From 7c48e51320aa516b8eeee3f58f2395e467b254d2 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 27 Aug 2023 01:17:11 +0200
Subject: [PATCH] feat: use kanidm secret provisioning
---
 README.md | 92 ------------------
 hosts/sentinel/oauth2.nix | 26 ++++-
 .../sentinel/secrets/oauth2-cookie-secret.age | 10 ++
 .../sentinel/secrets/oauth2-proxy-secret.age | Bin 561 -> 0 bytes
 hosts/ward/microvms/forgejo.nix | 7 ++
 hosts/ward/microvms/grafana.nix | 10 +-
 hosts/ward/microvms/kanidm.nix | 82 ++++++++++++++--
 modules/repo/distributed-config.nix | 4 +-
 secrets/global.nix.age | Bin 770 -> 1264 bytes
 9 files changed, 126 insertions(+), 105 deletions(-)
 create mode 100644 hosts/sentinel/secrets/oauth2-cookie-secret.age
 delete mode 100644 hosts/sentinel/secrets/oauth2-proxy-secret.age
diff --git a/README.md b/README.md
index 6fa8f6f..e6e0616 100644
--- a/README.md
+++ b/README.md
@@ -125,95 +125,3 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ -keyout selfcert.key -out selfcert.crt -subj \ "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1" ``` - - - - - - -```nix -{ - services.kanidm.provision = { - persons.myuser = { - legalname = "Full Name"; - mail = "mail@example.com"; - groups = ["grafana-access" "grafana-server-admins"]; - }; - - groups.grafana-access = {}; - groups.grafana-server-admins = {}; - groups.grafana-admins = {}; - groups.grafana-editors = {}; - - systems.oauth2.grafana = { - displayName = "Grafana"; - originUrl = "https://grafana.${personalDomain}"; - basicSecretFile = pkgs.writeText "bs" "verygoodsecret"; - scopeMaps = { - grafana-access = ["openid" "email" "profile"]; - }; - supplementaryScopeMaps = { - grafana-server-admins = ["server_admin"]; - grafana-admins = ["admin"]; - grafana-editors = ["editor"]; - }; - }; - }; -} -``` - - - - -```bash -# Recover admin account -kanidmd recover-account admin -> FrEELN4tfyVbUAfhGeuUyZyaKk8cbpFufuDwyCPhY3xhb3X2 -# Login with recovered root account -kanidm login --name admin -# Generate new credentials for idm_admin account -kanidm service-account credential generate -D admin idm_admin -> Yk0W24SQGzkLp97DNxxExCcryDLvA7Q2dR0A7ZuaVQevLR6B -# Generate new oauth2 app for grafana -kanidm group create grafana-access -kanidm group create grafana-server-admins -kanidm group create grafana-admins -kanidm group create grafana-editors -kanidm system oauth2 create grafana "Grafana" https://grafana.${personalDomain} -kanidm system oauth2 update-scope-map grafana grafana-access openid email profile -kanidm system oauth2 update-sup-scope-map grafana grafana-server-admins server_admin -kanidm system oauth2 update-sup-scope-map grafana grafana-admins admin -kanidm system oauth2 update-sup-scope-map grafana grafana-editors editor -kanidm system oauth2 show-basic-secret grafana -# Generate new oauth2 app for proxied 
webapps -kanidm group create web-sentinel-access -kanidm group create web-sentinel-adguardhome-access -kanidm group create web-sentinel-influxdb-access -kanidm system oauth2 create web-sentinel "Web services" https://oauth2.${personalDomain} -kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid email -kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome -kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb -kanidm system oauth2 show-basic-secret web-sentinel -# Generate new oauth2 app for forgejo -kanidm group create forgejo-access -kanidm group create forgejo-admins -kanidm system oauth2 create forgejo "Forgejo" https://git.${personalDomain} -kanidm system oauth2 update-scope-map forgejo forgejo-access openid email profile -kanidm system oauth2 update-sup-scope-map forgejo forgejo-server-admins server_admin -kanidm system oauth2 update-sup-scope-map forgejo forgejo-admins admin -kanidm system oauth2 update-sup-scope-map forgejo forgejo-editors editor -kanidm system oauth2 show-basic-secret forgejo -# Add new user -kanidm login --name idm_admin -kanidm person create myuser "My User" -kanidm person update myuser --legalname "Full Name" --mail "myuser@example.com" -kanidm group add-members grafana-access myuser -kanidm group add-members grafana-server-admins myuser -kanidm group add-members web-sentinel-access myuser -kanidm group add-members web-sentinel-adguardhome-access myuser -kanidm group add-members web-sentinel-influxdb-access myuser -``` - - - - diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix index 6130b11..19ff6f2 100644 --- a/hosts/sentinel/oauth2.nix +++ b/hosts/sentinel/oauth2.nix @@ -2,6 +2,7 @@ lib, config, pkgs, + nodes, ... }: { meta.oauth2_proxy = { 
@@ -11,8 +12,27 @@ # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services") }; - age.secrets.oauth2-proxy-secret = { - rekeyFile = ./secrets/oauth2-proxy-secret.age; + age.secrets.oauth2-cookie-secret = { + rekeyFile = ./secrets/oauth2-cookie-secret.age; + mode = "440"; + group = "oauth2_proxy"; + }; + + # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET= + # so it can be used as an EnvironmentFile + age.secrets.oauth2-client-secret = { + generator.dependencies = [ + nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-web-sentinel + ]; + generator.script = { + lib, + decrypt, + deps, + ... + }: '' + echo -n "OAUTH2_PROXY_CLIENT_SECRET=" + ${decrypt} ${lib.escapeShellArg (lib.head deps).file} + ''; mode = "440"; group = "oauth2_proxy"; }; @@ -26,7 +46,7 @@ redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token"; validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo"; clientID = clientId; - keyFile = config.age.secrets.oauth2-proxy-secret.path; + keyFile = config.age.secrets.oauth2-cookie-secret.path; email.domains = ["*"]; extraConfig = { diff --git a/hosts/sentinel/secrets/oauth2-cookie-secret.age b/hosts/sentinel/secrets/oauth2-cookie-secret.age new file mode 100644 index 0000000..e2b0718 --- /dev/null +++ b/hosts/sentinel/secrets/oauth2-cookie-secret.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 KdpmgjrRS0ELGwUakn4bKF56nftZLenn3NB7PYgiNQE +52zchN0TRUP3/fdSTQ83aDi+0DZ07zxRRANNBe9i0IY +-> piv-p256 xqSe8Q An0xez98f0vVvi2E+pwwGzKOsI4HzQE7cJN59T8yl3n0 +vvX2Yqergv0XqNOV37Qs4YUbCEGQbIF5O9NxkRpy11Q +-> S_J0JSh-grease ] +5Wf2tYlp7iszD54QfYkV95WGpcQ3HEeGACA3Y97NTr7uzUck4OPuKJwEwgK6pman +AjB3lmIusWODZvwnuAL3fG/X4JEOJ2T21eBp5/Qfg/TsvHGH +--- qjh6E4UM8Yd5zl8gOaQQJLk2AH+vDh7dCEv0ig0rO2k +P]7\p(:'3E]Rw8/Z&Jz2I#Ko炝w qyW-/i)+ +fSF(Y_4Һ?j2l0# \ No newline at end of file 
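Review bot: In the `@@ -11,8 +12,27 @@` hunk the new `oauth2-client-secret` is rendered as an `OAUTH2_PROXY_CLIENT_SECRET=` environment file, but nothing in the visible hunks consumes its path: the `@@ -26,7 +46,7 @@` hunk only moves `keyFile` to `oauth2-cookie-secret.path`, so unless the client secret is wired in outside these hunks (the enclosing attribute set continues beyond both of them) the proxy would start without a client secret. As far as I recall `services.oauth2_proxy.keyFile` is loaded as a single EnvironmentFile expected to carry both `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET`, so the cookie file would need the `OAUTH2_PROXY_COOKIE_SECRET=` prefix too (its encrypted content cannot be checked here) and the client-secret file would have to be added as a second EnvironmentFile on the proxy's unit. I would state the consumer next to each secret, e.g. `# loaded via services.oauth2_proxy.keyFile; must be in OAUTH2_PROXY_COOKIE_SECRET=... form` on the cookie secret and a matching comment on the client secret. Separately, the generator script echoes the decrypted upstream value verbatim, so a trailing newline or shell-special characters in the kanidm-side secret land unquoted in the environment file; `printf 'OAUTH2_PROXY_CLIENT_SECRET=%s\n' "$(${decrypt} ${lib.escapeShellArg (lib.head deps).file})"` at least normalizes the trailing newline.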
diff --git a/hosts/sentinel/secrets/oauth2-proxy-secret.age b/hosts/sentinel/secrets/oauth2-proxy-secret.age deleted file mode 100644 index 8208406a9489a1fe5baa0f5b271f8ebb05760a83..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 561 zcmV-10?z$mXJsvAZewzJaCB*JZZ2VPijVUbW=uHL}^t}G*t>MJ|I>tXL4m>b7cy3QEGE;IXOd3IdnL4 zV`Fh^Xl-tHLsM@;a$#?Ab7oUeNm+McL`6hLFHd=8I8$muPFPcLRAo~!S5$FfW=%~B zQAKDkazig_WmZ=!R#0;>V^DHwQAbB`ZB%axEiEk|Y;!|!Rz+<>QZZs{QBGB5a#S{R zR%teRdRA?EGI?!kRADntVk=p4P*YV3e9MDoAZF6-ydLBXy|BDmD=1V{Xs}t`3LzG# z>(GM4U$V+}ZbI33X`3U@rws~LXvU)D_}-!)vaq{I52!3=ZrD6wtWSiK6#=sK%z_Q; z5QFaRWn&xY<4R*QfF>sYGXJzT1szrLQqC_ZEI;lV@hZ? zNP0nfcM5J+&Wb98rgW~W@C7BcTj9^N=$P~W^zI_baqEHb9YHZHcw(mVQ5lf zcy9_VJ|H@JIb%|KEoX9NVRK~)HB(c0W;RJeX=ihHQ*C8YVs$Y{a8p+}bXHblbW?Ix zG;2>pNnv*|MSpKuVs}DrRX9;gWm;ElV`w%tD^X>2bP8idGE;I-S4(7gHBUoFNN#Uv zPgOQScu!GrSVnI*RyZ?EdTt6WEiE8nS$T1FQf5aqGow3LueBO4e~O(GO_g_7K3+0&lSi7Cux!d&`uOMYgyq>GzMq; zT06i#e1A9ugLo4I-zHWiE+?BZGfWy1$mA#O9#OC|>tlgQK)46<$YRiTIWGEdp)xuV z_59r?!UkiWus9g{%~!&$+;msizZ7j;`XH>+oz{4Rp}SEu-c?>enwtmh7JNmVs2di3V%PN{FdNeaBT|ra* zSs>oev91eA2&fX3;Wj1QWutiQBxsAA`e`|3Y8$D?MFf~zWV&xqAdpE7vv1CH)%E5{ zx_{ecuC!Wn;;N<3A4x{Qv1<1Scv!cD(Rcvj%_4?n=sx2xn01uzBh3Uw6BgsaZws`K zkH>cKJ`^|dz5F9jxX*d$I_s>7R0Qe)4ZuwDVR&DnYS3fTGdy;)j=2;0vHG~REOS~G5%%h>WU+Dj6}vDpXnsVnI^P?gXTU)j8pvx1_5BDu(zPi#yy0Co}y ztu)Jt`CGvIge7q#)9i#K8>8S`LxUb)>aBzO&|HLi;7RD?F{}W~X-*fygDOuKM}K1= zKMNeb-NtoiJz9aWb1r---ohVP9XQbxhJdlQ#G~g}T0EXW!#Yd8XsSRw$(;jAR^9Bm z@j^f2byIV2@qF89RNY*}HBs4F%Srvyc22O&rc9%wo1Cs{BT-RfOiO<35Rx5cTJ@U`=m8N6#dYBV`YiZgPQO> zc~*K;Gzv{oOm28pWp`$0NpLn+adtH@H#9S7IaG2vFic``LwI9TRV#Q>WHfDaQ3@?S zAaH4REpRe5HXwL$Q)M_&AVD`_OlC}KaCT}@OLJOFO+{yPXn#sEFFANgdRk2}OG#*O zL@;MFGeuBVd29++RCIW3bXi$hb81a)Pf2TQbxUqmOF3jsbZ~b`Lr-{ma5-}~bV4sh zQAr9dJ|HYDXL4m>b7dedFj_GnFMDNGayK_LAR=5{NO5p&3QI~vWlcC!SW9m?T319= zYFTY=K}uOxX@5CsI8$yfNoZzcP**f?D_M4WFljP2P--hnT0(kKb6QzWWOQyfNoWdW zWlu&=S~qt=PE}GiHFGjiQb|~PYjYaST-_AY;bBTWK?WNX;yf5FK$J8V{<`a 
zLNp33EiE8YHg!!mD|uy1W;SkkZfa*RHd9kHGh}yhD}QiAH!(prZdNg2G;KFISyXch zD%ZrOYd}l!jXHR2`F85Mf1m#~)@-}Y-j*$O#j_w%qZ-5Ca5C4)YG)6116?(B?(e%V zf*#h3X?krAE5Wqm;`Me|bASCC97+ECkvziILCY$VS+hY#^)<`3yhUJqGZ>(=4)Hrx z8ASezzJG$E>>L&*nYaZj-({w_QE|EOk1QwbY4rm?>33_){e!f-$!8v#TeFI;^?)aE z)CpTtw^EhwR{7Zdz6xxuc;&hmj83c;Ei>toh^uG}pL+Dx!ocJnN6H6rh6X#GmuK#6 zaEURveSJQ%eypTGYfQFm8?&7*hM_F gYQhQgclVx>IN;9wwdR!hIa5Sdpo`C3JNX~3UhZ8ri~s-t