From bae3b7347039c8ce8fb79a967111de05a19c0fd8 Mon Sep 17 00:00:00 2001 From: akkupy Date: Sat, 2 Sep 2023 12:42:25 +0530 Subject: [PATCH] Added Unbound DNS Resolver --- README.md | 1 + docs/unbound.md | 247 +++++++++++++++++++++++++++++++++++ images/RecursiveResolver.png | Bin 0 -> 9088 bytes images/pihole-unbound.png | Bin 0 -> 35561 bytes 4 files changed, 248 insertions(+) create mode 100644 docs/unbound.md create mode 100644 images/RecursiveResolver.png create mode 100644 images/pihole-unbound.png diff --git a/README.md b/README.md index 3756754..7ce89e7 100644 --- a/README.md +++ b/README.md @@ -103,6 +103,7 @@ List of all Documents used within this project. |[nginx_proxy_manager.md](./docs/nginx_proxy_manager.md)|Install and setup instructions for Nginx Proxy Manager (NPM)| |[Self Signed SSL Certificate](https://github.com/akkupy/Self_Signed_SSL_Cerificate)|Follow these steps for SSL Certificate Authority for Local Https Development(can be used with NPM)| |[pi-hole.md](./docs/pi-hole.md)|Install and Setup Pi-Hole for Network-Wide Ad Block| +|[unbound.md](./docs/unbound.md)|Install and Setup Unbound , a validating, recursive, caching DNS resolver.| |[vaultwarden.md](./docs/vaultwarden.md)|Install and Setup Vaultwarden, A privately hosted password manager| |[rpimonitoring.md](./docs/rpimonitoring.md)|Install and Setup Raspberry Pi & Docker Monitoring, A user-friendly way to monitor the performance of your Raspberry Pi| |[jellyfin.md](./docs/jellyfin.md)|Install and Setup Jellyfin, A Software to provide media from a dedicated server to end-user devices via multiple apps| diff --git a/docs/unbound.md b/docs/unbound.md new file mode 100644 index 0000000..0c5f5ff --- /dev/null +++ b/docs/unbound.md @@ -0,0 +1,247 @@ +# Unbound + +![](../images/pihole-unbound.png) + +## Introduction + +[Unbound](https://nlnetlabs.nl/projects/unbound/about/) is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. + +### What is a recursive DNS server? + +The first distinction we have to be aware of is whether a DNS server is authoritative or not. + +If I'm the authoritative server for, e.g., ```akkupy.me```, then I know which IP is the correct answer for a query. Recursive name servers, in contrast, resolve any query they receive by consulting the servers authoritative for this query by traversing the domain. + +Example: We want to resolve ```akkupy.me```. On behalf of the client, the recursive DNS server will traverse the path of the domain across the Internet to deliver the answer to the question. + + +## Setting up Pi-hole as a recursive DNS server solution¶ + +We will use ```unbound```, a secure open-source recursive DNS server primarily developed by NLnet Labs, VeriSign Inc., Nominet, and Kirei. The first thing you need to do is to install the recursive DNS resolver: + +``` +sudo apt install unbound +``` + +If you are installing unbound from a package manager, it should install the ```root.hints``` file automatically with the dependency ```dns-root-data```. The root hints will then be automatically updated by your package manager. + +Optional: Download the current root hints file (the list of primary root servers which are serving the domain "." - the root domain). Update it roughly every six months. Note that this file changes infrequently. This is only necessary if you are not installing unbound from a package manager. If you do this optional step, you will need to uncomment the ```root-hints:``` configuration line in the suggested config file. + +``` +wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints +``` +### Configure ```unbound``` + +Highlights: + + * Listen only for queries from the local Pi-hole installation (on port 5335) + * Listen for both UDP and TCP requests + * Verify DNSSEC signatures, discarding BOGUS domains + * Apply a few security and privacy tricks + + ```/etc/unbound/unbound.conf.d/pi-hole.conf```: + + ``` + server: + # If no logfile is specified, syslog is used + # logfile: "/var/log/unbound/unbound.log" + verbosity: 0 + + interface: 127.0.0.1 + port: 5335 + do-ip4: yes + do-udp: yes + do-tcp: yes + + # May be set to yes if you have IPv6 connectivity + do-ip6: no + + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Use this only when you downloaded the list of primary root servers! + # If you use the default dns-root-data package, unbound will find it automatically + #root-hints: "/var/lib/unbound/root.hints" + + # Trust glue only if it is within the server's authority + harden-glue: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS + harden-dnssec-stripped: yes + + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details + use-caps-for-id: no + + # Reduce EDNS reassembly buffer size. + # IP fragmentation is unreliable on the Internet today, and can cause + # transmission failures when large DNS messages are sent via UDP. Even + # when fragmentation does work, it may not be secure; it is theoretically + # possible to spoof parts of a fragmented DNS message, without easy + # detection at the receiving end. Recently, there was an excellent study + # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< + # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) + # in collaboration with NLnet Labs explored DNS using real world data from the + # the RIPE Atlas probes and the researchers suggested different values for + # IPv4 and IPv6 and in different scenarios. They advise that servers should + # be configured to limit DNS messages sent over UDP to a size that will not + # trigger fragmentation on typical network links. DNS servers can switch + # from UDP to TCP when a DNS response is too big to fit in this limited + # buffer size. This value has also been suggested in DNS Flag Day 2020. + edns-buffer-size: 1232 + + # Perform prefetching of close to expired message cache entries + # This only applies to domains that have been frequently queried + prefetch: yes + + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. + num-threads: 1 + + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf: 1m + + # Ensure privacy of local IP ranges + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: 172.16.0.0/12 + private-address: 10.0.0.0/8 + private-address: fd00::/8 + private-address: fe80::/10 + ``` + + Start your local recursive server and test that it's operational: + + ``` + sudo service unbound restart +dig pi-hole.net @127.0.0.1 -p 5335 + ``` + + The first query may be quite slow, but subsequent queries, also to other domains under the same TLD, should be fairly quick. + + You should also consider adding + + ``` + edns-packet-max=1232 + ``` +to a config file like ```/etc/dnsmasq.d/99-edns.conf``` to signal FTL to adhere to this limit. + +### Test validation + +You can test DNSSEC validation using + +``` +dig fail01.dnssec.works @127.0.0.1 -p 5335 +dig dnssec.works @127.0.0.1 -p 5335 +``` + +The first command should give a status report of ```SERVFAIL``` and no IP address. The second should give ```NOERROR``` plus an IP address. + +### Configure ```Pi-hole``` + +Finally, configure Pi-hole to use your recursive DNS server by specifying ```127.0.0.1#5335``` as the Custom DNS (IPv4): + +![](../images/RecursiveResolver.png) + +(don't forget to hit Return or click on ```Save```) + +### Disable ```resolvconf.conf``` entry for ```unbound``` (Required for Debian Bullseye+ releases) + +Debian Bullseye+ releases auto-install a package called ```openresolv``` with a certain configuration that will cause unexpected behaviour for pihole and unbound. + + The effect is that the ```unbound-resolvconf.service``` instructs ```resolvconf``` to write ```unbound```'s own DNS service at ```nameserver 127.0.0.1``` , but without the 5335 port, into the file ```/etc/resolv.conf```. + + That ```/etc/resolv.conf``` file is used by local services/processes to determine DNS servers configured. You need to edit the configuration file and disable the service to work-around the misconfiguration. + + #### Step 1 - Disable the Service + + To check if this service is enabled for your distribution, run below one. It will show either ```active``` or ```inactive``` or it might not even be installed resulting in a ```could not be found``` message: + + ``` + systemctl is-active unbound-resolvconf.service + ``` + + To disable the service, run the statement below: + + ``` + sudo systemctl disable --now unbound-resolvconf.service + ``` + + #### Step 2 - Disable the file resolvconf_resolvers.conf + + Disable the file resolvconf_resolvers.conf from being generated when resolvconf is invoked elsewhere. + + ``` + sudo sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf + sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf + ``` + Restart ```unbound```. + + ``` + sudo service unbound restart + ``` + +### Add logging to unbound + +> **WARNING :** +> It's not recommended to increase verbosity for daily use, as unbound logs a lot. But it might be helpful for debugging purposes. + +There are five levels of verbosity + +``` +Level 0 means no verbosity, only errors +Level 1 gives operational information +Level 2 gives detailed operational information +Level 3 gives query level information +Level 4 gives algorithm level information +Level 5 logs client identification for cache misses +``` + +First, specify the log file, human-readable timestamps and the verbosity level in the ```server``` part of ```/etc/unbound/unbound.conf.d/pi-hole.conf```: + +``` +server: + # If no logfile is specified, syslog is used + logfile: "/var/log/unbound/unbound.log" + log-time-ascii: yes + verbosity: 1 +``` + +Second, create log dir and file, set permissions: + +``` +sudo mkdir -p /var/log/unbound +sudo touch /var/log/unbound/unbound.log +sudo chown unbound /var/log/unbound/unbound.log +``` + +On modern Debian/Ubuntu-based Linux systems, you'll also have to add an AppArmor exception for this new file so ```unbound``` can write into it. + +Create (or edit if existing) the file ```/etc/apparmor.d/local/usr.sbin.unbound``` and append + +``` +/var/log/unbound/unbound.log rw, +``` + +to the end (make sure this value is the same as above). Then reload AppArmor using + +``` +sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound +sudo service unbound restart +``` + +Lastly, restart ```unbound```: + +``` +sudo service unbound restart +``` + +### Uninstall ```unbound``` + +To remove ```unbound``` from your system run + +``` +sudo apt remove unbound +``` +Make sure to switch to another upstream DNS server for ```Pi-hole```. + diff --git a/images/RecursiveResolver.png b/images/RecursiveResolver.png new file mode 100644 index 0000000000000000000000000000000000000000..c2a246f85d3f024d44bc5d2887837047b2cbf14b GIT binary patch literal 9088 zcmb7q1z1$y_BP6l5+Wm|g1~?@0?L4t#37_R2Lwbwx5v*)V*Uqyb?^7x`~9EqdCqY5S$nTtYp-{`dvC(jRAfnrsEP3K@JQt4q&4vHE&_OX z7e)y1K}iIO-y=Lcd^|NJEg2jRx8MD2CzogYJ=yLT)X~Y&b~^m<@NlKrKw8?OW(&93 zVAiyW!yWvnsHkY$#BF12rKM$L9%^daxhFPGZR2o{Kg?lADqp+mDN9Qww#^=bHLg_Z zODRT-9KP=OJ}@xwu{Q6K@5cokPFmXicp7aXBPnYdl~;`kY+Wy%JHg=&XUZIHDi`fF zB;-N{2ZCg!<^8|x<5tIKC!(}^i^9B(WFM%T`xW*d&V4lVc!OEm9et@FXjt_CTZDEb5(=E*5x91KY zw{W;s+;(TiJZ|CBE8O8wprUO5A#NCZY7J=NPB+R6qXWJkszgteui{KlMGfIk{eyiJ zP)&e$Z@YuAvxv;@A#OU|;KL(9Yg?O^>{nV&(T`*;zYR})JHSoUgltcjJvI*8+1bGz zeDM%MAP`F6k6%bCOC5Zh$P4qUqo>M{f(V3!r?aK56hBx*Ku$*-%oKLO&F5?IA&e_m zaR;qF00JRyYQc|aoGLaz@L{o7z6Yub2!vB=&*^jwLfli(wu|pc!!B-*Pr)TXga4`d zQv^cDq#nzsoH~Q;Lm+IcP5E|rcM%BP)!l#bY*2_b#--YY)tdR!t(O6;(a4=VS6oYonOCxO@AF(TU$#g^U7>_ zk>4Ha8Et~WU^X{5x3{-bZ5|<=DwF);eDxe`{B>SFevA-$8d{w0nCe+m(DZ%F!4?k> zE+Q`tXn9=t^^O1Hi@OvOpCX&zOH5GkHdtpx2Z&EM3N8xzR879hGzQ$&I9p zTII>v(dsZFNq~(28h}zeOGT-{z>hRI#o)8RQJQBN9;Of8J>)4r^ug#A4Yw~Z>}|gm zb$J}aM3C;7;#)p+J5qR0K}BKV$>%zKF}Fa*m>6 zXH`e8C0^(!viYKvcrBD|=|YW1d{iz}j<-X@Ih^ZF+9QW21K(z|uJl{*vUAeFS-BJB zJr5sCiN`YQ5fho`$*lq~iiEiMfK&}`Z9HaOMucPvr8$=EJtHDN+&$B0uL_Y%qqe(A z_+()vQUCh|H|B-k!4En4zGp4O>lhRaQhiIe6L52VCRC4)&M6eAP#xat+b6wpRlYfl z>$XP8WuRuU*iH|kHRP>wD=~Ld0)wRkV#*@G-#H^i&xbleoadkmBSz|T<~UABJn|se2p|S zFFO&=-e$}U3XUaXg@KIEw}te|cK2m{VS}Gf#{_TTf0Q32`U$M+`GjksL*vEC%tTB= z@yJ>RdL7@2$m%lHa7N3k3&zFI`X)wl)v52o2tN;DN^D!UgBJI7;!Bj+Z;bJf7k^9G zddLBD2+wb2Ur0ynJh+EG81zZjtLcBG|)IIg*R; zjQ{8pBvzm{!mwYortD`6jq7uv(-sR0%0e1)V)~qU$_++)1X5Dx(19Smnz{jw!o0^a zEZ$_}LWpMCP-H~jL>#hRhKPE9AtDVJkwz4X zA`=c}mjl==Q&7}<>yZ3Bk!k#c$ZB3_h`V*hfV-2Y%vi?l{8rSvw?wen@ zzZu+=;;qC`J-uPz?6SQt&T1jH=MjOSSa|w`H*J z(bU6uHO+38OoUEqZ@y{x>ewaLDy{(Z1y_m>=JGP@3v(31MzhNv=RK4u>rs7LrV|+7 z>F3k5TI+kvRy8ebL&uqyR~X8T^+@=QlS&``Ts>oBa0Oo$)|*L_-G;m>_;8eS9odc@ zzAubYDQLac_f(`qA(OE$?G{(8_JrmNZC~V*L+&;`Mdh_f(hXN{yPIxFIT5C(u2ffU z0fOO&nD}h079~Hi;_hznM(c1cf(E^TT!Z|%g`NpT{l7%w)yrN5(lAW5z zVT)-y@s&TIRa#y|kC>l8n2RajDKm4Amyg+=MY+9wGC7s?>G~ZgaZC_F zQNzsVgNeH9FZh={kR@=OjKZ#qIWVjD(oAewaCla=u@MT^#+&-=cAM?SyKJd$ewGfz`hma6;?zfw@H%Y154peLhK(9Qa3i%*YU?nf%9nIzHj|aFeKS)o?~`E> zW0s~nQpBR6DlM`D>f$eVVOn!054a|Rd0La0>#!>YE`&hTRY(xG@+)nW zF4tZlOVrNT0_EfsF!@*Cp+ zJ=64k5Tn<5Fl6*7%6~*Q<46+*F&ryih#44lE32^N+M>$u0Ysaj10BIFRTVm3~Wiv5&qglO786_w9W+ zeD_Bmx^wH-iPS- z2OHxa_7n@KIc~n1$@*8NNnui93mV$N}4`Z>2&ZfPe27W zSs$NT_^V;dr-@G=rTM;%?`*jz=Dpe@pqiv&T!=n7@^8m&=%ZLf1^p?%BBqs_y!MH@ z8dv%(J#p1V*jOBz%k2&_B|I$Iy2NZdO*W?+ho#e?i%Z7W@23yMbsfsakfThfS%{tZ z2xe-t(K$Gq2fEjAr$nZwVl3TPo5j28wmRbKwzd`UICrh3eYlWI*JM^z1$Zi&~`nVe>j z(jao8VuXt4*hqa?AUe*vc@7~@&2gTBFa7Plk{)g_U;n;MpIoGJKkG^N~-nog(M*G@X1+QZLXPUL0FZrUV@SiQV)y}vBXs*POMC0;q%-gEhl zjclE#4;#ttt^TSw%EY2a|tOhPsnd^-X@NLcQ zLjehFGp9=+{XuWZbqH|K%>ntja+Lst3lus4cK!yFZ~{pkW}fd>dv2tjg}rJ0Vpme>I$5As@gkRv^WeR6u8`5# z4*`B(k6V30QeDNogZX4WjXG@>Vlb>tvd%OeO4v`DZo}LO3w3q|u-&jscc9g+Kmj|+ z3|$v+5K`}CiC{C2;7`bNU*Y=V%CGdrVZx_aS{h?arMF*7>}PS5Px`@qWxhFov6QyL zMN`Jr$*?hrINU)ghV4rFqRLS}ak%4sR&rH|{`#WdmCX-RbIm;gcVY{lA(P$ZJC2Kn z8HPrNUkquT^5J4q+b0FBC8I-ioI#?; zG|5iV78{7KnS)a~+=)<`dtz2mXoAIcgDZTq_!5O!0_x7u+Rl(Q6(Q?7q-W z;N2>^syC(YxBvUrcIQ>{AmDT30H%Q(z*O#WY-1~zs~27oQj8`g;LLr@P0H?sMr1L^ zxUCw?wjMy=q}Dk$zkc$cV&DGK_&90=or0Q~d=1G8sw$Td4QJ;Z8&4T_uj2J@sKP2A z@7|TG5s2xl^&!88RMbtXPf4=xOnHO`+p1?NerwXiMjSI9P-s9-#Vr3QiYLqO$ruTl z^y}q$m`5wS*{%V+jnj;H=dT z7&R6Lf5qriX}NsQrWox;t>1}84Wpk;Ii+?(x2{Zs;%0A!+4ExfuOe=I`B$;)+CSNUR!Qi0`wZ6z{^}MG zwO97rkFsU;fg}$BN^;DK-V11$S7DOFB&bZi?I%W|``yR(Bhl%7PYS*#JEeiJ#;{gF z+6b@hoN|WCr(+jG+{HB`pIpo6ICgNkGE?qxMS-28|zC!vn>XA{~%!Py3r_tK05 zkHcylkZJ6jO4nNYB6NZjVBbiS_ZY5a@_pBA!|n{NAhtV+`JRmtb&qo1r>*#rHXx>j zy3r?-)tTbsZr{tOk%9zS0D_nE`#O$^mOwH`G*OTrlDr4Y6kVzaL4!|lw0#opBPxoGcTwxES6EZz+Vgof1e#uP@v-5Alk8O8nLBu-K=w>IQp(Zk zoN1}}E?jN{#rVFbvxOYCQ}n@at>i1KHPWbm^7Ho>u5Bv=@0=GWL+JKB z%I6%uh|FjKKEVq|$d@LiANc>+#`UYXf4G3!;bseWYlDKgy^d*>K#2X2Ee$MardZwM zF8p&_)}`W6kX2w8Dm}<0EgC*lmdWVu;!I={X_l1w#jNm>%k@-)eN@SR#7nm(Ppt2T zziK7(&c7gL&>EaGI{ZP1^A}bTrLzzuV~c{-}^L<<>3Y`wB`EfAWmBvE#&n!Ki5>aFJ%@f%qXf}Z)JP<8U^ z;-SH92OU))9>3u8!?@CqLw5_G_X;OO!C@~pGLxu3K#KK;wc9~A4|_7{{>X9741^re zpP9bYUY2feM-C98cJ2@mHlBrkCJJ!6Oh`Zi0Q%q`5A9QeGgMeozXJRv`aAC|(Qj33 z1E8u&fuH?W(>G;Z_r%C|J8Fi$>9WXe?lG|45?-rjI`#)Jzx-fK9!K~{nD81-nByT; zi}x>@sk>30hsI>AJWp)9W6+|roW!wGf2vV;o`;8iG@>u7(Z`zLUH#S8s0}>hK+FWf zv-QeRYZM__qb~swKCo8GSzd!~)lCm$6j53zdbUEfGoL~{2gU$6LGm6>FUsL$ZsJHu zJ;Zs=yTp+v9Q{KSBO=B6SMSC>Ne+!qY}Aw!QA@sC(9XkFUn!xn z|3WY7$C{LypzD~+IlgjehF{JmL0V5}$`?YwGaN zr!cn(1mXXJwV_7PzZn+<0KZH~K2w8b=M;ss9{Of4>@mZ3&XHiii7#7#r2XCs;+$m7 zgt;Z$81xo(K*mZbMD*#DHPk-zPLs!hcs0^WZEvTzJZ;22WI1Cd=U6n3d+0WUs@L6;IpCYZF>qi8+pYtHlZw({GuU z4Pg)&!KBzQR``;k?#Y-*hU#Eh1G+w_oNzf}D5reo#vws_N%O_?DYSN z0HM|oXdSvxbwRnZrTXz&bM`7KCTr2Q+p+Hoh90laxU3q%hS9U;pHKyd+&bdARD7>1 zy55VsY}o~t z4&M62iPR!W{FSuXAQN&+CPu;a`$qTd3NlA~E~U1R$mqre5qv=p{X0G(D z5#UikKD_m|sYr)j7nTf3+3KahGzn@>mq{;p+-nnvr+?S$VJD@TZ09bm`HN16Hp7o< zRVoTR4j9smn#cRF$)iI2h-851jIa=11P)Z{@=6sp^UV$2u0Vh&wqf6PD72hEWr!?D zb!XaYqrO~*`Y~#00v~nVw>(=@kf}gqZ3qz^Y~^&qL_m0?;@u@G>a;hIDzhI8KVzhb z74EJ`0J^vQCblU--?N>_jb53$k0rt(dT@~e_Tq)jZO;L7nk~rn(M1Y7j);4y6W2!D z>FJY1tyEuTJ_tdhLC&okGvEH>qPNYm47N})=Hd~Ri}^8IwisyuoXJ*XZIR7J%`u?S z&88at5mSB~O{|d`A^{_-O5VHahE->;`DjE*F}i4+Qv=`iB!DoOj9aOiHj+-;M#-ip#P6>7}#S3KE~QNDE0D zpga5eAo35g$vFnlLJ0AJ8RB1XxmyHe#*Z(b(-xkRK)4fJ&c{>hZ-Voe2vi9BLt$ww z0KNr%cE*u*eL*q92&bG+0PQf`spL}FpT*DW2Vh0(&(GVWh6nu9_CKI|4iB01!fP_k zEg6p0j;>=bL#*B^VN6EiuWxKQxVBwOZtRne)u?x9`qgb8&33xuh*4)$FQ{+*VbFfO z#ZAKZ^Ju&`)I*aM5~P^Z=m8$=9ABdAI^Mp4DP;zz%qqkMj?!`-lB;W_g)t^;o87Tn zR5hBop)9=+y9Ov9z$l(3@6DLZs9yx$%Y~Uu{vJ`k=LgK^aI+P+8e=-kmfT~ByL6vM zyM0=cQPctgSbPYG${#v!-Q8jffY;89)bX3B$Fx8XHC9-&qs8a@iaBt{m9Oq8XT-2S zGj$#`3uKhD`y2u%&>+#Pu4*s(GK1>aKk#U;SjLhxaQD`3NFC+pc0wtTjFfg2?5IH& zpH-cOxd61|O2u_j@<_5`U=2JOa;b%k;nT>7k#Y?QAm`&+EBQO|Q7$uayubr6voO zy>~X#VX|T3FSW-*iD%3>M3h|ai#<46_AI3L<4t@bI$fgvbe_b=@8+Rh}e;3s` zo$cTu=j-UtW%XYxh&o-VAWef$Cv%ZOe3gaQDv7aN^~wB7TuX{k4hvOWvbsw~VAQT8 z?h-xOG>~0UxZ+EofBfoRyc038D>oQp$Dr?2jhNE22Q)oS1d&&@I!VIlU$G?er6}K+ zW|XO-&h^MrUPSfF6&b1>FW-~qYxYy8+&RFnZ+opk=ekh(J$A1`?wam;X@jd5C1m#+ zLCpBFP;$(3cuI(oaHH#%d6ExBc}k7jQEYeQ@}u*f==;o<++mZathlrFwKAvNqq+Du z(sr?nUHCfa+G{B5VCCq(;Ae5-{z_C7BDR98v8^L4+G>#L;Yzscn9X&jX;=VFt!1!!X3)uJ2U3{@KFX~n=Su5#Q_KTR_Rsks^oOz9#5+CgD=J-jb|f& ztF#_z|CWlCY_8kL@-7$}h1Xg$Ktv?B5I;dysPzX7fd~2EK<*AV|l+ki!0(5KSO`SIqMt>xoIG=DSnGiIF zN8FDiG@s%#7hXy?e=6d^an8oQGB|D(Z1hfOZ+AUK{>#We@qcoBV&vdV%6yfUi>5Jt4~9zBwYs^0>ID j##|X_lf}dPNT^>g@V0C|Kmz>F8a#O!73m_$$Eg1S7p*QP literal 0 HcmV?d00001 diff --git a/images/pihole-unbound.png b/images/pihole-unbound.png new file mode 100644 index 0000000000000000000000000000000000000000..30e8175bfadef8f3266efc9b0befed76378b0d2f GIT binary patch literal 35561 zcmd4&RajhGvo;Jz@C0Z)K(LUY!67)TMuWRM1b25x=*BGx?m-)O*Wd(qcXxOFCS>hr zKmX}}@Lv0*BiEc`l-yN!RgEzNWu-+?Q3z0;J$r^K_E|{&*)zD}XU|@wBfS9r$7e_{ z=Gn8LVlg4GqRaH|+?jKvO3Uw~3kDbGg}rgy075YvI_cmx8)s)ay2uy864aUW)z~QQ zM9cg8$=~6Y<3ebg8rU-osWY+T;(A{%4Aj7kFA^gqlU=j=sxJ60?gu=9O`iRx-SV!6 zd;Hr!pvPUGAqhPGJ_92?{*od+fBXZE?D6+2>CQL7-9>$<1M83|g3Q6F<9C>+)q^ zUWAjC6|_GYRO0}?_3OjGLBmaIl*f;h zO;Jv*&Ku5qeSxYe1FQ&wejVeGbEw%EvmL;M>N_+nP3&C^ttkJKGGl%>P>5&#(8L#KgN#3#=NnZAb%R6fpR;zuaQ`lD2^mvm0 zAB|dAHW5x~+bH<*7xLXT{~JLcQ3i2U_l(Ui$r-W*Dkr$WbAS)0MH+HVrAI~AU$;E} zMrWYfRUOA9(b#`O-M}Q#i(7j18h8vz;P-3>!BuSr?>f2w69U3@10Ii?_-OsX3Az#6 zTEN|BS8m`bAdc3_jW+lOxJH%198`lUA*tZ!W%{^8^jvcEMS~@4|1QPD>Q=y!&}a#f z4I%s1$VX-nLs{=#aGWJXK16t0&jzdnu+GRZ{wX^Rd94=yNF|u#5{!k0dP<1HWh&ZX zOnqibbDjVo5HNRaQ0T?bH51z-U7s8Ol?^& z4P46mNQu<$!anFMIhm0Z=YIVDO1&Za0>B?&23^dt?&~$%89F+og;&Q!7;lTItXvo8 zbaRwDX8v7-FGsnN_wGho<;6!jB#q9DfUVA8Z!1OiV`)GZfEz<3^Cs>zJu)xO0;BPv ztv(*2{!)_(4F_SjXm#NL!#+Op@m9NKaHfpz6H@yjD)E`^_PVARy%ZqAqm)^*S<6GI z5;~+v?z6`vZ+J?)2VE2pmjXz2Qgk0G#7HvOjciQMfK+xwH zCq`|B#MnGTqhO9S!(>KXwcDV}TDVZ{);fg0Yrn81Sc>87tkohqc_AUH%5bbCoaxKiNHA5$SoE>3NsI*Q}y`g$P@Zfg}5h2OBr{>gJ!j3VM(r=4Rq?*xrt$vtJ&6{hGjFm=wE}VbWV+I}61X z-kRjeR*UWUul=&OSH0LNnoc>P_XSeb?``kCFWOR|3Xs?ud2VicPU(zNnY$nYegw#q zp-@qoliY5uheVR$JPMzH*;cBXk|fKDgqZnH26&Tjm*ta1Z%JCZT|qAm_iZCMUFA#<`us)X_QNrF zvbJaQ*RLV-h^pP5J0MfmKmT@5fg-^4Lg3cvi$xQx-qVDwMks^Jk^YUgp|WOTWU zR4;Vx$Grr(2z}_A`%M=&P%^`{oYZ4k3fN4{^mJOL%xl}tv%JJd_9HIQ8xHk+B3^k9 zH>2L+Z+{o>@D07HI4xH%s{9^IJt1ySpwN$fS59lVcHAZRs#UZ+On8Yr8j9{+NXnye znWPR|y$1mMm}XEK@D?7<70D4&-#{Sh$&@^5ZdTH}L16InN14|}2gC|wOlN%4^&PVn z$;GmfAE=Ed{4Ujk$!~FQlYJO4pbMDLzX`<7F}DNWmV}TUiKG`ROg*9gYNE8K2WtWy zmDnKR+RC!#dypQC|@7|JXRx<WNA)J7p-J-4j5aYzVs2Sj)o)3sqiU1~n{39tXX`lIN^%C08?gk1XGW0_TRf{S8 zaH-waxmD+f5Du&whH|czR9v53GiU)UN-#vQHuoyClV3cRpMO?m^w$vN&}a%dw4H|# z`N{W{l4(Dz25t)-e-2iIC!5w>TjcU0*!`454|-?0dA{TiK^RFVjU@vXzTJ|nsn_5a zMsdh7*3cWtOkcxeJhyKVsT>E^WXxFpxbd&MViNy$R-^nKYIjJq__=jfg3$J+hn1sVHF)Lg_~%WZJkOV6_4jhMfjBx=R@k+G+g7 z4=1Z>yb6WofgSH}Y%o>F;3CtGLRH5&#ctn~lgr^GSqEB+ZR)+w#xC33`_%bgMUgQ? zy?6SyqZ~hc3R;E0)nrBD$^qxvrtDAyJ=2EaZ z_3NNm2Wra@*)mcPehJ$U0+vH$Y<`b<_bty|`W43WGOr@=2>endbjq-==3?gbBPx)f zd_XQ0qqzjQ?bgg%pdc*~e*}1o&vWr(k@n@A8(#+lfdxxaz1+*3*mDU(v>>(R*Oz@_ zJx2aF0R*gqAg>>_Y3g47gqTnM?G-g2)XG8HayI|DZR61u~VwnzK_)1|&m(XYy%q z#(Jk%>Bb}0KYT|T3{&Sk1@*>sUaX}ph*3+ z-3oBUJzRaq{>v;ak&G{#lNh3@trvjGy!5qb0#8CNEf_f)O^V~}P zDnGF}wX)v(cID7nAa* z!!5NH%XOllo9gWMB9ydCi`h4iN3!W#4fcYmoFb`B#8>#>bWzkHsfsyM&M>gUFLRF) zPm3XgR`Ny;()8sGvp^x^X`0BLQ}%7c5xZQj50ST5h8&$Z=;Cw>^6In{ug7|EUjSK* zCAd(EfS9>w^l@2y44(Cy+m{!SV|o|w);sC(ad$6{0o+eR4Go8X#^f~9xV9&sN|m+V zshba4fUDo>w>jhQeAsrg5_s0}L76B3KF!!HUihGfml~b~&3`hDKJY_=gjxG(QlNak zSl&ZnX^Fdh&WcXcYbMR*ApfkW2h}mEchNL(0CldX4^lfDKTM9Df~owhyQ&R@DHGU+ zH{&O3N`gZ$p(8DwS~d1ZzLdxbqoIf=jqzA~+j^++bVw?qS6UzE2fkrF3z6XYi8o2A z6X{*F5|OoXPt#EuIm)&Z(&VAlD^FZMvwFu<^hMoitX(}vs7KxHv2w%J5Biu#?QJ)T z!UC5%sqY|gdHQNC=0p5?z;?E4Nw7cSP16@p80yhf)V)|z?m4`dQ-!u;#qDl=fbEE& zXgog>e*k`rHeNds((eH3SUMF;nj9P%WG)_!ue@*dlMiFe0&U49Z#N1LMQT*ht~D7% zJW67vHRWW97V;IhT}wfaT$`+3#Hr+Fs5|)OQ3gW?{k9OosH!jOYMPcU!@Qr4f@cs3LhF0W6oGn7ioV7_4%5u~#brS(U?T)5AO$WTVAo3bkt^cDUC3?d6&nQ9elML#R+O5{nIbQ29 zW=BwEvLFYqnU$hc{(U1~4xg*->~YNN7F)8$&S12_t;UTTDPdP*U*Uvx4^p-9c8v0OjYN-9QOR*^=DBU?h zNaI)p2+?OF;+9?bcqNlO0Q~T^qKmm2m=qH4V^m|xS-pG*Ag(QVuLPLJDGS^RmC{j? zZY7U~I5E;;evg{pa#)#pt=JEkz4$Gt&z3paz#@{S8t+}CA)nJK;V{v9t*)bKkWY!+ z?v=`~_-VT7G!Ij7SBi`FV!r?(PAJa+mHM%8#);DQEIpNf_>F9YBv6tR;^JmwIqdJ+ z2d~c`JL)$Yg`6jh)o26i4@-Qbf_2y1B)m1U9iiOOkI6Pk0R({EYRRlj!WinT<1_6L zp+Ypef*UHBcp~j4w#t{teM~_~mgu~45m#UNBrhesiW2Qu15LS!wqdp!=a)S@A4Ie! zPyiSn>Hz#tw{_#TKw#-dYB8nHI(ZOrO2pP39oH~=J(_9Tqr-tj=@0*wfhWVe5^Mg$ zc1HughK6~ul+R)Mq*x#unOlE4;^FP7o1mTPp6C$#{KQB|lm@!LjGJ&{3x~v1`=?YE zyWEgl6a$n7pHlYsF%{mg5}0y4 zj6PUr>E?!K$sT^`5|q+MO)^Sjet+*w4dKf^p04jYvc!SvyB)&vr7*J)pYu?bXdf2} z9jOV;fB$6xJLE~9`1R%>YYqd}O1L%_L`g_#tP;O0%q6^zjy!PlE;B!0EI-Z={>cwC zLlR44M_x2{eOO$ae9C1Nzi#Gj z|N1JMf}rO#4HADy5@{Bqs~hNd8P-7G7%Of6m)WDHAM3b3C@H!nG1T>6OVveK){`cF zi6^y4qHzeOe~S_8m|DHAUG|e34hX|H5gfkDE`NNVgRuY!^d&%O3IHpgATEWgC1l2nSg|}C_?(Y{+MA<^8Mk4_ z(#n_Br5I?a1-`todDW)|(gLX}77UdjkvwiElT>>&vP*IeAI2gB3c3@ejnq{9nsPVB82pEV_t4kP_F)y%F`_n0wCxlw51oFaW=S=5|h5`0|RiPYXUu0^a zDxLECqkor<3~kf?iJm%_dgzg`9<+wq;rT$H(L zb)O|m_o76PNuXy%qg5xbzg5z$WlO6BLDBuH#qVCQTo|ihPn-;>K4R;=@9?m2Aj#u) zhv@isO8pa|+galW^y|nmZFF9Rq}X{P2IlV`%)(Y56?nyO?nU;gg$CQrc z_i3NWz(zOwGoqwXx*gE^KWWISxr6R27bIQwF9&yDT`6Ib??pYvkG5%AzC2;sMqAO2 zBlqvu0AW=ZBX4x~=Q+?E&9#&J4zbC-GQhh;yx}td1=&`fM#duFo(#OBAco`>4g|g# zQ3g|;{}jtcGb*9_3WMotiuD~A@6v)J_3`xnb&s>6ux?{BhvxT3t&f=^PMwyldRT6(8Q5vLu z@9yrQXXJ<_s_@vq#^C6raM2n0y86f_avp(){he2xiE&MZ94}`#IS1ZA^OkW(sq!9f z$={EPFa#!F7bEoHLwm?Y@4r{%D66%H!Yu}xCE$q4OZYEH+Ozg;`4s7b?mxXdo=5HF ziIh{O`(dB({IN}@baD;Mk&4H!%RSh8rhu6G<~dnT9X}DU);f$i)}4odYlmg%+@&bQB4#wFMrh@_haN97=ko1v(wP?pD#;f3h!Xz@&X0us}?%svXLEq7YER9gSH=- zwrdp!{>F~T{dOjG07yvykP140Hx3imQse$O6XKZBRgnN3-~x`5s*%8Ae{`bi+q#Tj zHH%AC%A2b&327-5!i!VV#JAht8H=6#S^1x;w>x?d<<`+#P;Dd959UC1D>fU?TolC| zM^vcWJquxzqH7wTnWvl{t$K1ZEB(Nl`m0)`Me4Ec(}u=wb^pN5mzd+@aGB+%KofXa z{Mw+FBEkA_H{ldfyCvKF4LLPE1rv%T=*d4YnKepHe6M9!u$z}JLy`v`0meC~wh96? z4B5o4AD(I3>W7*%Xgbm~wDB{}(S7W+fW5+mhNHy{Cd%nebt(j#8;Uo4yEA%(sy%xu zN7?lP)>hn6nq_>Z&PF@7lsU#?4RiC`2ujEJSRASSgVdwgr+ko{$9cFf zviNvfB<^Pd7T`%9_COK0($m}Q!#JSOUC>RzIqC_Hf2ARlYNC{vKb277?qTv93-It- ziG3--2#HsNDg)Qfj}^o|5R`B^%TGls3*k9Wq=r%x=cj=ik)ZahMOqwaQ;MqU22_n_RT)Hsr?(X%2BdY6q=JHR$ zNJ=l&mJ{0$S?%C4P*uHd8Rz|c17}Pu*%gz+I$I8ORf{!j*@WKI4UBAVL%;v=R)Ev{ zCt#sJWG{T5eq=iB&skv4GH%GLBhQaWFhBUjk6ihq)a?Qzlkow*LkfUdd(uS?2Ikd< z6FZTyo)L4!XwP1$|5Oqh%6khfNH^EL&KcE5J%K*%1E1}XyLufGYRWC@CvDLu@Hple zA&2>@`16me>zBp-&P^yIhw!R_tS~93ALKn8%wn6wAU1lJU5+IR3{k}9 zvST*aJYSXd$pj_!*6OO{^9`-OlVT?{qM`lyoSVI}5C1qf6Bt!5$lbq9%6qjk@fwxb zV3zb0{d_L^UaTN@y~LU(+2FR~bhP}?HXLE8?fVbz5k6e^fziC}^DiFn%my96)vUu0 zWuq0qR7gB2(f!$P!7I|bmU_a z{Scr9bzY~>QNG?dP^B)KOsqfYrU4eY#5-uDcclF{0_zgfYa^3zFxzm(h zF-D=QHqGG*ts*iWHrPv{K@uAB^WImaiCFt(9Co{vt5GW5(sMs>^3G`HWuM8A-A9b| zE-K!1dH4*fLl`SfR*NuD?e0y{0r!U_`nuI9CyzwBm#&^pXPjY?XQ85>0~0;~ba8mR zv^9KNMUB3bpN%xO{r;pjvb2bLr<}C65*ccL1eCli3QRgO>{#!rt1^#rW^-e+e)qNM z!;d_Q_c4>5*ci}pLTE!_+ZfHIG2df{fohxO5t{qyRQr;>W`QA4hm*^qr3`Ut_3&td zrjXCD-AKT4H*M2&q(!7aMw5@-uH_ZnQZHjlyWC18MG=pJ17ibUiQ33%n{e*4L!qg) zu~z-#0#+ze%lHs4YngK9k`V$BKosw3B(kDny1M~4?e$!lDYe8SFGYy>h8&@udy9j@ zkdGEp9@1k?Z}a$-Q=?L-csSTT{v(MgjeO$SL7IrM&dshr`g1c-iC$18<%&e0*P)Vf`5wY%&LqRaDQ@BQXUqGKia@t`?WilS+T2IaO0+ z-!z|CYpQlTOpT#`Jg8$qL+)eaeog6^TMNU@0$4f=U=lKi>Nh~XC}&*Y#4u3q?3?>h zd+(pvup#axogYda6ID!){S5pW1Poz;VU>IU&&YNKbAe>40&1B3^4w`>1d z>w%c0D6{yK`>KgNv!;QmI(ogM>x?xL%A)&^D-kJnO*{%7tQp%P;#wYZ_SzN4g^DvD z&jV9mJ_kYJ$iR=p|FHqRy<0w1JAIT|iEC^@Iq~vEU~P%A8u<`wpj#xs(@6paD#85F z7jXXo(!h}csCgX8{rk3sU$c!4tgdK$R)q?cIWASr>^m#r`=8N6v$MzEneq*qR)Z${ zJ7;t{uYn2?(C5)RJ7NE14$G<(F;EQ)cbYM14c$6?t}v)NzB}s{?ujhhpv@ZiF%V0e zQm0yJV|sEt_A@jA$3M)ha6!>mH2dV$sgx8#W)R2!ic?HO6V+HPfGR4M4| zQR%*CW*G4>8of8mu4Y0K4*~btces#L;0!{2!?&C7yer%7aIE3i-dck%?pIhGczCY<4K9zFB|$aAWS zuf^jX|Kw~lG%AP0y+7HeaNMR^zt;W;|G=~ARLG21R7-p?n^0A~vgyX=JTBt5a|UYF9aMDo3B|aus+m&OMPjA zMZ;Y^>u3{9!ubBiKV_ATt)AsSD?_PGOw5K8c^NKfSC2c|NFQ%w)_53d z8Q~`M0mn7S0#C;gr@DqwW*f$(g`OeRkZh*-L1F!a=-pjgUR{SjeHtH0;QvQGkt_yU zm4drLo`lZ&u2kPJV(NZkyleFCyQ@fL`i;96hsJvN?FY~=k5GK79xHxnr$oRstMjGK z!(G=Y9B`y!SBH-*2KcrXyo$_B7Cm1c#s-9>c|8Ia2-U;4ZMe+%YC-rXA6HYGVMRoi zcH3{ZrjMX18><6Nvf~pc`_KQC`YT=$*i$)7ze6(zQs+Cd*h-P_xb4z6be63G8)ayc zmxy;oe?ris94A<`!Ys@<3dUkdTWeW7#U>?dJNgCyn1L2N`LMh!62wbI}k}ymmO} z80_D#t~2hQ_cRNHI^+Bg25*zbqten4lDO3k9(Q*t6z(UInc^m~Fm^7ruL9&X+N1g( zKfBN{u~VI6C-Jn3Zy=B)y|-{W4RAQ(7@fbDb+5xBYKXY-0%HN8`Y*h19Z`dLg<%6F z=LENVVglR~GDm&i(-Mj;jH|7I!xoid}f!6B;D+oMAWX2p&_W$$%=+BC(! z_ZWooyE}_r>62{y*Sb7uhM6W=`qLIOv4kERkxqplq=_kalhAmO1el~0j z+5 zsq1do9m}vln~I3`Vykx)ge~bVo&w_u>cw{i7IB2-Q6n2EOi1R5JpEIgyi9=hgMH*j zBLj+|p|eE)QR#QIxok{)VJ!1Wlq&W0XV9mq8g0viLly9(olygTbl#MzUaV4wed)Pv4v)xX*Yr@BSc+%=wA}wbE9k(bWw)JIDStYYTI}58cyc{M`gmeK zCB`Fjsk=uNEczU<@Oz}kTCM^MHW0jlKq=+Twt=AGKipr@^=AdZWD{zO|9_eKG39!r z21TV6IiUunZZE12H(#ll9agdI@bX0P-)PRY#hv|Y3m^rGR}^9=acFIC9??wb_Po|Z zoEScr7ER_vBH87hrZ&AG2Ey$x)&V=yzIXazn$v7rbUC|74&L-Qb@eGe^Jsw*)v0o$ z{D=1PgH);Glc!39U$b4Nu|Ux;h;TNratRWuVUHp9R~I%AfIwHsa!s>}qs$N`!je6& z;H7^>`n=Z9i(O03l<%4U6E}d2X%)$Q{8lLT5bsIFj`@bshLN(j+(#-W(7-xA!#%41 zP;c=j!6+<~mSW%+0!a#)!#T|X_vZJ8m0);139MSTfD>fSGUC5*e6-Q~q{g-SW|hm+ zD;RvL`-a_uoIg<#Fs^-6oO7#eAZqu&bov-PDJ-%}&E-X750QCmH(=$fVD#43&NGhG zB98L(5Yu?Pibn=Wp^xBw!~jN{J!JXxDjJJo)})CaT@5j2y`NXXxQ};x_xvY#@|q_# zmh#KOe*xh+5FB^|s9dgtUNUF`+$vkYF5Xc}^Db{51BdISPNQWJv6PCV#ZLc0<@0i~ z5_wj(f;A|zauDAKq`kRSmi75#RF2u^W~#@F9h>`c)h7zVQm7ZC|FMusI)UVXuFOyq zx`4{Twc`#$BloN-+vP$TmD9dF8>#tUdlI|I;Rv@Sd%T# z^aDu{%W2mvj`GWY8J|%Fb=y&lItY1}`ucTizmjJ5ZBY~N(%94{Fx6wiySS98q|VK& zq5WSxZw2xSYpf%p~1iR%p?FG)%-W5a2sC|knklT4uOOyYTJOL17w22Qv-?v{< z14*kRb(8nkRYySrixG*1wRPH4$ZRDQM^vOM=hxJ@4kYuo-cJ{3RJHkszcM@n$4dXL z4}J%k%N9v|R)hPeL&KS(;r4be2fl&3X8i5BqhzJg#Dt@2JTOPLF$a!)eXVT6Ags98bM$ZgH3RA?S@cLC2B4WKW|GQio`hACid0=vexPj%? zWlL7gVvhK%zS5nIzeY3{(+3`B_>H?rHI5OR%axN{8H2v9C z{vzxqzB7`Yc(Ckn7B3cQn1mp22lu9_4@- zR7&YXA?mo^PMkF&kuX5!lDZtGqbb7h*hH8vSjaMv6C7S+NR2;)9rsiG%6t)wa!(S zg}kkGr%0#!ZWRWw;N&C*=L5%vg0i6IIr5w7dm856li zm*j#hO~f0CKJlBX11bfKszb)}a`x9}a8yIW>{#A-jzNyf1c!0BM!!|eT!UAov)P~U z^K--pGY1=v(dMOq^b-bNcO61@GP}LnUhBrZY7b$%J-_=dZc()x(fjE8lI0AkN+R>|D!_B2YD3E#`--SC_k`>LX?&S$3YJ zU;@t0BlB2A>aq3Dwtn8aqy0rZM=c^7hg+H|HVrWvP)k+s%u~1L^%$yzr-$|5a8HuB zd;|Ij4vP({bG{lzi!ZnP17;BltYd7~KJVtPByuzJup$0EnhnAM>S~}`*Sv8{MxM!e z1(>q&?O}S?`X}@j(eW^4duJ>tDUyzEbvvH7+R!id?M#sO^whKw)6w51L}Iv9o>eK4 zohlhqk)vA0dH3hy&{lnLCmDC=oyhiY{%~@qFk?hC>Fe9zj@uUyZEqb4mH^Jyq9!~B z!S$&=vvq_yuAFhNY=)*0E(}Ve)wXL@iR|WwWVI%Pn8!Tzh>Q*5*5Q3@YF3dZ0!Ms zzqgjx-A?+sW^rIJQ`hZUdEq`b9@iBDb=`uE)sSNipOEe3BePimMugIR9?E ze&Kt9`QVm1;TUPuw*KL{`D&<*22h zEftmUySO!JggzQJsHUZL^*9WwUd1p1Q+a%|-S-p{tyJpmEn~U@pB(MgXKco@- zZk)8_@A^+&JBQ5<^{^=R?j`3&+q522l*hGAAg#8Vs#YrVUZ_gZm?cBrNqI8GU%lH2 zKGG-;=nRjRn1|$TFu8BMw6y(xZ6M`h^?R{C0>;WbMWUUnDypu2e#15VTpku?S$P!F zke9E3zP9aneHwBT&(EWt{zH7F%8Gw^(IO7uuRqdSEZ(yW+LRZ3k6H%`THJ48=+qZx zXDQ||wHjiud{2p)2u3w}`xJSD2)wEa>1uV2%>@e3V1Lze*Fk|=AjWbE=U6UCJOru& z95bXawZ25USjh0%MP9KdV=Tz=nC5WW_sgn0T%Ncrmk0Lt2Dgf+TcB2I&y4W8;Uzcy znlPz;c#N}fR9JPI^GLUMwi!01VC>#EgB)pwu-uEDY@1M83M8QE`if5-6<^etcd_|) zdDkl&(g5FYXh_79akb*p`+&LgxvZ4UKb+dAH_CC#GHgl!kHMDI-{?WFWT_8J=Ld)7 zJNt*{63N6K9Q3b=l#^oHD1m|oe7U(9sal#<%+;ut!*a8(;MRJlS>xtzs&%j`|K#sj z-$~_DW!)8Sh~S>ac{r!Zk2$+sje&ZFrp?Iirdw)Of|3T$B)g69kurN)a)~yX)fP_fcVyM#!C9B z)%>(^qx zA>-nrCJY=r&Ndiy%D}#e~%+OX;aTU8d%}=7RLwDBCP&9opRHaa1Fp_5O`7K)Y9@ z4hkBJ)tAarjiVkn4pNH8b#IS!6Ud>L|l z3^1oXrN9&lxRT#(S`qXrW|@aO_%(-#@0MNV!|&X#?4~K( z(cMT?RPf2VhAC<#pO}l~E;Os<9UloGF*8!TxJ1dke10vqIRomrH$IM=pnjR1lAhy0 zhWy{K;lcB?)M}sgh0RQn6!$xD>K|Y?ctLVYhSCbR8`|1*YA;HcNj(k&jPAE|;sAQl zGXPU%4Yd(Slnj^luM>#u`r2nobJ4-N+v^p4pT?l$QW*F|3l$sBcM^$j_f%V)uT>~N z%vHsT36u~?OtUW#IXabXlVX#98NzgofDRymk!Fwte)#BXWvXgXkE@!!Mo6en))!5b z&s<-e%hEG-)?7wl84r`zqnT~czd)B1+pWeKaF!xUha;%OwBhh*qy?$+y zj!9b%!SM1gsMlz#-d$PH)V3m1si5Jyo@l&7S9?(6UEhtqpSwup2ZLH_A&krmN4nW3 zAqTbfWv+9GFnxWLvrk;Slj51fA|mTWnvV4f1EKvZO*Xg3ex9oIPk>Ku)6ITZ>)k_~ z`J;NnF*H=Sx%@$*I$Pg+sNC98ufb$zbf>_Sr4518Lm5dx)et1I&Yc+QtZqA*`9Ps^ zp;Ty<$HOyT&u%fXKTwE+H(_E?s5fe6DJR#r-nW5>KD9J-_BTg}#7pz>D6 zgAVzksmQ;rN_Hf!pUPYjSDC;mETk1C3KX%k*IC)SOD#H>S7>TeQexY-)QcFpS%y(D z6!E(->SqjW%+K%4%`M>Z8<~SDZ+D4llNPSJj_y|8h3}=K{B|3xF)`6X|5;$YWXKm;2l@Xp?p*|igzPt>nJLA%)-Lk6{Jt&>2n)#&Fw&Jw*4ZN)AoPgZY>J(Oz z@X0)bnU4vMET0sq_2jLz5J&&jbWW$b@kTp6y+kr5G%bmTtMGtdcft>KV|e&L)c}_U zd%G=TSSe4sVZ>TgbO3d^(^VZ*`_a)!ZF$x;Y6Z%R#y@Z6TFjXB6w!-gnJRfbUen$~ z&Fx0RYXK1Z;|-ln#qCe^xm-~+h6^#vL)-~9x%vS_3JDTDmt8=v*d)cKB^&7A%;(*m zbT5e55is8H1+I_~6S2Fvdh@t+883JdYRbx5($RiyfBF3iek^6LhRNj6>gc*%=17-E z5X8mcWT&<|>RHj+a_K-p2+4217kbSz#(EuJ)`c>NpJBRokM%|=4zm;>9pL+&R@X+R+ zUSEgSyb7C925Fz4S<`&9XwAztGpXkD`WXtp1e9VDh1zVJmyR%DZSDDb*Au_E`Nd|) zg4fL+3@#N0+i*Woieg|qK@r(mFy1W4 zRS_=}`u+R&#igYq{-U2H2A#@EN=M@wnxLSHuuj3f^@FmV(!qIKKS=BAbhy;)j|>NW zFA?_VOV{kg#cR|psgu%WO@2o7OnBN9$}DKjCw+2vvt*VAarI)V4D{PK&aG;lBU;V) zf5CbT_Iet{vom%C)QS=Z4A=vXPVKCpy_(Vx(>rm?yGAwKZPguGR&_v%;<6MYWByFR3126PrV@TEVD11%b|@}8KAv11Y4DK03Y%N2NP%WQ%#T!v5HVGCbYqQ07v_qukO67YHkyU&=Hca}1WU}2a^Qt{`v%xQ56ZTBV-0Hcs0@rKpIlU3N z8}mQsL-0>bR7nJ_Fs?l>E&tc#Hh=>&4N9Fc98NSCfl(pIS@#VkR zzRPij6==_=#F8U%OM>t!lTKF8`A8ftkJIkX5@2`Z-GmBtcvT%T|X! zoNl+Vd7Wf4b-Azb%;O(tWqw=2av&i2cesG_lFVFYwzh$vk5DQoAY&G(DQ-9 z&0^>4H+N@GHx}-j!knT&X_$;e(PZV`HTNCg#eR9gSzQ7f(oFcB%+1h)ZOX7$M;MyF zRmIya@S{6)Bfu`xxRAq+NYiZ!F%2!HlB;eeJm;BLEsL(NM*I3a%#Z}$XnB}5|N3>> z6cW1mqApKt?-Q|0-9t;&-i!JBa2-Mb6J_*T&S8XA4~xy4xw#ZSEP-xUz2JUd>(9gj z6ans*v@ymRwr7b8-4h9xxO2MsTIJqvRkci8_p0Rl$JLWVJ_*Zdn7hxU1lU^6!YL^z zXlRWk8dP!$zTxst^#dlTdO_UVMLvvKUHeYzHw<2$=98uDd!7q!?rj>@H|4G%KC1FP zUNrV}k<0t2x(-%gNi)(POLY7myf$E-8$<97l4WUQ>-XWRC3?z`vvly(;2LJm|Nwjoc5GpJJ3S2+qq?i~%nM zWcExc`jJ980o@1bsaE(28{Hdb+Ps@MH-TVoIO+iPycUqNO5!?ryLB?RKVTJXK*q|T zD72i|T3^3ipi$JszDsxn00xepa~W}!TdrSpH57Vb+f+ymP$ z(W;ndlvdW}qH=N?-=LRPkXl%i)UA6KNOr(Py88N(c-_xsM+g~pe`{DboJC4wX>on& z0MzotQWoPasD!K;hO5a<^aae5mxksPMkHx!8I6kq1dbv}!-)8u8ZU_)Cj@ zk}4H3_#=ZghX;r9d&3ELjJ!RtlF02AhZ)bCQZ^ZYN%v^00 zdBokFSg~Er_3hQ@l)ZF7tjF#^$t|hJUPa@B+e#9<$j4oqPo)(=F98&u`9E_@j=Hl; zDx>MorQ`VbCURzWb=^vEj0b10Djmey`N}(!=Iky!b5v-qMq?vlBNI67*A;vY50_fs zjaAE5VnLTUt?8$ZiXKjHCYs#TfeWoeH9h^!f{nL}kYIfLD4M8qu?OC@MuD6_87fcj zIp60mF9O-p!arhF zo9?+-`J1kX(y80}nWi|MFLsgN@~qMxu@&f8w1Y2;k{`?_9ttil0xy6WEYO3{n64gY zqfgAJf|B>AV4v73P>XWGFxpz1p^mV3JPR-#M+ZqlqffvQ;y^y1dTt#Qo5 zO_S9)@WFGseT)_sB@ve=S50H1VTG%sLx{lEpm}>j3foXJnLHGFV87cW-HXT5jdepOefbCfTRJx&S>XkPzp^UEOzN z9y}WA=-~BsTwn`$WkxBgCCj^~Tb*tfSM>@TTHf~r=4dTez%!i*!Ih5T{gh8^&Zi#} z5LA4a(!f149L9`cJ`NmPO`o@jAI#Qp8piKgFikg;=>en#RoFs)G->5xO-H zzKHPEdG;|f8V~-c2uu8Rw|N_}g?R7&Vn^OUd%j(d++yRo0NzCiiPvz|Sy7jICbM2A zeL|eu-Bf$S;qTO&d_3T^pp0y|k=z7WqbZ<65V9C}R`!!COSDg?Cy|fqoavTYx^r{ef;qpubPuhp zLQmk4nimVY#d&ZkU;&#nfH(Qf^rWzMwjYZiX??^<` z5si+6&Sk^*d-L|Af5x_pa?8w*VswHF6s|HrP)03~6AAO4_rsPjNZlG#dq$|Eu+a6S zn$qy+OtM#aB$f8%=MJ1pTUx+Wd`)xG-PX40bklGw#-T}-VYY>I%?1I5}?e2HYVhlyBGO4CeZWq zKyH4V8FzJAlN|>`c5C&69Ad=jsid>R+&Y`B#^|#&I5NrX5;-o9O9!99T*%^ys8IeP)8iii!jalV zB>Z|;{P)c)Q02E!2tr?OQH;%#JQc6~YEMI69fTIoCox(}rBJVP(jC+ibiai3pL%r? zKn~N4VSeeI2j(1V!KBbX1!^}}=0%QVNCoUjD*2a+9VJ*md8o=(p!uWJIfY|#4tS&5 zy)z%;e};RNP@}6haEcpRL9iOBK}d85D;cR!r3D zRD<%Xia*c*s{!{~SJ$wdD@L_-kpOSJ1NoOw+)SEREgd+BDd7Kxk*jaC5COF#-WBv)YtwUc*OiM~`4|ObSm=v}B%EfBGoe9$s$xSEPR-8jZ?n}4Qgg&~@@7h(mm3FWrvU(8FV=jnEcji^b3&Qg|xsUl?u0i~$J7nbOH45%6iq=Q*wS*!Y ztJ?+#T^?K;leE*RIZk%O4(P|_AVj+ZQ=D^J^|P`Xo&G+gP}l6Sca=XRBfY7_9OiIRz|M=f)^Y%8?okL&ecD5o?2VdTKTMUE{G@)F5O9;WII! z*-RqMWYfu-AX&wbq9^U_d%LW>@F?yIlm76(Q;Y! zjONFHGN$|Z96K*034+u$Ku!k})@C9i80?I|zMljnF_nddQ-~P5f}{stsg(7Ka#*N;{g$aNJ2;SyRqWoWU)Bxw z&g5P|!YlSrwb3EVg1WGnsb=mr@$IH2yd-Ckx}z->*3_zk??vaAdO0m6}-<6z!hn;_dWUEPE{% zMXz1@|5f+aL2X7~yJ!o=S}3$waca10aVw=ogF6&=cQ3_Sw57Nf3&Ab86)2@>fCPfO zy9E#2m;S!*&YYP$XU;!o&bj#~!(@|p@3ogaYdvf4WT8oT*KHotj#ydNCM+5&l~UlN zCMS`M%5?+kOm7Kj>)oQg+<$NyFk}_1gh&!~UjMG{D$@@FKry|PHL2A3xITJ5==OHH zx&Ht%RJ*%OH@`j!EAMywzQAqz0GIN!j0>k;3n;R-p}CoaNsCF@*^6_J_9@@*S-8`F zYQ9CGon_~%2l3x-_jPdO(qh?C71ss==8^mg4zGMRF&;=Sv|fRpKJ)hfrQ(yzwYEoA z))f%I9#AL$^>awLjqU6bW3A^zYe$mjW5}%8=D46!wol~jlJpPe zRC3Pt_HED(9Q%;Asqw|F>#(m?RexIJ;#8WvBpk0_C5C=wvOF8lTaf6%SI5Sm_8RBu zPIyr;G7@eM!QcfRK05}zhh4I|=+Z@+5Iz%o; z&!89~m>r~=Dw)EHX)?Cdy^R*N=CC26C&JiAMa1Xllds=^YC=~9x?LT3efNb?7!_2_ zN)UhRPH@?XlAdgWvwxxLFwvvkjJz$uujxE54`+P%%iq&I`a%2yqrzx*{;)amwY}R7 z9~nneNBIeX9P)2Ejm`rjoTXzf4nplb7gx-S!a5x znpo0v!}rSMY;NV(?H}n~n~kmr#t3}FOgANQKBW`wbkpXH8UKu#JnEUH!Xd@S>&FDa zM2%}SZULEnrUE4kJv_h^;kOvBe+&gjpT2B^Vp6H4U-))!T^-!f}i-$pUa(z#>pDrz249*fyEj(r17yV>Z>>G2D0Vh z=0w6bnOltbvMa%4vVEE#As!i~8XW8;U_Ubp-i@qpEOxfZdEtA#JLHI*>BE_Bemk8o zD%~@2sIHdu=CkA%gZ;^xpF(c+-dfx0l^}JDMG@T4u!n*rYPB%nSjsgm4woDWFb(t0 zH`%))f||YT1lwnU(;PD}P7l~qVnRC2xDL?-?AxixDcL5Uw}N&wA|~>qU*R7(uVny? z*X)SSs@v60^wcfSqMLLt)_kjBhZV%Cn#WOFrI%xtf00Do?BlN-9sm{(!wSM7!@%IT^T zux|k?P8vrg>*+E5co|$Y&6A$n7hDpVcv9!_#&O*pR-`D|JNjLAhXf1N^8K+Rv(3T9 zBg@FAxZl^UO%}fr3krK>?XAodR4UnFn4Dq*#Kcf$v!aCidE^i;X2`u@qF)lcCiXj+ z`wmoY!o-e6Myv~cn!9nfk$>DbQ%jHpmORw&8k6E|=7k)0eutvcUwG}cHJh&X=5(EU zZ9oeGLo_Y=I5^boU8K@qSG<^?H{K9wCxMRK>Xo*Ae{HXwT#23qPdvscgg+kgk{52P zbW`>*5BsI9l3&%~@*^G-)8_**?su=S@ONeUUeFIeMr0%FUK3d=(6eck284va1S&5? zPoMTa!Uy)YG6j#$aXP0lPpCEvgq~5k=3{y;EG)z(>N)fKOMLA92g>Vp`%xzCxQ#T_ zvR-Y}{;k{ZP-gMGp4lDvzI@M65Y)!2#is;wo^Q&qX6P|&YnoMSQnkF3L;I}t@eoc_ zf~Zmc3YHv@Iy=H5r^1;SOEzUMsn1ymVlz{A_F++}z^>nhXQa5_-qcLG)oGRqSHAtK z{GgK!r*rAGux9B*(B%oca5f&^*B0pAwj<3u+ieG|MYl3>I_Ie~_nqd;VN!Thf^x#i zeuVIkP3&r{X!$p9Cxv^aoBuTW{`MJb1`Kl{Si?@UdZc^exug;}2dw;vM=i|6f4zhTorRn4{(J(PziiDfL$ ztVdVGGb1jR;UN$@@1+iga#s~|*HoFVdZpqelXAFP?lgoZb1pNg#6dm!oNNwa1O`cH z#KbSU9~m`0kZ$S85+%^9S<{(qGTYhpdxFc03xMuck0hhxe(}sxxBR z%f5UIHMAC6?(Tjn;>~pUyXddHk$H<^G^=pZR~iW+i&=VJ+2e$Rg995lc&yHTzAfPE z*HW)eiQhep;=U)YM+s&8w$Ut_#pJ=mM7Ro*H=weqzuaa5=jZ3!28W;TFKLa+La`J#=IKUNQVA|c#JpIxaI^<)V~2e9X~ejQV9Co6a&ubvrRnG>@dVcx z3#i5iqpvDNJ+>STsAaYR+maNp?4)TH&_wxeyU963W~TEAEnav3jU4;pGw!G-_{P=# z=#gzC#)T>f^t&xUTdzKAcSW=^!9o0SXk7p)mOeD2(P8@H(Qb zTzWt+=p>%W)zNHPpnAbf^tcq{g4p0ruP_dhCV6ltD=CKPv)Sf-b_?kkvAykKX3N>| zjp{^PKdk~Oj}%b5)V*{4w{Lff;9h=bMyho)&LUT5LU$8lQMdH2-|JV-Xd$Mh?JB^z z`>yZ5CmQ6M&+Jc&zwf%qX_Ik!IR1t-Eav4!ihMgWl2F&MIl$tVz5nbrBV$D9TZdWS z9Hn%ua>uUue#wm;p6h8Ra>tqTh$Ilhp#UxsaLnph@!58b-I*oKzMQ+JZ|HEZb?c<>9ni@K9>aJTh+b=xz%iTXr@e zTsm#}t6las9x^8XYJ6l`f}lULNWk7TTxL*G2&DKGMfA(AyZg0K(~5{K)N7T6m_~uH zA09khb#f4y$be7NbkRrJo|59t!2v+LZ^x;_Ua&THep@T#%m^yW=zd5QvGco#!IvV7GQ#Y37hBo9h0C9&iL~o{_OVAI$WrR6$<8%?}y0 z*CJyyRw&XOJ+vAO^3%y%JE7n`ooz#BBt5;86vt3#Rh6DfLwCtq`T&ig!SLEi{cav* z{g+o)x*5!rzZ6yPIdKRGEcPY#$V50Co@AtnVCK}ZXcj(x*04DGI_c4!@9>e559$oK zs<#z0(dxk?Cxr@4SAMWBbNUiwS^SrYAUyPl2lHENl{3)DFxyn&$;!*2jU}yJ?~*A} zfoLl#e36U?M2f#Msa&;t5GzzEDi=gAx~s`r?&|UMXI0nl^IilA)`8Ys{g3!;aRS}u zQ-hH3X|2q_X9_9!<$~yLNpn9&vq9Tp>+w<;BX|D_O|`|9Am5`C}on*IiAywD+zWjkaluSsXt)tPazCN??N z-Nb5ALCc|jr}jlgyftoeq_}a-4L!n*KQM2F)DzNj@6BPwkYx#@J`OLiulA_~_5@e9 z^d#J13ebpns*EH&x({sn3R;Eq@UYGA6pTpeRbtczZ)S6O?S5sh!3Fa^Jy8<7V58=?g@~uYBit_^86E(!;Na%GWX~F znsDzfZRuBhwhq|ZTCtJVc#0~$=+X+=st!Xu3(pTQ0}j^lQ;csRd?6}$R!c2yGxw2Yuv#4Ha7o1!MNh^2fpz= zG1{ja*M>meolX+rim@nej~t)9l-myr>vs0N4*+%l?|1=cd((O)L$2wj6gZv652toG zcF9&Y$P(w9VK_YMB$9hMInrVEO6eScTt-`W64-F0XX`!Ejge)|L?k2yJuAQeq1m;r zxBl15G5{@&9P}1j9Q`anr7$7Jx=561Y!wMErNRdT;+bI*61q5C{&w*wcC4iRS2sUA zxKeA^=XjkCb(jMp1LXV7m^Wv?4V~UYjwYP#Gw3vEX*I|6vWEzG(WMW{*BF4Sjdt+udxwBoE_uj^6 zr|h0^!*7yWnAPlh{~x7PDJ9i=KA-0xFJ3MyX9vD8Y3!Yvg7 zX`!04SRPmAbMyBA2l?vtD^Vd=cm3H*vh`Rp4&RPRvEqgRbMY;~jijjn@q}cYPc5>o zFC6CsbNGWFkx^6excea;?WSvui-K?n=LDSQMu0~0ja!CS!zvhe)^e%%EPKK0;A7vL zoW{ny{)eQKhEQ{zC)2K*NaO=~U{LZ*_N$fifo&+D0ZRP*9nJfxFUxr~K8{F#EIrtD}s6Fq-&A z3;LT~zwk_)=p7LM)Ayi#G4ZC8r)N#Je&>c$8B|>xmHLFbb|l1yJ$#t`w{Zl`)<@-3Ydwfz7|XS zURUM(Y(|y+rGak#x#4>CcUk*+SXwUc+N%gPbrRshFu*C7S)p&xcVU%ZxdG}tBJ)`J zd!6$BVpGRvO*|&W-5r&HBk)edTVA526W%Gi2`v)aP9}q1%#JTs>0hM0@Z49SbU*%* z&YSHK0z4e>i43V+;){oiFXueA3Sx*ks+c|dY7L;R3M+oR0uYZ7lSKn-U?70(YElpO z8}q^<*;vhM=7tuF(&gM$n_IH6XP3YO?;qo?JOxApY`o5iHtaI3HhG%F&?x`Bif6U! z=$zg}UP%>2g=ms$g8gTdIh(`YMx8J!h~40%KHk&IuwQOm3cr{O=9ir%lgy40+5|F`g|cou8mg#P@iYSnmBddxT z;NN|1>WfZs-@OEK0)yB88Cn0DTVVWbA;-*N%8+%FC|5U4sMQ(-f4jWKDSvvlJ_?Mw z!!90rYLLx5BpBABQ*hb8bUGsR^bx;!QE}CcUzpf84;zWSt{>yr_6{2Hfua~9IFJq)aA|jxUa>sE18$K!}on4xq$d0hJwO*K)k)%wVZ5GlrdR(#_Rcy($O& zviF7U=*#()Z{H+{iG^Z-Z@hyf!j#1fHm0ry{;u}+uI`FzZ{Mm}>!?{+#wb_phC8UMD6ZN*JKh4vbGpIX}qR zPh=G|cF?YvLp%!M#RN?E-mfdgLx9w2GcsatZP6=m7%QnaYH+Uo{DP737MCz?W76$Q zi5-nLvdJbrU4OPMK+eq)*#3L>yt56PJ*Q_|Z*b@)TBpQsCQN>RvEk;f%E-8W$;Vgv z;YazVF*aSG_3duGg!6y>3k=g_vU)yW1tZ&k35crr7$)M6LKl_NJr!8h1hlfMYOlEj*x37|(%8e7cq=D9z2wd->wUiv>~GGD`h=RJ_VQ{OZB_wT(A7CJWJg{}3DncM-s z^K?P>$U2AqwZS+Vk)$gxaVDmX(Ej=TN`Lvh08xsCN zyG&2B!g02GZ%^21{%q&Muuz%5rKPX2*-m9|rtvry&ivnt^p>!pRt)i;q~gjF_Zfw{ zm@&%rn94@_-)t7%p0xwK=I#D1DW{e_awxO$+TQwLH@Q1XtS_;KUAOv|wsF8o2hNn+ zZcs@QJHPpvqkk;wz~mgN(^LGEuGji zY<3M2r4_S9^w0&S1j0yhr=d2-ju<&v7L%g|v8Si)9QtHWsjqwJf~>(CGmUPfSWW=F zLrm&LIHX;6p2d$rN-@nv%=`S3PL*J zeBD?TT8Z(&QdopMK(!7q>HPc^aeGrA(uxizpsKdhTIq@)G|b36Hl;@t(TZ3OFwzAi zs0R<9jpXU^+u~D*z7b_p>?gmvK9E@sC$Jhy8M(UJ=jZZXzVw(~+Zf3s?MpUpwIwB% z3$B;i&wcVlHI7zHJm_ZY`^&<|)NcY$Hd6bOozAat%(o(jE+wDQ(z@(t!BTn23F(ym zn&9Ld27X5?KKAwob#w^2AOnD}SSdG*@Z5P*>35bR6QO)_*kchO!NPJWmhMGFQM4T3 zy7-x6X%kxGyE%#?=fpUPXcv@7?dZr6betJ^WOlaKCH%whj8@3!D6ZLyE_@L})0cONTuqXUPvj)n=BJrI*+x_9cpV>@;|f zycpz#f=|9!J|8dEJ=R>?oGVLDf&t}T0V2nlhLIZiL^mtgO=?q`Y6%XbQU(P1i9>5! ztBj08=jVPzSeVDnUNc9g2oCmx1I*7Y3Uq_yoJPDpN1wH)5k*n4G$M9`>mF#xR#(8~ zm92i|$HX|8nSxiN$Mzg&dughm)5ZLB}ec8vUzseh(`tj2JE@T{TSIm}Z+T~E;Ja}Mnx-RzWmHl)bx-YmpQgifz z+Yhv<7TL9)-JHOrs#||{I!8`TZ91qv(}tF8wgMWW7zS!x^>+FasiMfrQf}I&Gzos_ z36HYtpOSDI387_o<^n3E)4~Ov=G)pW2ge;}u{SM1l|MOh-LT13BQB0%#I&LZwSj-N zw|Vzwe13A-IPDiGfP1RkDLqK0KA@GPu9mm2GKdG(lHDpBos0fy1Q5OB>oIr%J_ zX`3$tu}yj_Z6p$D(brj);zUV+&r$79LK{^W;dEnfXRG2_4gbWWRIfdn*~*mSRgNIc z)@t#7tuXRBM5)MrW4JetPNIf^NUL;W!uhPq%u1gQ*TZ^qzr-#ppd}pQzUYy9PUu(_% z)3_b_E;cP3x>i5Wq6zug*m1XwHPpC|$k+-~Lmy(N4k}FX3Gn-$BZh}76|tl(crD60 z!^EnIMjw(m)A8Fj&7GGC)ys#7`QqQef@Z3nt!>ixN;(AT=-Q*_&0R%_Sln&KOR&+^ z&e2Us6^R&R1sn;MiXmVj*g~a-S&clgVf=rWJIR<0Sup?84&~b@oLFY`f` zNBuPv)HQG0sFl%IabxkFGt{`oe)8&s@FiKq%n^m!v=vIgaD`*1YR z&#UY?Vxg?faWYqS>XBr(Wr;>HU%(V}r}*I`B3$F{SM0z=GPaX#0rP?AcXs&Bf4}u+ ziV(WH6q%i#>M26T?3|wB@_XjH@}xDNFUP$E5Y>GB{>EdPOWTJf@8}2T+Env~+S*ij z-teZWwV8B1F8j{w=l)t=<6sOE;ww2Jr1?)wNfSt@digh z5@Q}37LmK8apZ!}i<_ctAaI3pmF({n?a9Ud5VF{`0FF!;SgCnS_fKqQfvvD_2areA zuuS@+Jt+PGP*)zJn^fV3e75fb?{%g+7SF598eb7@AzN-*%DyXxQKL(YyPQVlxm%%f z<6XA*lq`f2BNK~wrc<8#VVaP6eyFGB^@aBJ7W3wh6WRW92H>Nxf-h4UuBKb3l}dIo zt^KZE?dZEF_c0c!u%%aV%EZ(QhzhDNjuG$x6$yuRAIm<)v?V&71 z>DhSSyRsNQ8hb?5*{+EEx?Gr!ru{o1t^JNm?HZ#*E=_W1&@DG52k(q3g<8o%me?_D zHJED`xPp1LNUz9kjZIw;SLp~5-`~z@3T0`A%>VJ4Cjgk};_GZF7roX9JMZC>QM-Fu zIeWi?i30;+?z<XOZ!I z+skl5ZNqCr5wE#MH@RkWW*PCL!_BG2n(@!&SLidjI9i)li1_v9Gt?&>LfY$cb;dGU z0KzgV0SL^$OY(d%!jt8w=#m3o$f-3iA^S1_EO=#br`r_WqdVez_CN*7l1uzeyc7kI#vpDDZkQVk<(m;iJ@QiS|6=8Tis%nNGd{wu z-vqTdUV9xyF37h&91?_DP1cJS^hGdvSXWjzP6GNHur_=$G> ziiRnhcHPcufAYL7y}tvF>{$EA-yB*rlmyU||q4N&SpS8A$ER-?+ zyCLl+^crg|?uVxJ9ESD}$(6JHlmx}X#_yNww29708xs}u1zepn_X^q|-lx_n?@l#+ zQ3$+P?FhlimjaysYa$js^KW8`ML(lV4wMwS1FsxvP{CXQX1;dTEhU;I`viDO_umD; z2Ip=rj+4P%x?5gBOTX!~!i@-Qg@nfVM5SXW%f{Yt11gmmsX2|u3M-sj9JBsCoGHDk zkJ970iUtT}0QK_D82PA?s}kFl`m0gGLx5Dc2P5a*EhVBNn@pm~ea~KiC`;5wt&G_{ zgr~ebS)Em9O@m%>QVr)M{4qr?+sRbnaGEH;nKO&w6xRbQ8~E@H^7bMw(oH-7V6CyF zXC;YETSdhrE*CIay*?}#@LCN)6Yy$zfjZP9pwS0NFg7gT-mRCLh$Yhc*gMMFa}$`qH`U5#6OGnlu4ic2J)}#0E zBM`nkdTOkOG|F|j%f7{-^q)|r16g*U;A=&|t*1Ybw!rIp$)s?7)Sp&Qj%#syvmEv? zk(VT&LeMdGlB&YEeU>Xc)pvPvTq09>2gt1O6Sbia9A}$$ErFVQqa?&5oQ1$P#a%e) zM!x3${)Jl*DKSqbr!V@FW;^@)zo}>7gCcW{RW%!|lbeBctDwZNa|MHw~tQa}PHHv9(xE=OPzbrbvCgEFsK+KMlH#vdUV5d zH;sR6z>rjzQqVTPkT)i*DOI>-zRjawjlF~I0pK|eNR`^JuifA>o|W~;xnj$>@>!rl zBifg!&c-*R$gPH@T>}E)&=a+t1%n)3X(aNYLm+$BJ+bJ4tb!*m!2zd}64+;aO+W>x zSJ99>=0h=F#NteGR~C@J?R(L;cx<;dy`_vTmx&0xxd|SZczIVgx+g@83mg?FqfE3h z0UKost7N5IxUGpi4%Ooc+El4m>p$3sfoMxx&;0H0syw;v z@$yW80M$edL}JHIMHA4SHAZF%+nWuiX>dU|`I@D?EAn)hPNU&g?|)ls!jL5r36LxnXB!0R@iL;dr|hevapSnsrT3mfdbUc zT);Jw>4J9PDk=E%_5dU@dh<($=Nf%Q z*;-P4pT}72jzZGV*gcC?Hl!G|H2Y6H_odee-59Uk4o7Xn1!CljgbUu?S`MXfdk@ps zN@*jdRx`9q*7&T)+l?h8jExoAb<6NV(vwK)%`Q#hpaK#IHOitL^bZALhnT3h-qn z3R{f68pH_L+;^HFnN7aEEb;sW@&*I=s%1)w{uNOgwsaS+i7jyGM}Wwd8pb6J0Xl`^ zQ<5+jC2Lw)=k_JNH{&lPtplhC|1GJSmxzUd`NI0O(Q^l^ht}$cr2KnuL1Rsw5eE`k z5`khrA7&5pnTXjmNyubj+UVxein$GZAw_Gu^#i>|13!C@TAgAlt9E(HoX!s}Qg;GD zE$%VQt22FJMOiJH&x;)L$h>#414)wJyHmACfWFWgdmS~`BG z=W@TZjth@IYlp58^g-8`%1Y;d#cEf2B5*hMV7X#D^8^G``1Ge*ZgDXr+$wHw7Fn*l ze0;EIr$4Prj7z$hAjE5(hs^bHgEwZTJ`A0kn*&q8)aW(((AU{rUxRk93lx$bs}nrm z8Y{EYsj;$o%TW^yT0dC%N?f-l{9?<9!X7N>IF>7GZvKkXn+O*#bW<$gQaWZI-wrpO zZ_`#Fi-7u#@;Vnf#=%}xIkV|o(YEXLxez?e4M+@oBV;YgjRlRQ9A=vcMmv@Nd+ID* zhzfnL-v^6&B+1nTG{qG?adZ{Tc>o}hb$bs~M~hvP!NhOofkcR#709)l*pdWL8s1$` zI(OHw(ImJPX^#MA`8f3hJ>uSMSvpw>1H?NTdljET5z{@u_bl*O5;9FE>RkzmQ39up zq$|a-r}3+!HH{ALOa$KS1?%CmJIsrto~qk5JCy=5Gm8!8iWaC9>^tC%S6TJ-Rk|8! zcr7i(?L}PHhcH!OYvFn7C70_k65sZrx-c86`Qy@j{fLN4~2*#pPDp?4Q{ABQsU-7rtU$f%p?h}e!Xo0 zWpT^Gol=9nPIq3*q9TA|j0*?y7YE~@-K-lagl`}MLSgCDV%BqCrtR`Xy)Zi{>m%APD*V1&Oq!#$<@v=r z$K0GBG4YR5{Lm?}ny#-t97M$rbs`=I5Xh~sXeeX~{bOGMV^E|QbzS))%u4B4iu#ep zZD(V}Vc4>Y@$*wEF4ZXdx_F9-9bL2bV(mr}^7Tz5ywB-2x@QQeDD#L&E8LM7_ks_~ za5|^!okXUlsT@l$vTa*(l0v}s$o(BsRxQYGGvEgj^#z>jNN^=?tmqXt-6o(#mg{L^ z6O2G@%3)^0Jrq>J+SS$ReIGOFuIeR?wY(57yorU4t^Wjf`PiBs8hE1UACNs>j4G4P ze9mK2KR9PpsC)=>)}9pJXuIhN*W_eN4_vbIeS-JcvBL+QbA7qUJ{ricZD%I3zhI@}4e zN@{8>W72NkouN>gRb(<>RUK?oTyAdyYT9plVyMo(0zU9UODthBWQ?ajJLqy#b3IO5 zzjvwI!+IQfe*Y*PhtPj}+`;M`QuYN>lut3EAdz2u=)Ls2@pSiU4FH(dg&fEF^?N>t zFBWQHCBeUaj*apsEp?sllFLQM*X|KB>gc==ie^RX+etTB@NVCkHEi4@Na75 zr6oz*OGrxVv649WAJjnyz`B{XLe}r&mjA?#`S22an{D>s70G3S z7b?L+)s{;U7+7SSdgh+rK!q*2L;qjVvq8c&A(YaUzU#S&1w#kDtBqiXiTm|q1wUQ&w#&SJd zID}bHcRBWQfHk=vz80b925_DOfB#z7sGOW1);LU`-kvWrvH#%>g&91<)dWESx+5Ho zu&eOgt@9Prx%`n0=9_PD0ep;ciMEpiC{$GvSTGq-X*vzHavu^Hc7SY@YzMbJt*v*NLIBBx6iZe4N_ zJ%NGqhzh5==8r&*Qs*$mmLhQr93Ztd30gmOKxvD5o znu{17SSa4HBJmgT3ZPIdw;W0t@bK~DfYSkE3HUbB>5lhUQ%Pb{y;zQ;Q8ZJdeHc3B zjtkH(BZ{3Aynz6bMQHJgrU-lRq@qpSb7!a0MBV)j*z0g;lnZcm>>^Cl1jlAkj294Oog}zIn9P{ci zdfQxRG$xQ_Rb*0geY9WgQv!@KdeZFGe_0<&^4zK~1Cru%yq21jG;+Ehgx&@~Pz|#N zx^NZz677m{rrgP- zr&FwkA_c=x8aTj1T@@upUK&4)(Q`=YV0v*tE8=|+iv1IxE}4|^(X9zRV!T*l&eZ8FWcX&VI_;3Uu1;sIXww|2Du(!eb6# znKm0oy-wT(1V}YzYJE{!9$V0{_Psq6)EYD|=;vr?U~A{;_@{7nATt53j4{+G`!L-gsVL1!U(PH`*E(A zq`S299)?LBR;PrzeDGBeKn~!n9U1*em(F~*GL$Kn-XSL`At6!r40?i_rX*~3=?=G% zzBKdOH)X)1>d{hX~mQ79Lz21nwE630fQ%NAFctpyQU5}B|3E&u>6t2_`@D>ltv%Gh> z<2%KX{ky71S={;WU7yP>;i+E!53J&6DB**SV z82`SJxaN8RbZLf!Qf_*FpSc1qzd> zzW^8N?CHuw5Zdgy$487?@4!nCx@Xa6(91=%m0ZtbQW#6a&yR2y%h?1A^HH81pPtqs z#9oLgF=^60@<Vh9Fy1W^Aj^@m`6RLzDjnI9Z!jW-q{y-d!;NasVidn|B=+r`i1p23;Kk z-`WwvXzP%VDpX~BYsXOg&2_fPL3r!Lr`che?tBs_nCR13@WCehXtl2ZOInkzcTUoK z>D-0g1|Cx4an&6~UbFpuY@`FK|I>67V6hdQO21iB;+Ek<(rkpRPIn%z_NR~2D7A;G zd@TuT50p=#h$8@#KYP~T-WyM8WJJlLNcV_UyLiPa=l1tJU1uki?(Q*kbqay$k*uK9TlLW zBJ_9<``D4*H##xx$E>`et0w3*_)FCH1d5XIwSpOqrZs89AWDP{rrqxp>XB2tyYb^P zEL7HTa!T5kpm{kJhzy8r2k8|3M+mskfKomlAO@|jPSIMi1e7zaSI*<5uWglepw?l? z*ahaj@e-tztf>Y?cUoK6rcGAyXM=QsR)PR5c#mF8MRDaI0L{*Jgi81Pg^!EhPUXnV zpA;f`i@+SY1yR)w)8hL2u=a|NePDZ_V@-AY>=+>a^p28mC{UjOC|A4Y&EKUPq-8zR z5cT-?XfNUnl_IgD3WiG7hCPgWLt z8sFwrAq;nLLwy1?FCCVvttv%V3y{2R;UV38_P|H6@bx_E<@1G-~2 z_u~DpPB95u+k^{*yC@9a@^1}mDl~t#NxxB_~H>u$)f$o-xfYb1T2vxw4;i>lx|zEPl)Q5!@rf_SsTIMXDcY~LLDL0QDSHM3A$;nesyRPfr%{|Wo` zR`eK_+Nhrg1FH5?h6N|B)m*3z_OHe5UsEH{^LE#idH43O0q(AE`0kH?{dfQ09|01& zd)+nm{p*vvdjlBvySM+-AN{W`;eWEa|GggpZGQh3iR*vZwg0^f|6kUw|H(A|Pixoz xAg=#W|Nk#mJdEdscPjUP+&2IJBE3&Sw*U#OfS4TPcD|F_2U+E}<