From 14ae5eac1a4d7ff09191b76a4cd459092d633cb4 Mon Sep 17 00:00:00 2001
From: Ryan Horiguchi
Date: Mon, 25 Nov 2024 19:18:32 +0100
Subject: [PATCH] WIP
---
 .../devices/headless/router/default.nix | 13 +++
 .../devices/headless/router/librenms.nix | 95 ++++++++++++++++++
 modules/default/librenms.nix | 19 ++++
 secrets.nix | Bin 4808 -> 4857 bytes
 4 files changed, 127 insertions(+)
 create mode 100644 configuration/devices/headless/router/librenms.nix
 create mode 100644 modules/default/librenms.nix
diff --git a/configuration/devices/headless/router/default.nix b/configuration/devices/headless/router/default.nix
index 1ff4649d..7632be1c 100644
--- a/configuration/devices/headless/router/default.nix
+++ b/configuration/devices/headless/router/default.nix
@@ -6,6 +6,7 @@ in {
 ./adguardhome.nix
 ./firewall.nix
+ ./librenms.nix
 ./routing.nix
 ./web-proxy.nix
@@ -35,5 +36,17 @@ in {
 username = secrets.infomaniak.username;
 password = secrets.infomaniak.password;
 };
+
+ snmpd = {
+ enable = true;
+
+ listenAddress = "127.0.0.1";
+ configText = ''
+ rocommunity public
+
+ sysLocation Cabinet
+ sysContact ${config.security.acme.defaults.email}
+ '';
+ };
 };
 }
diff --git a/configuration/devices/headless/router/librenms.nix b/configuration/devices/headless/router/librenms.nix
new file mode 100644
index 00000000..1c99c5ee
--- /dev/null
+++ b/configuration/devices/headless/router/librenms.nix
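Review bot: In the `snmpd` block added to `configuration/devices/headless/router/default.nix`, `rocommunity public` uses the well-known default community string with no source restriction, so read access is limited only by `listenAddress = "127.0.0.1"`. Any local process on the router can then read the SNMP tree, and the agent would answer anyone who can reach it if the listen address is ever widened. Restricting the directive itself, `rocommunity public 127.0.0.1`, keeps the agent loopback-only even then, and a non-default community string would be better still. A comment above `listenAddress` such as `# loopback only: polled by the local LibreNMS instance` would record that the binding is deliberate.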
@@ -0,0 +1,95 @@
+{ pkgs, config, lib, secrets, ... }:
+let defaultUser = "admin";
+in {
+ services = {
+ infomaniak = {
+ enable = true;
+
+ username = secrets.infomaniak.username;
+ password = secrets.infomaniak.password;
+ hostnames = [ "librenms.00a.ch" ];
+ };
+
+ # workaround for the nginx attributes since lib.mkMerge fails
+ nginx.virtualHosts."${config.services.librenms.hostname}".locations."/" = {
+ basicAuth = secrets.nginx.basicAuth."librenms.00a.ch";
+
+ extraConfig = ''
+ fastcgi_param REMOTE_USER ${defaultUser};
+
+ satisfy any;
+
+ allow 192.168.1.0/24;
+ deny all;
+ '';
+ };
+
+ # TODO vlan are not shown for router
+ # TODO ip table is empty for router
+ # TODO arp table is empty for router
+ librenms = {
+ enable = true;
+
+ hostname = "librenms.00a.ch";
+
+ settings = {
+ auth_mechanism = "http-auth";
+
+ autodiscovery.nets-exclude = [ ];
+ nets = [ "127.0.0.1" "192.168.1.0/24" ];
+
+ discovery_modules.discovery-arp = true;
+ };
+
+ database = {
+ createLocally = true;
+ socket = "/run/mysqld/mysqld.sock";
+ };
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+
+ systemd.services.librenms-add-admin-user = {
+ after = [ "librenms-setup.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ User = config.services.librenms.user;
+ Group = config.services.librenms.group;
+ };
+
+ script = let
+ pkg = builtins.head (builtins.filter (pkg: pkg.name == "lnms") config.environment.systemPackages);
+ lnms = "${pkg}/bin/lnms";
+ in ''
+ ${lnms} db:seed --force
+
+ ${lnms} user:add ${
+ lib.concatStringsSep " " [
+ ''--email "${config.security.acme.defaults.email}"''
+ ''--password "$(${pkgs.openssl}/bin/openssl rand --hex 16)"''
+ "--role admin"
+ "--no-interaction"
+ ]
+ } ${defaultUser} || true
+
+ echo "${
+ lib.concatStringsSep " " [
+ "UPDATE ${config.services.librenms.database.database}.users"
+ "SET auth_type = '${config.services.librenms.settings.auth_mechanism}'"
+ "WHERE username = '${defaultUser}'"
+ ]
+ };" | ${pkgs.mariadb}/bin/mysql --socket='${config.services.librenms.database.socket}' || true
+ '';
+ };
+
+ services.cron.systemCronJobs = [
+ "27 * * * * ${config.services.librenms.user} ${pkgs.python3}/bin/python /${config.services.librenms.package}/snmp-scan.py >> /dev/null 2>&1"
+ ];
+}
diff --git a/modules/default/librenms.nix b/modules/default/librenms.nix
new file mode 100644
index 00000000..6d722ac3
--- /dev/null
+++ b/modules/default/librenms.nix
@@ -0,0 +1,19 @@
+# TODO remove when merged https://nixpk.gs/pr-tracker.html?pr=359182
+
+{ modulesPath, ... }:
+let
+ src = let
+ owner = "NixOS";
+ repo = "nixpkgs";
+ rev = "cf4d89e473867d68587cfe098e0725194eddf149";
+ sha256 = "sha256:0an0xa61wpgympk391kyn6pdmx4jnbiyapcr193kc9qk9r3x3iaz";
+ in builtins.fetchTarball {
+ name = "nixpkgs";
+ url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
+ inherit sha256;
+ };
+in {
+ disabledModules = [ "${modulesPath}/services/monitoring/librenms.nix" ];
+
+ imports = [ "${src}/nixos/modules/services/monitoring/librenms.nix" ];
+}
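Review bot: In the `locations."/"` override of `configuration/devices/headless/router/librenms.nix`, `satisfy any` with `allow 192.168.1.0/24` and the constant `fastcgi_param REMOTE_USER ${defaultUser};` reads as giving every host on the LAN the LibreNMS `admin` identity without credentials under `auth_mechanism = "http-auth"`, and it maps any basic-auth user to `admin` as well. If password-less LAN admin is not intended, use `satisfy all;` and pass the authenticated name with `fastcgi_param REMOTE_USER $remote_user;`; if it is intended, a comment above `extraConfig` should say so. Whether these directives also cover the PHP location defined by the upstream module is not visible from this hunk and is worth confirming. `basicAuth` takes the credentials from `secrets` at evaluation time, which NixOS documents as storing them in plain text in the Nix store; `basicAuthFile` pointing at a file provisioned at runtime avoids that. In the `librenms-add-admin-user` script both `|| true` suffixes hide a failed `user:add` or `UPDATE`, so the unit reports success even when the account was not created or switched to http-auth.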
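Review bot: Nothing in `modules/default/librenms.nix` ties the pinned `rev` to the pull request named in the TODO, so a later reader cannot tell which state of PR 359182 the module was taken from or check that the commit belongs to it. Pinning by commit and `sha256` is the right shape for the fetch; I would add a comment next to `rev` such as `# head of nixpkgs PR 359182 on <date placeholder>`. The imported module is presumably evaluated against this system's own `pkgs` rather than the pinned tree's, so a second comment noting that it may expect packages or options newer than the system nixpkgs would help whoever later removes the override.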
diff --git a/secrets.nix b/secrets.nix index 20939d6ccb4d105fd12f101a8b5a315ecf6249f8..c12327c767c159b88300967ceaa914e03ee4553a 100755 GIT binary patch literal 4857 zcmVGxaDz=@QfI*LwzGC`*uIDLBORdlBNuv4S^ z1SP0B4;13H(Vfb(w4hBMmFI!r6Gd`L+={w3D55!?lqtutaXkM9o|_>vN4!Fe_bTR0 z%&IO4KbboRxWFwip`56~kw}Kw72K+Pn^hg-Fjq4WT$g_Vx21?sbX-;wE0KgaD~b z_vOUNhiBLwOkc~|f=vGJzu|(8gN`u(9;p|V7F_i4v9%aZAtr{iV8jGR&kl&)Xb^({ zF7h zkP^fJ8Q3-unEqd1XE$+}hSSK@Y^uPyO~y29wXoJ#Rms%FE+R1ABSrRV(sQNqOtJQA zP>eD>Pk5}5h#{DwVH0^DjMU_rvuVH?kM!I&R>$ssA=7Bnugq(|1{a346 z!DUMrSD~JO6jNfXEr5@s4!dypT#LjPk(520QbD>82qx<+k94Q>sPN2c1r4&d33Wo^ zF_R9jmn2ux0$(+Y#cTYr(zSo2rBi&1&efmYPq=pVB!w44<=&MrcfGEi*4$QTs zYai)?p-kJ^)&ugF2T^FsZqLR#i%-$Kwp7XV+A@N|+vr=4+0_NX%H(~IN1OM*K2LEI zcyHW73w))|QCyfNe`#kY3zYFSmho{TI05+e91XU@FM#n05sa&6ZCoiyAdX_jFMY53H2;^-&;l ze;~cqy>zqp#obgdf6PH-W2#iU@S zSv^L)={bLnzeV*V~I!fv1pfh(->-(@yicb&cra6_rN0nW{Ms_cjOn z40X;m_Dt)z@@N(0PF4{aWOh(Xo1=7y51eG)lgBz5X4|B}jp;e~sV>x&Jm=ydfTozQ z7p=*QZQbY0(yL;Odnyw5UXq1C;{S{R<{sCiBmC0 zWL=#Uk;@lph&IXvhH8d5e(o7yw9>xSH~oi@<8NoYSDD4L#_NVOhE2*vp-bLIE-xd$o=;Cv@cbj;aHW4uO|DQ|UsvaCyRVlV?kY%R0-%YkK0fIK35bt;Yoh3Y$heEml*(R@-7RLORrF%K7oW z&t``gB1~!4>b585_BAsk!lgyeEo+bM{jibu!P$L!DBUy0%|BTFImr9C7bHW5_L+!( z#-olBTzoA1noA;YX~auO5Ns?fdt8=s)iS2GV3kSO)olH4kzb149fEhxJg}sC9B(Z- zp`DlB2(F(5_KfH|$jTzXC)sl^4zCnQ`@4}!w%Keil>S8mrwyOyV_ar5;C|3+=*SS- zUcNT;@?GdEC{_)N##J;nNndhvd}lrYJcKk}Uq~mw$4B#AcM50>#%JE5lcPMmG!Wvt zze?>>Ku_An#yw}_L4Sq0Oc&UYnB5D{BUa3LAN;2k1K`P!;J`R}RR>{MAg(mlC;Oa1 zk2`KQhA701?7P&Crw^YsytuS!?o4@0S|W1jJh*Xpfc(dH=cnL<7qBgBTHBFUUTgdb z%v>9FLzXZ?iQd8_F2-$9AEk*n42rV0re2ndD`y_ULtpPc8d$ZD-5m#Bb)9oXH7Pv? 
zfX`F*r%P}ZYu*MQ@xnsD0FI*^lF8iu8x;(dg|_n)Aap|DP*d>RQ^4rlEKIzLZ9KXOUCEc-b{euT*0B9dAk61h;R)l6OqMlo*BL}GGUtIFqLakK zUQUDYy4&J^{Z)S*ub}HHyH;(MFJevYs+ik{~Bgm(S)x+o{r^ympQdSVMBH0 zt$R|`zh?(6r^=@h$W#s_PPke@DKAijSCh|E${ieCSdqfhW-c9A4`JXWO0y4xQl0ku zNkw}A%BV|GjNiiyp1A8x;NhHr1tpo}oCN}#vKNXCTPyyyCv zUdJh`ghLTw5Ck)W2J~wg=-YkuNTN95xrEf`R>N_xk*{6&uXrwJy8bESSa|!ukqqdEuUl3W zM{0S|#aIkC->iqrZ*6Vu+r&;u%cb`tW9DYH&{MghRZwceYKBrX#51Ir5ia)edxWTo zwY&vVIGz7VO~HuE03mm!v%5T*wE=X$R618RbrQ^(O~QKd47y1Pii%X`5znWq`O^@* zj4f4UFiGcP=&+W0)ovgdTuVEgFSBPqqKF!6YC_HDz75rm(Gw<6r4u}ydX`JUYNcB~ z|2_Duyn*hZ`vh>-OVD@Q1d!_==?M$VMCBtYZL<0v*ij@3l$>B=K+X-P^d@yK+{4{F z6q!aMU!1V~4;czRn)XoKFOGGxXprmY78*!O=Lu0S5n8l)OYo^^B3!QJ5dgTG@4d(o zyP~vF(d(Lw(B6H|r3kU9Yvodji^wSLpaNg$0M4FX>P<>)`$1xBJ)D-!bq=lMlcSv&F36Yqf_eymN-iNa+k;qH7O z|8`A5oSpT70G0U~&3{_)ez*cH@l+NkCXC)p7>@VGqEGbG@l8&(g&46&n{^Z;Hj-}* zR}1al0Oj3ob+A$4{2pM`kL8Us9(o_)#kBa?)}orTH}33x9EPC z{|8Ki84M+9K3-KwkjI;?hlcP1-CZF+=^~aE;~_3smJGLtvrGKAO>xFr5?N zB|H$^(1!EfBRpk2VxD%GqaX0s6j6u`NNuNObb5{yvqikwhs3&xHZ0k2Y1-H=??nz0 zq2@3If8n)ZJ9%PDj6p3K!2!bXiagc#(J5gl>dJ7a#O6p5t-$*||7RRdVng#37M)@p zL9N`w69zn82@Bk+*5^snUSZ+JFf8S>c1rg*|CU8-!u$DENg@r?j-%2t%1}1e?P(}_ zT0NW+tOYoGIROu+1hZL|)@&_~B9Zw})1=93^+5mGFow}55I`duRRZ_L8`qKnkY)^7 zRqVOLgF+@DM0P*Lhjw96t)tk?anbe?n4_RILZc_VXCPlp5wK#93TGpyMqT%Ots_bPr^M~oCexl3oP=`oGybGQP*He89`Ujf>cyN;G zd-LW=335KFz2H7B@xX6rpZEpzbLj?Or(YsObU9YFsksGj_=7d#P25r9+Fa!pSg5M0kniFWVt;P3O*rBT6v@DU3{@YK zCx_CoE8l{EqP7>=%N8W;l&SlsUT)Jo2JiWE3NK4x>oSfMb4s(%4dPth6*l zZ1A+yrtquC%=i$J&`d9Peuc4(tXUe_qT`4)f2aVv79o1wn&^|z)-VMf$)p2MDcguoD8rY~P|L_IHzOxWck#&^j6e8zSS-Ut{SASX| zf!p0a-!CqNB4IcJOMUyn6!#?taOrrFNvFBt^B=qV&pTD3JaIS7ws=En_a&32u-P># zy34;^gu!I@h+>%Xf1?4un|7A_BwCP2Qho!w&P#DO5@!bBF3Nw1HE0%e-cuFN?%g{% zyGyO!Ns%b#SjS{9S#Su9r2|Unn4jiZ-EoS8OnANCeQ3CI+|H6^ zHTBr-8%dD2Eu%_j@I8vAy#-=$1i7&z#_jJ4B99j#W(BD|3)Aw#3MIyIp+i@A#=rU&j4McC$!xuC8HRubnzd5yt#VA_= zC1k;<`!iTNEVhw;_EBAULAf7!fbgYCvuC{)u=*Egt1Sk}M1lC-%$-1gLgd&y1zFz~ zGV6iHGn=bny5)4YuyYQQ#MlcEZrE(hNJ=ch`1lIeidXKefnz?8{cEB38~~ 
zC!G8_sW?D>oM=l%VGg0|!o)cmn87lD48w2=)}tJ>Emf)bCqQ!kk(1$*uQSkgCcvCwBlfw3@d(E=Zc0PXo^XrK^9tSY>D5)5@gTTJ}%ORHw z3Btdsw|Mk0AVu8LzA9*UAzuio$Vl|Q1vatT?a@At7BlMPYE(bp-FpIKrC`6@iEA@Y z2)R70(ci&Kox`a3`?G}LPKU1eEMImj>D-FHwy7xSq2*RQT<)f3@V!M5tu}^-bmP8z z$#Ru_Wf+V^=*o$KSH5=AeoaxQW*8D!pApwFDaAaf5J|Zd2m!W8=HgxoWyw1D?_^*b zi&ZY^`9>-udE?2$aiQ(5n5Y!4KUbd-1DfIk0B%Xeq9+(tY9iR>l$VW+Sma*N$qcEo-?bS2nxD+Mcss6ltZoeP0M9&l zFhlBN`n`)TRDdEJL0ZI{2Yvr{=;t5;45w0_;iIHt!k;4hjUj%T$?lUGeb z6eN9Tyo6SHh3mo7O6a4AuWaGN=X`IEdgHNV7xfZX3c)aS5}h^Z0)c2YvHa(qr zPt86hUzWN(myp`bzdhZD{oyMEaLv#Ycas$lPZx|rf-D+q@8#4aLQsQ$1Ogm=$9RU! z-w7~rssJ?cOcU}7*napo;HB_DG-R9qI7?~Jq1?eXnUpgCRPXH!S0_^K%zil=^cn>$ zw{lLiYJ+fKGr>D4J|y?_V94dB+m=>Zq&P;2l~J#pHiyWrRX6GB%O& zryJ407>Q3))p4^rO9;x&`_;cM65Q|^S^sn?-nE9E-9Gx~{ zf-|OdgN+<6T?-7-JS~xMIjmZMuU^7qZ6H(ycjoGLOSwGt4N6~{#R)JPO)g&6nI8ed zJ0Wg-1)c@I;O`>szxONQO`DTi4Lj9v?)$pFmhH==J*2Jw)Y!k``>HWKap!ud4gM!N z0}dwwxk52O1CF}h!Z}NHq_!5!_iGO>ovBqWr)(va7j0GCW@r0hK2*wpQ>bim2`t%M znbB(n@jR4z5ZyxFv*FTN#~$z3(`_mNr(d|WtQ9*tvA!Ik^x$T?;etk2KiJ za4*7+TP9vsQ|+?AI_?8cL7bA{{$D7Rr&a(Fp8WlK?@-!fBEG&2seXE`reNxyI5i_! 
z06s4yU5|F#*!K(R{ojIBVLZs%7v4OqD@=TB=Vk!;QQa2~A52m#j!_umEl;jv;=Sy3 zn_?Rxn*JxrnE3~?3CD{Mh&>$=BE#{FJ*_*ofXeKD)OLiK`#* zWYqkiEwX(h=gFj=NB%=Z^V=Xl2bo~@Jpb;RJxEL5rvHbtxcyBeDI*&-MTHgw(da>V zqCD^E-V}&r(#;goXB0BxhCaQ z;u`%g8wu8`UxhLm-A-cPmAo=7V$MXM2UDo&IWWW{p8sGxh6E6mOE4@@teGZe;a?t4 z_m@eQmL=4yby-9>?8LMh%J?}9jlVbfaeW?;X=4&?+@cxR|4f|D;YPdCaIAt#n@kI> z5JCw{Kf8cQ_6qFD6<8{* z02p1yE7d&*W)818DO5T@STUhs?qrg*wTk^6Z{=NkyRRw%=Tn!f`C>X-SiPHVtgv$B z`hyJ4y8{HjuL9`isFss$*lRS&Cp)-EGjjaU%R%MpR&-D|@%0X1Ay*e3WmvwGRDiJi z$l64-{6ocQiBj0{W1q~5DBO5P>{E^WG}kS}`?i2DyGZFxs4aSD)pwwxjK*3Z8onKs z^bae3Uh>fc ziHD(uCi%J4G9T>G z)Bz1&fA!&GH4Axy8>K{b!8JocKS?rd3g)_Sr@uXamkMufn)sTpPDK1RWyo;c zUC5H(r|ZN0m=dj}L&HBq_ZUE8MsJwQ#eg|k)^Jv3 z#~u4bpc={|2cA?SdCuWlZ?^6~*nWe25VzdXKA2&aXoWVUL@tETg5; z-?}ZG2z(L-H=Gr0xZiReLA9+gQ=tlDVYJjS2cl`e=wRHS*y+npoU?-SC9ZO_OMu5q za=}0+2V6n|aZhShZJQ|0q{x8hU(cqKc;E<=ExN7FDr2K|=i+=$QkW+^B+!5 z=L;5BgQG=WiU6B+2sbRV9n?+i{If%-5B?>lA)lJCZOT!y`i0i+ap-CkO+UZr*P91( z8E{KTv0M?8EC~No!XUtUG}LZWiW2x2I~i4i6Z|OO(Jt}tJy2u7e2j|qmS+Q_z*od< z$7jNC3aV2(k=NI|-p=5tP7S<_iSX-rxtn(i1^0GwJ)xDgVvsj2vy>)8Hv}?(AeM1+ zfh&cCDWzf?%!B~AV33B*dw95u%;Ea7Jf5!rt@KeKzm2+`!1|JOrO@s;Ld*a_rAMNg zF1l-<%fXr`^$Pm&xEYqH(Ozdx`P z|Nkh9p)&Ftlr~pR-l#1mhC(#gS3A%>gdrV>z+?>jN9Hp2brp^IXXNZ@9|(ZQh1vHo z!3pI$+qL<__$CuCdoB95GqPXzT7!t`gx!!(GfOK_`Hn~+@pj0#S?)?v&G~>n&;xj| zT}sG%FWt0P@x(Cot=Y+#VQavEmv`yf=)|&vCf2EkcQ=h+w`l(nFIj;6ArT{Y2Ltv8 z4+wI05)%|=Bo2V>@E`+TL8+e@>&c~ZUJke)c|N!&1Gd9gjw4nFaTM8S4q1KV1MfEv z!m{TcX$f)w&F`%X`gMx=#-b@GCBq`j=vWJx^zG=s+EK-@z z^hO>&2hk*6Ld?0otR21bc*7rxRFckk8Vwep46TceXJ$;QTHYo5wQdbh%wFXvh>gNT z-{<*?WV_#n){ER0+Qq`GZ`v?Pzo6O@hdT8fOm^*Skx92j>LZCQ*=nm-CYLzQM@`=m-D;(;x5L~W!`Z{o8ssFE>C&eY&eO_~K!?34@*Zinr*I6sQ z!P0xWBdIHimKOBJvi>1+5mNdQI3P2H7GGf81>hi~)5oX~7MrczN8fs#wlNt~%Yb5_ z_C*awQD{v54A`0XK9@$t=O1?w6rWaTtAPJ6JZ&MOWx;4+(M8_Cna+6gA{HjKpV{0S zC#l_ymaB+j$p1_vEj~3~8<5D96Yr+|OKAA^NL4K;|B>ef?TceUfmJ>Z?)?{QLI1Rr zp)yW$Ala1T<+K{iw_Oh+>lH#U=UG_amBV(qoAM!uiB{|e5H+U^M_fXJv5igJSbTpZ 
z;?jmE=CjGGBuGspbAQdNbXIzBb^-ctfiOEmfV1E(JWT_peZ$2`^tStS%@WrAb9i5@} zksV^d&cNEkq9~N!=@@AYCAQv8M^EwfNB5<&U2_47`3?zQg$8j?=(}yrjxWUjU10sT z$A$MZ_S9n~Dm+?h-?^3THD9vW|7U5GNB0Nkz*>2b=C3l(g3)5R#oDGY?C9Z5{T=f=w>UoLl-w$ixp>1bA%x#Hle$Ry^~c33w_EY^FaB4p5^$p#ej< z4=qvjPi-hkCf>=fRxlAH&#IM=qH+=$?3T*LS3efx5Hf1d*$B5jB(~M-P1?a7&b(oS z(RmZ3JgAK4dkDg1`$g^AM-+H9+jcShRiHFzT$uYR+-x42J02jeDPC#V8!AHwHJiG_ z5Grz5xdXS_iv|R2wC-}p{9Ql`ww1gQqr;L8u%C^3*bj%rtrkvt=Mhisde%Sj(Gdx5 zk0QS?V1D2Yb&V7;F>zud(C-i;asNvPF1ck84?teEXqV`l#H7s-aw@7y3AKOtGlt*2 zOxrH14Stb!^0n%hmY@gwj#pE^zz*?L+WSYnEl1JY6~vS_8b?;NTZNgT7@E1BfdVS1 z%j7k5(*Em5F`-Xgq&)>|<^xjBT=$*~vz)Ky>G8pP1eSA72rqM2FltTgb{_jO($}}% z2s+V~%zWNXphE(AHG_u7ukCGc$ae^`&XqcOypbXjU;fHPVj$dErKQ#xR`o|`WI)6L zf;^DnoL(vx!xJ|Cu}Cp@&kAa%5>XxFs9kY(xCC8HDl~6121WX^>SKAg`ge3S=+;V# z102Gvkbw9ittM)C7Wk;Ic!2Sbf;4z!R1GQ|Hk6I{*<9+0*%}}nbqb#y$)j%;o>k+b zzEwi_`sB?oG-jh(do?^YRqeb7GddM$!mM?GtvPn@6NLBXwhZb=fb|`e*z>ReRoL@= zy=TTAAdOEBzL>mZ{--fI;hcueG{{G1$?k?5SMHpph1)KwK?1=g`$R73Qse)$>lF{V z>Vh%>^v1WE3GND5%lrAbN&PRh)&ybjrJsl6BAB#Il&ZBXJhvRU$+~E-GmPnvM!Jp7M?^ irbqXf3ppH^>WwUGP#sI64Beoln8!XJbEwI^)X6ed$X$m3