits.adoc rename to docs/deployment_guide/partner_editable/service_limits.adoc diff --git a/docs/partner_editable/specialized_knowledge.adoc b/docs/deployment_guide/partner_editable/specialized_knowledge.adoc similarity index 100% rename from docs/partner_editable/specialized_knowledge.adoc rename to docs/deployment_guide/partner_editable/specialized_knowledge.adoc From 8175690d1f71fcbd84d4e3a40ed2bc85f7717d2d Mon Sep 17 00:00:00 2001 
From: Bill Bartlett Date: Tue, 10 May 2022 10:18:36 -0700 Subject: [PATCH 41/47] update adocs --- README.md | 74 +++++++++---------- .../partner_editable/product_description.adoc | 14 ++-- .../partner_editable/regions.adoc | 2 +- .../partner_editable/service_limits.adoc | 30 ++++---- 4 files changed, 60 insertions(+), 60 deletions(-) diff --git a/README.md b/README.md index b8c6536..bb3005d 100644 --- a/README.md +++ b/README.md 
@@ -1,37 +1,37 @@ -# Splunk Enterprise on AWS - Quick Start - -Source code associated with [Splunk Enterprise AWS Quick Start](https://fwd.aws/r7QNJ) - -## Usage - -Use these templates to deploy a highly available Splunk Enterprise environment across multiple AZs (2 or 3) in a given AWS region. -AZ-aware indexer clustering is enabled for horizontal scaling and to guarantee data is replicated in every AZ. -AZ-aware Search head clustering (3 nodes by default) can also be enabled for horizontal scaling and to guarantee data is available for search in every AZ. - -View the accompanying [deployment guide](https://fwd.aws/bGBmy) for everything you need to get started. Refer to 'Deployment Steps' section for a step-by-step walkthrough on how to use these templates in AWS console. - -### Prerequisites - -Before getting started with the template configuration, you will need to make your Splunk Enterprise license privately accessible for CloudFormation template deployment via S3 download. The following steps will guide you through that process. *(Note: This step is required. A non-trial Splunk Enterprise license is required to allow our template to configure the Splunk deployment. If you don't already have a Splunk Enterprise license, you can obtain one by contacting sales@splunk.com.)* - - 1. From the AWS Console, select "S3" under the "Storage" heading, or by simply typing "S3" into the search bar. - 2. You can either select an existing private bucket to upload to, or create a new one. If you select an existing bucket, make sure its access policy does not grant public access. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. For this exercise, I'm outlining how to create a new bucket. - 3. Click "create bucket" - 4. Name your bucket, and select your region. In this example, I will use "bbartlett-splunk-config". 
Your bucket name must be unique, and you should select the same region where you plan on deploying Splunk.

![new bucket example](https://s3-us-west-2.amazonaws.com/splk-bbartlett/splunk_newbucket.png)

- 5. Once you've created your bucket, select your new bucket from the list of buckets. - 6. Click "Upload" on the upper left of the page - 7. Click "Add Files" - 8. Select your license file. - 9. Click "Start Upload" on the lower right of the page. - 10. Once the license has finished uploading, you'll need the bucket name and the filename to use with the CloudFormation template. - -## License - -This project is licensed under Apache License 2.0 - see [LICENSE.txt](./LICENSE.txt) file for details - -## Help - -If you have any problems or general questions, please file an issue in the parent repository: -https://github.com/aws-quickstart/quickstart-splunk-enterprise/issues - - +# Splunk Enterprise on AWS - Quick Start + +Source code associated with [Splunk Enterprise AWS Quick Start](https://fwd.aws/r7QNJ) + +## Usage + +Use these templates to deploy a highly available Splunk Enterprise environment across multiple AZs (2 or 3) in a given AWS region. +AZ-aware indexer clustering is enabled for horizontal scaling and to guarantee data is replicated in every AZ. +AZ-aware Search head clustering (3 nodes by default) can also be enabled for horizontal scaling and to guarantee data is available for search in every AZ. + +View the accompanying [deployment guide](https://fwd.aws/bGBmy) for everything you need to get started. Refer to 'Deployment Steps' section for a step-by-step walkthrough on how to use these templates in AWS console. + +### Prerequisites + +Before getting started with the template configuration, you will need to make your Splunk Enterprise license privately accessible for CloudFormation template deployment via S3 download. The following steps will guide you through that process. *(Note: This step is required. A non-trial Splunk Enterprise license is required to allow our template to configure the Splunk deployment. If you don't already have a Splunk Enterprise license, you can obtain one by contacting sales@splunk.com.)* + + 1. 
From the AWS Console, select "S3" under the "Storage" heading, or by simply typing "S3" into the search bar. + 2. You can either select an existing private bucket to upload to, or create a new one. If you select an existing bucket, make sure its access policy does not grant public access. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. For this exercise, I'm outlining how to create a new bucket. + 3. Click "create bucket" + 4. Name your bucket, and select your region. In this example, I will use "bbartlett-splunk-config". Your bucket name must be unique, and you should select the same region where you plan on deploying Splunk.

![new bucket example](https://s3-us-west-2.amazonaws.com/splk-bbartlett/splunk_newbucket.png)

+ 5. Once you've created your bucket, select your new bucket from the list of buckets. + 6. Click "Upload" on the upper left of the page + 7. Click "Add Files" + 8. Select your license file. + 9. Click "Start Upload" on the lower right of the page. + 10. Once the license has finished uploading, you'll need the bucket name and the filename to use with the CloudFormation template. + +## License + +This project is licensed under Apache License 2.0 - see [LICENSE.txt](./LICENSE.txt) file for details + +## Help + +If you have any problems or general questions, please file an issue in the parent repository: +https://github.com/aws-quickstart/quickstart-splunk-enterprise/issues + + diff --git a/docs/deployment_guide/partner_editable/product_description.adoc b/docs/deployment_guide/partner_editable/product_description.adoc index 44fb282..bfcf6dc 100644 --- a/docs/deployment_guide/partner_editable/product_description.adoc +++ b/docs/deployment_guide/partner_editable/product_description.adoc 
@@ -1,7 +1,7 @@ -This Quick Start deploys {partner-product-name} on the AWS Cloud - -{partner-product-name} is the platform for turning data into doing. By monitoring and analyzing everything from customer clickstreams and transactions to security events and network activity, {partner-product-name} is a scalable and reliable data platform for investigating, monitoring, analyzing and acting on your data. With a full range of powerful search, analysis, alert, and visualization capabilities along with prepackaged content for many typical use cases, users can quickly discover and share insights. - -For more details about the features and functionality of {partner-product-name}, see the https://docs.splunk.com/Documentation/Splunk[Splunk Enterprise documentation^]. - - +This Quick Start deploys {partner-product-name} on the AWS Cloud + +{partner-product-name} is the platform for turning data into doing. By monitoring and analyzing everything from customer clickstreams and transactions to security events and network activity, {partner-product-name} is a scalable and reliable data platform for investigating, monitoring, analyzing and acting on your data. With a full range of powerful search, analysis, alert, and visualization capabilities along with prepackaged content for many typical use cases, users can quickly discover and share insights. + +For more details about the features and functionality of {partner-product-name}, see the https://docs.splunk.com/Documentation/Splunk[Splunk Enterprise documentation^]. + + diff --git a/docs/deployment_guide/partner_editable/regions.adoc b/docs/deployment_guide/partner_editable/regions.adoc index cde0630..662f665 100644 --- a/docs/deployment_guide/partner_editable/regions.adoc +++ b/docs/deployment_guide/partner_editable/regions.adoc @@ -1 +1 @@ -- All AWS Regions +- All AWS Regions 
diff --git a/docs/deployment_guide/partner_editable/service_limits.adoc b/docs/deployment_guide/partner_editable/service_limits.adoc index bec8f21..0a5ae89 100644 --- a/docs/deployment_guide/partner_editable/service_limits.adoc +++ b/docs/deployment_guide/partner_editable/service_limits.adoc @@ -1,15 +1,15 @@ -// Replace the in each row to specify the number of resources used in this deployment. Remove the rows for resources that aren’t used. - -|=== -|Resource |This deployment uses - -// Space needed to maintain table headers -|VPCs |1 -|AWS Identity and Access Management (IAM) security groups |2 or more -|IAM roles |2 or more -|Auto Scaling groups |1 -|Classic Load Balancers |2 -|EC2 Instances |5 or more -|EBS Volumes|5 or more -|S3 Buckets |1 -|=== +// Replace the in each row to specify the number of resources used in this deployment. Remove the rows for resources that aren’t used. + +|=== +|Resource |This deployment uses + +// Space needed to maintain table headers +|VPCs |1 +|AWS Identity and Access Management (IAM) security groups |2 or more +|IAM roles |2 or more +|Auto Scaling groups |1 +|Classic Load Balancers |2 +|EC2 Instances |5 or more +|EBS Volumes|5 or more +|S3 Buckets |1 +|=== From e459a9b5f8f26bd684628bdcda8837ad9bafd2b4 Mon Sep 17 00:00:00 2001 From: Bill Bartlett Date: Thu, 19 May 2022 19:30:02 -0700 Subject: [PATCH 42/47] added _deployment_guide.adoc --- docs/_deployment_guide.adoc | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/_deployment_guide.adoc diff --git a/docs/_deployment_guide.adoc b/docs/_deployment_guide.adoc new file mode 100644 index 0000000..fa896ef --- /dev/null +++ b/docs/_deployment_guide.adoc @@ -0,0 +1 @@ +:type: cfn From 2f55069ef651ab427ff71d4486efcf223b977aa9 Mon Sep 17 00:00:00 2001 
From: Bill Bartlett
Date: Thu, 19 May 2022 20:07:15 -0700
Subject: [PATCH 43/47] added boilerplate
---
.gitmodules | 7 +++----
docs/boilerplate | 1 +
2 files changed, 4 insertions(+), 4 deletions(-)
create mode 160000 docs/boilerplate
diff --git a/.gitmodules b/.gitmodules
index 716fcdd..a9e6d48 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,4 +1,3 @@
-[submodule "submodules/quickstart-aws-vpc"]
- path = submodules/quickstart-aws-vpc
- url = ../../aws-quickstart/quickstart-aws-vpc.git
- branch = master
+[submodule "docs/boilerplate"]
+ path = docs/boilerplate
+ url = https://github.com/aws-quickstart/quickstart-documentation-base-common.git
diff --git a/docs/boilerplate b/docs/boilerplate
new file mode 160000
index 0000000..f1ea6e6
--- /dev/null
+++ b/docs/boilerplate
@@ -0,0 +1 @@
+Subproject commit f1ea6e66f35f01249ee56215437a9b35da655b3c
From d389f421db4daa577650eeb63f22403f324dc599 Mon Sep 17 00:00:00 2001
From: Bill Bartlett
Date: Thu, 19 May 2022 20:13:49 -0700
Subject: [PATCH 44/47] updated boilerplate submodule to point to aws-ia instead of aws-quickstart
---
.gitmodules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitmodules b/.gitmodules
index a9e6d48..cdc7805 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "docs/boilerplate"]
 path = docs/boilerplate
- url = https://github.com/aws-quickstart/quickstart-documentation-base-common.git
+ url = https://github.com/aws-ia/aws-ia-documentation-base-common.git
From 01b66c48a8e551ab5fffd82b005e3c73c4451b37 Mon Sep 17 00:00:00 2001
From: Bill Bartlett
Date: Thu, 19 May 2022 20:22:53 -0700
Subject: [PATCH 45/47] remove boilerplate
---
.gitmodules | 3 ---
docs/boilerplate | 1 -
2 files changed, 4 deletions(-)
delete mode 160000 docs/boilerplate
diff --git a/.gitmodules b/.gitmodules
index cdc7805..e69de29 100644
--- a/.gitmodules
+++ b/.gitmodules
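Review bot: The `.gitmodules` hunk of PATCH 43/47 drops the `[submodule "submodules/quickstart-aws-vpc"]` mapping, yet the commit's diffstat lists only `.gitmodules` and `docs/boilerplate`, so the gitlink at that path does not appear to be removed in this commit. If that gitlink is still in the tree (it may have been removed in an earlier patch not shown here), `git submodule update --init` will fail on a path with no mapping, and any template that loads the VPC template from that directory loses its source. Either keep the old stanza next to the new one or remove the path in the same commit with `git rm submodules/quickstart-aws-vpc`. The new entry also swaps a relative URL for an absolute external HTTPS URL, so the recorded `Subproject commit` is the only thing pinning what the docs build pulls in; a comment such as `# docs build only; pinned by gitlink, bump deliberately after review` above the stanza would record that.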
@@ -1,3 +0,0 @@
-[submodule "docs/boilerplate"]
- path = docs/boilerplate
- url = https://github.com/aws-ia/aws-ia-documentation-base-common.git
diff --git a/docs/boilerplate b/docs/boilerplate
deleted file mode 160000
index f1ea6e6..0000000
--- a/docs/boilerplate
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit f1ea6e66f35f01249ee56215437a9b35da655b3c
From 25e1883b339d47d7e286aeca35f7d4cdb2a80da3 Mon Sep 17 00:00:00 2001
From: Bill Bartlett
Date: Thu, 19 May 2022 20:29:34 -0700
Subject: [PATCH 46/47] re-add boilerplate
---
.gitmodules | 3 +++
docs/boilerplate | 1 +
2 files changed, 4 insertions(+)
create mode 160000 docs/boilerplate
diff --git a/.gitmodules b/.gitmodules
index e69de29..cdc7805 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "docs/boilerplate"]
+ path = docs/boilerplate
+ url = https://github.com/aws-ia/aws-ia-documentation-base-common.git
diff --git a/docs/boilerplate b/docs/boilerplate
new file mode 160000
index 0000000..4ef16b7
--- /dev/null
+++ b/docs/boilerplate
@@ -0,0 +1 @@
+Subproject commit 4ef16b77d6020a462feba269030c80f9088e6d1b
From a1790311eedebc8ccb6acf0f3d576fed655f6203 Mon Sep 17 00:00:00 2001
From: Bill Bartlett Date: Thu, 19 May 2022 20:47:16 -0700 Subject: [PATCH 47/47] updated some of the documentation to align with new formatting. --- .../deployment_guide/partner_editable/_settings.adoc | 12 ++++-------- .../partner_editable/architecture.adoc | 4 +++- ...{overview_target_and_usage.adoc => overview.adoc} | 0 .../partner_editable/post_deployment.adoc | 0 .../{deploy_steps.adoc => pre_deployment.adoc} | 0 ...faq_troubleshooting.adoc => troubleshooting.adoc} | 0 6 files changed, 7 insertions(+), 9 deletions(-) rename docs/deployment_guide/partner_editable/{overview_target_and_usage.adoc => overview.adoc} (100%) create mode 100644 docs/deployment_guide/partner_editable/post_deployment.adoc rename docs/deployment_guide/partner_editable/{deploy_steps.adoc => pre_deployment.adoc} (100%) rename docs/deployment_guide/partner_editable/{faq_troubleshooting.adoc => troubleshooting.adoc} (100%) diff --git a/docs/deployment_guide/partner_editable/_settings.adoc b/docs/deployment_guide/partner_editable/_settings.adoc index b84a15e..22b64ce 100644 --- a/docs/deployment_guide/partner_editable/_settings.adoc +++ b/docs/deployment_guide/partner_editable/_settings.adoc 
@@ -1,14 +1,10 @@ :quickstart-project-name: quickstart-splunk-enterprise -:partner-product-name: Splunk Enterprise +:quickstart-github-org: aws-quickstart +:partner-product-short-name: Splunk Enterprise :partner-company-name: Splunk Inc. -:doc-month: March +:doc-month: May :doc-year: 2021 :partner-contributors: Bill Bartlett, {partner-company-name} -:quickstart-contributors: Shivansh Singh, Amazon Web Services +:aws-contributors: Shivansh Singh, Amazon Web Services :deployment_time: 25 minutes :default_deployment_region: us-east-1 -// Uncomment these two attributes if you are leveraging -// - an AWS Marketplace listing. -// Additional content will be auto-generated based on these attributes. -:marketplace_subscription: -:marketplace_listing_url: https://aws.amazon.com/marketplace/pp/Splunk-Splunk-Enterprise/B00PUXWXNE diff --git a/docs/deployment_guide/partner_editable/architecture.adoc b/docs/deployment_guide/partner_editable/architecture.adoc index c73db70..0d16a15 100644 --- a/docs/deployment_guide/partner_editable/architecture.adoc +++ b/docs/deployment_guide/partner_editable/architecture.adoc 
@@ -1,10 +1,12 @@ +:xrefstyle: short + Deploying this Quick Start for a new VPC with default parameters builds the following {partner-product-name} environment in the AWS Cloud. [#architecture1] .Quick Start architecture for {partner-product-name} on AWS [link=images/splunk-enterprise-architecture-on-aws.png] image::../images/splunk-enterprise-architecture-on-aws.png[Architecture,width=648,height=439] -As shown in figure 1, the Quick Start sets up the following: +As shown in <>, the Quick Start sets up the following: * A VPC configured across two or three Availability Zones, depending on your selection. The Quick Start provisions one public subnet in each Availability Zone. * Two Elastic Load Balancing (ELB) load balancers: one to load-balance HTTP web traffic to the search head instances, and the other to load-balance HTTP event traffic destined for the Splunk HTTP Event Collector (HEC) across all indexer instances. diff --git a/docs/deployment_guide/partner_editable/overview_target_and_usage.adoc b/docs/deployment_guide/partner_editable/overview.adoc similarity index 100% rename from docs/deployment_guide/partner_editable/overview_target_and_usage.adoc rename to docs/deployment_guide/partner_editable/overview.adoc diff --git a/docs/deployment_guide/partner_editable/post_deployment.adoc b/docs/deployment_guide/partner_editable/post_deployment.adoc new file mode 100644 index 0000000..e69de29 diff --git a/docs/deployment_guide/partner_editable/deploy_steps.adoc b/docs/deployment_guide/partner_editable/pre_deployment.adoc similarity index 100% rename from docs/deployment_guide/partner_editable/deploy_steps.adoc rename to docs/deployment_guide/partner_editable/pre_deployment.adoc 
diff --git a/docs/deployment_guide/partner_editable/faq_troubleshooting.adoc b/docs/deployment_guide/partner_editable/troubleshooting.adoc similarity index 100% rename from docs/deployment_guide/partner_editable/faq_troubleshooting.adoc rename to docs/deployment_guide/partner_editable/troubleshooting.adoc