From 9439ed4c44142f1920ad1b569e5d1b229322d23c Mon Sep 17 00:00:00 2001
From: b12f
Date: Fri, 16 Aug 2024 21:33:49 +0200
Subject: [PATCH] email: add mail@b12f.io and mail@hzdomain
---
 hosts/frikandel/email.nix | 76 ++++++++++++++++++++++---
 hosts/frikandel/unbound.nix | 10 ++++
 modules/printing/default.nix | 10 ++--
 secrets/age-yubikey-464-identity.txt | 6 --
 secrets/age-yubikey-485-identity.txt | 6 --
 secrets/hzdomain-dkim-private-rsa.age | Bin 0 -> 2056 bytes
 secrets/mail@hzdomain-password.age | 23 ++++++++
 secrets/mail@mezza.biz-password.age | Bin 0 -> 1310 bytes
 secrets/mezza.biz-dkim-private-rsa.age | Bin 0 -> 2056 bytes
 secrets/secrets.nix | 7 ++-
 terraform/h.net.tf | 24 ++++++++
 terraform/mezza.biz.tf | 65 +++++++++++++++++++++
 users/b12f/email.nix | 14 +++--
 13 files changed, 211 insertions(+), 30 deletions(-)
 create mode 100644 secrets/hzdomain-dkim-private-rsa.age
 create mode 100644 secrets/mail@hzdomain-password.age
 create mode 100644 secrets/mail@mezza.biz-password.age
 create mode 100644 secrets/mezza.biz-dkim-private-rsa.age
diff --git a/hosts/frikandel/email.nix b/hosts/frikandel/email.nix
index 480a8c1..bb91aba 100644
--- a/hosts/frikandel/email.nix
+++ b/hosts/frikandel/email.nix
@@ -5,10 +5,16 @@ lib, ... }: let - # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ]; + hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ]; dkimDNSb12fio = '' default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ; ''; + dkimDNSmezzabiz = '' + default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ; + ''; + dkimDNShzDomain = '' + default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ; + ''; in { age.secrets."b12f.io-dkim-private-rsa" = { file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age"; 
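Review bot: The two DKIM public keys added in `dkimDNSmezzabiz` and `dkimDNShzDomain` appear to be 1024-bit RSA: their `p=` values start with `MIGfMA0GCSq…`, the usual 1024-bit SubjectPublicKeyInfo prefix, while the existing `dkimDNSb12fio` value starts with `MIIBIjANBgkq…`, which is 2048-bit. RFC 8301 recommends that signers use keys of at least 2048 bits, so I would regenerate both key pairs at 2048 bits before the records are published and re-encrypt the matching `.age` files. A short comment above each string would also help, for example `# public half of secrets/mezza.biz-dkim-private-rsa.age; rotate both together`. The `let` block starts before this hunk and continues after it.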
@@ -23,16 +29,44 @@ in { owner = "maddy"; }; + age.secrets."mezza.biz-dkim-private-rsa" = { + file = "${flake.self}/secrets/mezza.biz-dkim-private-rsa.age"; + path = "/var/lib/maddy/dkim_keys/mezza.biz_default.key"; + mode = "400"; + owner = "maddy"; + }; + + age.secrets."mail@mezza.biz-password" = { + file = "${flake.self}/secrets/mail@mezza.biz-password.age"; + mode = "400"; + owner = "maddy"; + }; + + age.secrets."hzdomain-dkim-private-rsa" = { + file = "${flake.self}/secrets/hzdomain-dkim-private-rsa.age"; + path = "/var/lib/maddy/dkim_keys/hzdomain_default.key"; + mode = "400"; + owner = "maddy"; + }; + + age.secrets."mail@hzdomain-password" = { + file = "${flake.self}/secrets/mail@hzdomain-password.age"; + mode = "400"; + owner = "maddy"; + }; + users.users.maddy.extraGroups = [ "nginx" ]; security.acme.certs = { - "mail.b12f.io" = { - reloadServices = [ "maddy" ]; - }; - "b12f.io" = { - reloadServices = [ "maddy" ]; - }; + "mail.b12f.io".reloadServices = [ "maddy" ]; + "b12f.io".reloadServices = [ "maddy" ]; "mta-sts.b12f.io" = {}; + "mail.mezza.biz".reloadServices = [ "maddy" ]; + "mezza.biz".reloadServices = [ "maddy" ]; + "mta-sts.mezza.biz" = {}; + "mail.${hzDomain}".reloadServices = [ "maddy" ]; + "${hzDomain}".reloadServices = [ "maddy" ]; + "mta-sts.${hzDomain}" = {}; }; services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // { @@ -52,7 +86,7 @@ in { tryFiles = "$uri $uri/ =404"; }; }; - }) {} [ "b12f.io" ]; + }) {} [ "b12f.io" "mezza.biz" hzDomain ]; systemd.tmpfiles.rules = [ "d '/run/maddy' 0750 maddy maddy - -" @@ -62,6 +96,8 @@ in { mkdir -p /var/lib/maddy/dkim_keys echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns + echo '${dkimDNSmezzabiz}' >> /var/lib/maddy/dkim_keys/mezza.biz_default.dns + echo '${dkimDNShzDomain}' >> /var/lib/maddy/dkim_keys/${hzDomain}_default.dns chown -R maddy:maddy /var/lib/maddy ''; 
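Review bot: In the `@@ -23,16 +29,44 @@` hunk, `age.secrets."hzdomain-dkim-private-rsa"` places the key at `/var/lib/maddy/dkim_keys/hzdomain_default.key`, which uses the literal placeholder rather than the real domain. Everything else in this commit (the ACME cert names, `localDomains`, and the `.dns` file written as `${hzDomain}_default.dns`) uses the value of `hzDomain`. The maddy DKIM configuration is not visible here, but if its `key_path` follows the `{domain}_{selector}.key` pattern that the b12f.io and mezza.biz paths suggest, maddy will not find this file for that domain and may generate a fresh key that does not match the published `dkimDNShzDomain` record. I would change the line to `path = "/var/lib/maddy/dkim_keys/${hzDomain}_default.key";`.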
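Review bot: In the `@@ -62,6 +96,8 @@` hunk the two added `echo … >> …_default.dns` lines append, as the existing b12f.io line does, so every run of this script adds another copy of the record to each file. Writing with `>` keeps the file at exactly one record, e.g. `echo '${dkimDNSmezzabiz}' > /var/lib/maddy/dkim_keys/mezza.biz_default.dns`, and the same for the `${hzDomain}` line. The script this belongs to starts outside the hunk, so when it runs is not visible from here.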
@@ -76,14 +112,22 @@ in { localDomains = [ "b12f.io" "mail.b12f.io" + "mezza.biz" + "mail.mezza.biz" + hzDomain + "mail.${hzDomain}" ]; ensureAccounts = [ "mail@b12f.io" + "mail@mezza.biz" + "mail@${hzDomain}" ]; ensureCredentials = { # Do not use this in production. This will make passwords world-readable # in the Nix store "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path; + "mail@mezza.biz".passwordFile = config.age.secrets."mail@mezza.biz-password".path; + "mail@${hzDomain}".passwordFile = config.age.secrets."mail@hzdomain-password".path; }; tls = { loader = "file"; @@ -96,6 +140,22 @@ in { keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem"; certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem"; } + { + keyPath = "${config.security.acme.certs."mail.mezza.biz".directory}/key.pem"; + certPath = "${config.security.acme.certs."mail.mezza.biz".directory}/cert.pem"; + } + { + keyPath = "${config.security.acme.certs."mezza.biz".directory}/key.pem"; + certPath = "${config.security.acme.certs."mezza.biz".directory}/cert.pem"; + } + { + keyPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/key.pem"; + certPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/cert.pem"; + } + { + keyPath = "${config.security.acme.certs."${hzDomain}".directory}/key.pem"; + certPath = "${config.security.acme.certs."${hzDomain}".directory}/cert.pem"; + } ]; }; config = '' diff --git a/hosts/frikandel/unbound.nix b/hosts/frikandel/unbound.nix index 26ba8d1..380e325 100644 --- a/hosts/frikandel/unbound.nix +++ b/hosts/frikandel/unbound.nix 
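Review bot: In the `@@ -76,14 +112,22 @@` hunk the comment above `ensureCredentials` ("Do not use this in production. This will make passwords world-readable in the Nix store") now sits over three `passwordFile` entries that reference `config.age.secrets.….path`, so it reads as a warning about this very setup. If the point is that only the decrypted runtime path is referenced and the password never enters the store, the comment should say that instead, for example `# passwordFile is the agenix-decrypted path (mode 400, owner maddy); the password itself is not in the Nix store`. The surrounding attribute set starts before the hunk and continues after it.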
@@ -96,6 +96,16 @@ "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" "\"mail.b12f.io. 10800 IN A 10.13.12.7\"" "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" + + "\"mezza.biz. 10800 IN A 10.13.12.7\"" + "\"mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" + "\"mail.mezza.biz. 10800 IN A 10.13.12.7\"" + "\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" + + "\"h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\"" + "\"h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" + "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\"" + "\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\"" ]; tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt"; diff --git a/modules/printing/default.nix b/modules/printing/default.nix index 9bb30a4..03caa88 100644 --- a/modules/printing/default.nix +++ b/modules/printing/default.nix @@ -22,9 +22,9 @@ then [ pkgs.cups-brother-hl3140cw ] else []); - environment.persistence."/persist" = { - directories = [ - "/var/lib/cups" - ]; - }; + # environment.persistence."/persist" = { + # directories = [ + # "/etc/lib/cups" + # ]; + # }; } diff --git a/secrets/age-yubikey-464-identity.txt b/secrets/age-yubikey-464-identity.txt index f12dc2f..e696507 100644 --- a/secrets/age-yubikey-464-identity.txt +++ b/secrets/age-yubikey-464-identity.txt @@ -1,7 +1 @@ -# Serial: 25473464, Slot: 1 -# Name: age identity bd1ccf37 -# Created: Fri, 02 Feb 2024 19:26:49 +0000 -# PIN policy: Once (A PIN is required once per session, if set) -# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds) -# Recipient: age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7 AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837 diff --git a/secrets/age-yubikey-485-identity.txt b/secrets/age-yubikey-485-identity.txt index 88b82c8..b4c90ef 100644 --- a/secrets/age-yubikey-485-identity.txt +++ b/secrets/age-yubikey-485-identity.txt 
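Review bot: The `modules/printing/default.nix` hunk is unrelated to the mail change and leaves a commented-out `environment.persistence."/persist"` block in which the path was also changed from `/var/lib/cups` to `/etc/lib/cups`. If persistence for CUPS state is being dropped on purpose, deleting the block, or keeping it with a one-line reason such as `# disabled: <reason>`, would be clearer than a comment containing a path that was never in use. It would also be easier to review and revert as its own commit.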
@@ -1,7 +1 @@
-# Serial: 25473485, Slot: 1
-# Name: age identity ceaabf8b
-# Created: Fri, 02 Feb 2024 19:28:33 +0000
-# PIN policy: Once (A PIN is required once per session, if set)
-# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
-# Recipient: age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q
 AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7
diff --git a/secrets/hzdomain-dkim-private-rsa.age b/secrets/hzdomain-dkim-private-rsa.age new file mode 100644 index 0000000000000000000000000000000000000000..d1bf39124f4fcfd1148586a933cbd94533b2ff01 GIT binary patch literal 2056 zcmY+?`FGQX0l;y}F@`B247P?1ic`u}$M}#f+du%{j!(%)Y#ClbmTg&M0^% zFe-uyUCiSIIK9=xm}MkVZsSQYDc})FU}+Flq6VKnnwG{Ww2V@fv96333Nr~9aY0-r z3#fn5k|~r=8gwqPnul4fZY3F&0znDkz@!Y44(l*`&?k^5as~to!a7F;5l91WB49*4 zbRcPpm=oRr4j?gtiefsRibP!Yq#?*eaE=BPM$Q>eMndTT;BtmsCfW{$NL@~wv>{&9 zYxi*?zn_Z7Wr*L0%VeAsCwN&%?eY2;$Pfopx|kl2Kv-4*G9e!v@Is_Q3{d*4FM|0{ zSw;zEG}*Wv6C{0FOUj=J;E`Z}=X9vqbQB9y<<5Ls6>w<7B21GYQI68$W=~!s)+Vwt zLDnMI`EXNO;X)*2D1nB9ZWHV9uqG*wayi0MyECR%&|VOD1hRsRO{oirP#}~x3X~`s zBn|Qao=U|$Do+?BA{LF#nL&LhY|UhK2q$I@JiFCvd|ogNP{xeX=*2k7ozD>>n1GU6 zeLNb{=940iB8B)75b>k5+iGCV9;=)X=v*WuKtLW0T4dx8?GJRu6;uAnh( zh3pwf?n$asHcJc(h?u09h5T_78q*Vu921jP7&0&h9sxKQn-W?>APF)Q0br=l8hgI^bCE*n zFs_lJZX>5NB%O92ZI3I;AZyGXR3I{qj3O~ktk<%Dj|i9ZtZ_=?cAK@VBUY}UHMSHa z5#Z_32v3~>{SG5R<}?uO2V)$h0fQD%0M2=G2Dgn+gv~}y z=J8t%VeJ1b&Y6GSldlE{tr0HM>ivY%;IYt3G3&|2=(HIT1&u+65mJ*h9yUN3yFkXv zdgO>lA&SUAHiwB5UY{CujdU_$xQ zuO9ZUeY6z>dW(jQ^!-h2YBHC1U2g6ea{~3I{@nYUR|1_sp8K|9^K7eIU7T0UwlwIw zI)r@vuHB!VyR6PWWUS*p+*v+}obCX+Z|u1^kR9=;{@%mI_uIR_ zA#QgLK5lMopKzq~k8P*mm7nhU?%EqOuNb%G`t}ZAh7QUKTcSZ#|tnVvueLADwz_i&$g0FiPBC+%TbH zuxP}hH;NX#Pkd5x+`M*HY{Ra7;!DK1>iP2eOQUbE9cn&ZsVQ!&yIuLRxutctGk6c& zkX%#V(N(>wRJ}@Fn69~lzto(1XG~4;##Z4)puW{IYfU15YQ;a+%x%70_*cQ-t9F0# zeC~#=swa<%TMXOZT~HIt{xlHn!l(9^RBs=Sc1-+i-gnEi$4LEeRh`f7&aa(&Xngig zed*zGt0q^qPW;R2&e4tMg{o&f?9D5rG`nlz$5`d08&=z}jZ?Zy*L~2_NcA0Ac%uIg zhL1PQkvV$D?p=Mbg~w!Ufu4K8nS0t^dzsw&{jz~E0~^jR>RWGk4T_ZPKQQW}rS2vv z*!jaee((6A#q2t#qGc)@9{5+$!)xk-QunLskN9&xmwZ2U@mQ>-c+?l|C9n5=amI7t z=V*P!w56TJSKF3@z|NN35?0coJzKAuST$t5S#UqRYSNi)NN7RRmRDzdxnus&54Qq+ z(#j203>r&<02kj$Y zzkHJqYFg97#yw>R=MQ~Vxg-1I4RGhC34L34)!dF-UU}!6IT!A}|MjW3*m;t=ceNSr Zz#c3 ssh-ed25519 8bHz7g B8CppVVWblUzZYe4KLZZQg1+Z9HtOZE2riG5rrj7lDc +BBNd3OpQz+QoPp6mv+P2+eYTMwKt8+ty4ERdO5+2Xtk +-> ssh-ed25519 n71/yQ 
4cDMfD1yorzkNgdqrbmcI6FCDEWlFlZmdedD5O5x/3k +gvmvNFiPVGZdcIb6PacTn3IKEBEk0TnSaWv30XWX2rY +-> ssh-rsa kFDS0A +D/Wxbu8XMyCpYi3b58FKYrYlSog0yCTDV0+cKQssOPyc/NNQ39FviB6HcqahmZfi +HpXAXdgDBNwHBN+Gmcu4gSFSgogKG3U8UxGmY9kNUUbJ8mKnljGO2rdPPIEbMLEn +ZmUAK86RYOW4ctRceZ5APR24uLN5DpTnq5phLJgWjh9pvUXrI4SPawkMOq7CxylB +h2AOYXPso0Iz9SVHl/KRLV+w32US8ISlLzJSUSAMYBY/2uQd2TRDJGdw5Jz/Ih+q +f/G463YV6opFmYO9odxWPQzuEPmEBKSO7zThXnlCvsW6LDZlJ1IY0SZviPIhO4M8 +RX4jsganUDti19RmiHytDXwKkM4XPCPh5wpE/a6qTVneFhnlXUNiF0Y938dAAMNx +S1rjS2v5ezHHtofpZqspl1s3WiAmsPzb7+E10ymoyT3elvWehWkTTk8a+HP4SoM+ +QKiig8HaevLWS5Ea/8wO8h8lzEDtda65GBvlARQGTCCPyijwHBAfiivU6Xp2EJQr +YP3+hxbLO1wmV8QMxUfMrAfbJVhua+o5oDPZSImNwGfEQo4yztL2jit0bOuA3qDF +6S3Pfvg6YpLcJwKdBCI4t0sBeFCm/Wxk4JT/eh0tdnBHUaviQ0Gj+Bzz1A7J+mek +Ko/jR43KTFbIz46n/mCeYrtn2MTFl/AOsW+T/XoaOTI +-> piv-p256 zqq/iw A71bIRILKAlGedebswRMWObcmTf4o0VGarNPs0HwF7pU +EUfi118cd2/bfnwTXuYAiqx14FawWUf36n66hmpQuIM +-> piv-p256 vRzPNw Atd637HL03L8GedzPSanEXZt9V85DgGnriZnXngfKRFz +UiIUX1ADioDqckf0iT04NN5kOhmyRwf+/CG2+THAsrc +--- uajThUB7bCOg/ahzarVYOMb1c3XR0qrphQ/ehGBQztM +ehCMrbI c@sFAS29] sip]V͇5$IGk)\IWNo3y! :AS! \ No newline at end of file 
diff --git a/secrets/mail@mezza.biz-password.age b/secrets/mail@mezza.biz-password.age new file mode 100644 index 0000000000000000000000000000000000000000..0d622cf529286ad51ca54895cd4b40b3196b7726 GIT binary patch literal 1310 zcmZA0yX)(800r=iV?Ypba*(=R2)#+#Ji)7^N%L&eq-paS#I$)fY4UB}iGqSx!FvU9 zaug9%1UDxaXAzwI6Yd}mg5oUx931p7_#6)B_;EN7i*q%CCM}BxWfdbG2F+ic)part zg9Slg%#1!s6BW;#uqUg%XL##D_7@H;r)XrKFJVh!Cu&>wwYe3R9xjMB4FyGwCu%rI zf|^vNbzQ=I!Zu2?lsA5DYaW84=p-bO-E9A_6%>Yy#_UGdO2FPlTirauXD?0|?X&b` z5>AV_oR6#BM%kX1w<$kDW_iu&gXPiN#n~<6DotI_SxQcCt`dHaP3f*7SapR5u>7x9 z)&49KcoStIFC!5!uG4~zBbF#t${)%up=iP2BxKm|zAP+4=Zf@d9RlvUK4Dtf`pzP; z&tgo+1q7pOR$Os#%|_G$J!f&bbZoM{UR&7frxe5|pDRU6SEKs`5zK>ONYBQ`s!yy?Md;{N(o0&KX?17I*YcI}B^K~u zB-~Et5+nsefk@&|la-nT#wSd?ljlL}Qn44qFPLnofY3LP%F#X!3C>>M^AF0TNR# zaA3)kZAM?JU>Cs4TTUHZDIMxo2>YY~C_%Cqp`&~r_QZ+uvSK5NF6%Q;-mJNUlXCl= zvuD@4T%^M;KVy_rRY{u}eW##2ttrkVqm04bHO}zVnpl{f5f2*{%^+dWv3=PxfThPZ z$$EMfQAdBpGD3Xtd&6({mkFn^Z0b{)UQ4<@Wod9SPGD+&%h*}M}QMv9vI|gYt2MdCnO}878_A_?GteA~qJ;C)o0d#rv=_Fw^ zzOWfqPI0l(rBq*{5hpqj40mj(p<)3{LNnA3pSXj<7llb5yAGXzCA+b)a7up4{$q9f zN!RYI!QV?uIB18m+9Nk(eNZ*!LdMo&%wobNIxEAsn&6q)c?SWy&(sQ&{Loa-OkDu` zd^~{_tX+G_&nUWdgZI@pFh6z?CygFVz>m{^O_bZrsyPKjxmk_`|Qie(>h~FVJ^~d;R0bpa1soo4NkP F`Wt@!wbK9q literal 0 HcmV?d00001 
diff --git a/secrets/mezza.biz-dkim-private-rsa.age b/secrets/mezza.biz-dkim-private-rsa.age new file mode 100644 index 0000000000000000000000000000000000000000..b4b17e6cbe40d4173aa18c832add92ce3f657ed6 GIT binary patch literal 2056 zcmX}ri+59n0S0h-P$*%v3@0K*+P$D9l-xY-O#;Zw`+f7eO>%=4^Ul3VZgQVVE&^6y zP(V0Rp}6wcD9i~sVQdsAI0_czu_{#h0E*DkItL={pgN#9wsW?>;CH_7d|x0Isf-XI zDxYDnG%+Vl#YCJ~P`RLtrsI{7uml9f$}&PO7Ui8~ZieNw5jC9kgMK-mM@_8U!|@!i z@fq>7H>QFJCkpdb2ASR@uzM^%RwI%CK@_m6$Yc(srOBK+p-u+W`7q{8f}9Z0;Cv_% z`kzM8fwF{N>jqQ;9E1#@$xRz0A(nG$Fe+y;O5;ug@A1l{KpKzfV*q3IBoGGn1$dbS zLv0zYT9Q&rTrx8e$O&|Wj+VhDwNawZ*u%MCTw<)UdsR3ow^%}$Qv}*oJf8u*R4hp& z(U?$fvIp>p(;5!vt*G0_3TO!wQwUQ~P^;&7Qel7zQ0u~#N*65@(GEFg!|XvwAt9ke zz@S1TS~CEWhz~*OJQxo!E}ekah7|^x)fQ9*`Z`5i0DL5=zP! zHrsTvgh7Yp6gCB1#h4h>BU3n(B7q070A`aD;?XcD6FGCRI3812C@G@F&?LnXQl7Qt zoD3L>I^rIRjhgAOP%ZJGIB!RiLd-5;<*+gtVKlyIP8d;>vb4cWxeTOO6XZ;iJTIlm zBq`S;DDGz^AkHNWTo}^DSxjSwc*4P11fi@ghf{9En1~~Cl%f?>4kez(wc7RmeAwVt zkSfT8!l5d&*lso8nMlH@4vFM?h1HgESj0L(1QD@nIjl$rWeTN5mvo19I;9HBV7!CF z@VqdlcIiWu%Bz8hTq>4>l@7op_ZXF0ALdb*{Z)c|Dr$y&VTZv_ zxSk9P1KyaCj0uGN-VOI(zt*WdOBHavN zwAyqjLgdN&bOCdof`Dv5gd$be|L!=0ag`Yf2$k_9DZ;X4DiYL#q>VF05v|UFAu%b4 z%kod#rCtIW3PE9An)0gH zU<4QHf&YBw{}$)s9q?0&^N9ISI!HJYMuyO&u`q4dLm}LsO6ju-$eT@7>14)~6-T6Y z0VGA>AjF_XKnF>~K{4($ru6=V2m*~6Z-$HMGCF%q%hIk4DyXciEc0ojOg4-VdIz0` z<7PZ7Q{bo_V_jk<6AV&GG*JZ@;A9{qG6|X;Yx*B9DmD!-`0XlU?ZTn{$qx^$@49rT zbJvCR^2HzcdbGPeHByG_d-4$>-Mt)XTDxfY*m_jQO!8JukFcuSLSy-TRb=X z;T_S$V*GT;;Z4or=Lq3I*C!{c->rXZb*0JdE!=PL?5mr+u{!NPF`yfNs!%y=VVXHV z(J}w-C*w88e`vV6cUt$F+tx3@qK7rJ;Rh#c6bqKV)2iqyAMEX66LlwRO$1vw<=n;E z)3I~+{&a&KrqT7Z>O%U~AhY&zcI^8<&lpXEN33stx5tw@yX55^vkS&rO56WcGHn{% ze{0#;9esQ7>A~+WPOO-_AUtNuUg{5HfBJY+{k+i*Z{MJD&mLvAb=+@O++a&jbpp_Y zMD4Py_7Ok+w(#1#!4;Zg()7*gkHqu-xo&Uo-udQZ{bz<|-+W_T@IsZk)qk`FDDg}l z{b_@(W$_<3zJCAfW}B@k-S~s6DI_ekYAV|YMje>a{rt?`^VA)^oqv~@%}W~4C0)O) zu+X3X?syKV+=Z$3Z}GdDY7X58l!_j|sruDn+wX-Pb-nv1%$&6LKycMDv~gt4FSY{> zD6MbOQ@AH1V^YWsBEj6cpRB~{8*Tm`2skbM8 
z-g=;~srV!9EcDACt4BVoF1#`9{h2nrXTplU#1EU_eBa-eK1jcjJ%6{XtFiw0xd+On zSMoz2?rI;|o-b4dU+ii5$88VadgQf=x>38IS#5K_Yh3xO=1_dU^zy(t>8%mb#bebE zmRxjg-THw0tUJeTJw4Lw{Q$nS*m_Vh6H zQ2XklwXSC^H=OF>tBp?S`gVK4$}g_