From 7c61ac80fa7b7dffabadc62c695f278f835bcb6e Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Thu, 23 Jan 2025 17:26:35 +0100
Subject: [PATCH] feat: enable cross VLAN mdns

---
 globals.nix                  |   4 ++
 hosts/ward/default.nix       |   1 +
 hosts/ward/mdns-repeater.nix |  78 +++++++++++++++++++++++++++++++++++
 hosts/ward/net.nix           |   2 +
 pkgs/default.nix             |   2 +
 pkgs/mdns-repeater.nix       |  30 ++++++++++++++
 secrets/global.nix.age       | Bin 3372 -> 3431 bytes
 7 files changed, 117 insertions(+)
 create mode 100644 hosts/ward/mdns-repeater.nix
 create mode 100644 pkgs/mdns-repeater.nix

diff --git a/globals.nix b/globals.nix
index 57e1b83..4dcd2d3 100644
--- a/globals.nix
+++ b/globals.nix
@@ -66,6 +66,10 @@ in
               id = 23;
               mac = globals.macs.scanner-ads-4300n;
             };
+            hosts.epsondc44f7 = {
+              id = 30;
+              mac = globals.macs.epsondc44f7;
+            };
             hosts.wallbox = {
               id = 40;
               mac = globals.macs.wallbox;
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 7cd7c60..09e5af2 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -20,6 +20,7 @@
     ./fs.nix
     ./net.nix
     ./kea.nix
+    ./mdns-repeater.nix
   ];
 
   topology.self.hardware.image = ../../topology/images/odroid-h3.png;
diff --git a/hosts/ward/mdns-repeater.nix b/hosts/ward/mdns-repeater.nix
new file mode 100644
index 0000000..365181c
--- /dev/null
+++ b/hosts/ward/mdns-repeater.nix
@@ -0,0 +1,78 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+let
+  interfaces = [
+    "me-services"
+    "me-devices"
+    "me-iot"
+    "wan"
+  ];
+  interfacesRegex = "(${lib.concatStringsSep "|" (interfaces ++ [ "me-home" ])})";
+  cfg = {
+    interfaces = interfacesRegex;
+    rules =
+      [
+        {
+          from = interfacesRegex;
+          to = "me-home";
+          allow_answers = ".*";
+        }
+      ]
+      ++ lib.forEach interfaces (to: {
+        from = "me-home";
+        inherit to;
+        allow_questions = ".*";
+      });
+  };
+in
+{
+  systemd.services.mdns-repeater = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    environment.RUST_LOG = "info";
+
+    serviceConfig = {
+      Restart = "on-failure";
+      ExecStart = "${lib.getExe pkgs.mdns-repeater} --config ${pkgs.writeText "config.json" (builtins.toJSON cfg)}";
+
+      # Hardening
+      DynamicUser = true;
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateUsers = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0027";
+    };
+  };
+}
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 96ff4bc..12b5d75 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -102,6 +102,7 @@
         gateway = [ globals.net.home-wan.hosts.fritzbox.ipv4 ];
         matchConfig.Name = "wan";
         networkConfig.IPv6PrivacyExtensions = "yes";
+        networkConfig.MulticastDNS = true;
         # dhcpV6Config.PrefixDelegationHint = "::/64";
         # FIXME: This should not be needed, but for some reason part of networkd
         # isn't seeing the RAs and not triggering DHCPv6. Even though some other
@@ -229,6 +230,7 @@
         to = [
           "vlan-services"
           "vlan-devices"
+          "vlan-iot"
         ];
         late = true;
         verdict = "accept";
diff --git a/pkgs/default.nix b/pkgs/default.nix
index d551c37..f354ade 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -23,6 +23,8 @@ _inputs: [
     firezone-server-web = prev.callPackage ./firezone-server-web/package.nix { };
     firezone-server-api = prev.callPackage ./firezone-server-api/package.nix { };
 
+    mdns-repeater = prev.callPackage ./mdns-repeater.nix { };
+
     formats = prev.formats // {
       ron = import ./ron.nix { inherit (prev) lib pkgs; };
     };
diff --git a/pkgs/mdns-repeater.nix b/pkgs/mdns-repeater.nix
new file mode 100644
index 0000000..07ed6c0
--- /dev/null
+++ b/pkgs/mdns-repeater.nix
@@ -0,0 +1,30 @@
+{
+  lib,
+  fetchFromGitHub,
+  rustPlatform,
+}:
+rustPlatform.buildRustPackage {
+  pname = "mdns-repeater";
+  version = "unstable-git";
+
+  src = fetchFromGitHub {
+    owner = "PatrickDaG";
+    repo = "mdns-repeater";
+    rev = "5178041edbd0382bdeac462223549e093b26fe12";
+    hash = "sha256-cIrHSzdzFqfArE2bqWPm+CULuQU/KajkRN+i0b+seD0=";
+  };
+
+  cargoHash = "sha256-00Vh2AVECtqvkmLZmyDCR43tUqKdN4j1B8GnnRiWAmU=";
+
+  meta = {
+    description = "mDNS packet relayer";
+    homepage = "https://github.com/PatrickDaG/mdns-repeater";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [
+      oddlama
+      patrickdag
+    ];
+    mainProgram = "mdns-repeater";
+    platforms = lib.platforms.linux;
+  };
+}
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index 65fa807334a076f77ab4f64848c5cf7cba0ef6ed..7571462ef267b513c56e1a5a470c838a966b7d71 100644
GIT binary patch
literal 3431
zcmV-t4Vdy_XJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVfXgE`HPk3c^V@pg;
zYdAD<b7NvKZFo~dMn_0BNlZp|bxJT&G*fOXLrn^9P<KyQSWI<MPGVz9F-=x_FGnz9
zOi?&7QEp^Ka7|-qa8gxeY&myuYIh1PJ|J*ub}eu+H8vo4aZ_bDQ6NDpK~qRKFGXTm
zbTLdXIWt35L{fE4QEFpxN@I3nQb<8)Fm`KMHE1|dMK}stX>&C)c5+rmMKm*1GC@^q
zF>o?xVK+5VXl+eYbYpXJIc-*PcQr+NV>k*eJ|HG=GBjf~DJ^GmWnpt=AU0@ZATUQx
zdm&a(ejq3#NMSx<B1a%QOD<g{3Sw<iRcmQ#c0q4>c1kcgX-#A}ba`YrFKT02D`GWi
za7R>bMM-%_Zc=(TbXY4vN=-*IcWQW1Z!$ShN<&y{3N0-yAVXSpFE(pMW;IAQV_7wK
zHgZpObW${UOlwLnW^X}BYFTV)YFbA&L{d|83j1Ri3Q_h3_s~`evT|d7<!*eKQD#fq
z9v~j_<ScYs?1C-~xF`qb4tCmi;~&VL@=|Q@R7dNT)NISyqHCWXzKRZug5@*7WYsy^
z!G88kF0^-%%k3qD7Z(jZ_V#$FT~TG82TTPzs##-({n&jN7@!-$Kl?Gn?Y1U1t}?`s
z=I@v*sEl<-5?RFWuO;b)%B~n+9#!q8Uxd|A3!*M2Jm5uCt>L5D5Qi;JLqE3|X6|~1
zU27s?0?}N2mE|7C6QJGP8Dv=+-Ov};fzeD6n8an%z8(gw$+$b}i7KwXZi%ruNC|~I
zi8<r|C+@_GF*g2Yl6Vps_JkrkxDpB-q2sH85C%K8Iq0}cp|d1#<?7^OX0-W~;-lg7
zV83%kBimNuq${_Ie8DWj7u-dOE!MhZsFsS>x4boP1Y4NDLbcVN$Qanfu?%V*))e`H
z&*;y}N32;Pr?9+ND+G4+BS*S%gejxcShMtwRMR9mf0fG1%<5r3CmwNHg?MMMS>9y+
zIxtfaF8#yPG05*PU|)}#5FOR(<Ynh(8x)ZH(WXCLyy35pRM%F5bjyBjYTzeUt08;h
z;-P~YXfW@j^oAG0nWus|$>k0-j)2Al%o%P<-psN&DxUu-F)<7iI4D1aL(+Kxb~{{2
z#0i@!jP${2^{_W->LKz^5p)T{o52=gZ=Z4-mw-VvMh^qISq@IdyHHw!Z7c^j8c8vT
zB6)ta;ls2W=u_k`B6`?%CI2LRFdX43H0xDXXElv*cDnIVNNI+G4Hit6mr$D6myHY#
z4I+cQy@%b;KKpgk+UX#+i?h7$euU|N!z2|*6+jDO3HxG_z03_h<g5gc>XoAgB^Pk3
zt-XkYs`K7hc>2XJ6=?_s5>NmYa{g%uL@rAbD_RfnnlPDBgGm;815h?`GOh>qx%nh_
z&QdD;sMg*~IryTU6*7U<j0%WcznF228TFd&i(S8fX?xRHLsu5UMr{zVYAu(Pgklw5
zliDb!<Bb~D7i6It1Cg2%Nb#3E4?A8P2OBHC#7_dhN~r`{YlMDu%Nr^m+r5uBz!5r1
zQ2j3nV*=8HuA6fxRjR|y`~E3LJw;FYk2jD-2WJX$3w8j&Fhno+je)g4!&ibDI_lJ~
zvAq%R3iDS=-lO5@mawYq`FUrKPK*Fxt8XKEplde{BXv>^j>FoJH6;Fh<_{kpN15!8
z(I?J@AvoGPV{6(w>l;7B^hib*fhAZJRs>Ib>{YLRByFM^N`NF7eeDc#4`(uC@;Muf
z%=K(x<B{;jyWLeA^8)n8>ra<mrKn_I_fAQ3d)EWPxE$1!n?@;KU*~+lK0==maiSvv
zZ!r$LnUllun7VVXb&fvw=jX(dyCp?<dI>2&@Bdwx_LuGVc@Aw(mwr}IZ9rsk3e%B`
zyFh#dZ~e96^4!~spQgL7FzmWvS|u&!u?4*&gzr&}FK_C@(f57CD+vp}DL$mez&G=@
zEeYJ-mIZ(a8crUWLoeFqN{vTpRShqS(r4QRW0TBWCk4yDP@`4a{pQ($q@>BY_2`Sg
zHt?W7wftQhH=<xe!OrUVe`4@^5vG<k4_l{6)ZT&cYMaq;%MH8CSmGc_LeFIY?HMQc
z)geqC0uGw^CL3Eq?+i;@GRlg{$xmp6)EVE4ZVrV5qfC7LNRez1n;~cCStZiPDb@A}
zqCNhawii3^U(03B1;5LU9<e5nA`>CtHnsm9#o-k({DSZ6NOPEvsk;%+X@jFwd)CCj
zcR-5C6ND`c%9Y_o`QQVv&YJY@2In+{Xcy5xuy0`Q_Bs>(bM<T)&t(SEn(olbmv8B>
z=FS{Yr$W1OC23WEs2I~LK&0Q)mUBv#KOigtAdCfOCBik^++38K4*nzJ!bRf}I`V}O
zV>=O8b^s<nw}at;Pp|~lVEf}}FWAr>{1$ZxMcaIX_=<rrm|RdZM^J!wF|#a?s-*$j
zK$)v`b$Jp0U(27eeqS~f<?Q6<uV2CKlpwP{2fLIY^B;N_#@#d7FP6zAUJ&7KuVGN^
zcG(Wot<1)|KqJxtvE(=_1I`Qg*1ReQCClSn=#{Ift-!l~*KP1uY*UcJpKd~mtbGm9
zps=|YBY{l>jrWO){q{5uf=ev9Y2JMI^@Q27Xzv?Lc;SYF`+NJoT?8dya#OuPUGc(!
zm3VWVr}`wxEZ0Rd@#3G1%RP-#{@4u5fo|+Yh^Tj*?U9Fi*g&iZh_tCTt9@^%)93c4
zpavL869ii-F}d5%@*t;6jGXMYLRxXcU_=3VJmfX*cRK2q7fyGT>058{zE>Iann+k~
z^x}4KXkiS^9d_LwUJPyvE=M)XTR|$&LbBHyb&KOi5=Hpi7{)t7Y&OXJjUzt~Pr>Gr
z3hOOoNywQ`0R%fXXQf~qv>%e&>vtfq0=biN<b=6>6KMMGSD&eGUa#|4VoFH;qVI{i
zSaq)9sM2=_WCGR6?=%*4oTW4ZQKjSDobqYvkc%304&b*pV?7SI$-1C%zuw>zxmgqA
zg~Yq?y_du;ZRDipILW~*O&$(>WJW8bUS7sO&Z!9@f1B`Rt<Kvgv*=X0P#AF^ks3xU
zh&Yk|OYdW7i*0K*?W|a{#JLdz3(Q9CGIsrhJBf|=%2o54(FcPr20zdSz_7_0Tz`jN
zf*y*n!BKgMsVfX=^m5WYr$;I?s{&kNxmM6T<7xD3_4Z|ezXh@6bxSNhGbw*8%sJKT
zlC-<qUsK)Iqp!hQEq89*uM_E-r}1<_Xezmgi-0!rL{(;+hJi-TJcb5J{r>GIDxNB@
zh$9tYZLZ}+@?70`;3zTs%2-jATGGeK56ph|4~fr9`h7(rpwjkcR`is&U(+Vn-+Xgj
z8;QcB5s3{A1ygf=u0@|Nf!i!T2_&8AZ5uKrFz<bwGE9=+3XOU-Low-Awc3hUK(6aN
zB*>XccpL|^X49cfmFU0nCW021X%I~SY>UZh(}8V9xCY<I6s*~Y@=|g%z&<{JQas+<
zyGKt-78!JVl>ux;9krb-pVpX)1AKJdzPm)S2}eJ7d~h}+z|4SJr&dA9rFA5Dgm;qp
zJ+OF-($&rMaDcBCg1>Mb(=>&HmC>@oFqjj{hs9D7++F`{$dZD_#IC!qbB<SCloM57
zSu5K?6aGO&KTX;DK2*3aNcok>lgI7e>lTNLPmG7_rX9is)#t<l+1>7DZOEH30NM0#
zH~V^q%Q$9a`BJ6NpklDa&c?GbKDq@3PYYeiUY9RxRf{p6Orj%ypiqCEST8_!%Z7_t
zCRP+Gy*Q-i@EgnxqG;qhDN%X+88&-%JDDnl=1cNIG203n{W-mMDqsp@HQZkN-K>2K
zt<;H;mSj#2d3S;Lw#m!vnCy2kh&spx5waH-OH%g+e{u?IhRmg_@d8v`D7#j(UXvO#
zWJfe+Y3p+*&E<yvyK(}B*UqZf3Bb>U&<igyBN0kL!R+}vS?<YNv`egxSh5E!SgLGR
zwm9fpd=MW{zwAGjFtXe&vaKqv=Qq_XOUhp07#YWrtGmuXp9vWDSaI4c`B1tjr|iEJ
zgK+`p$b7}uy~GICn*uM)Vx9<sQSR<^!96S{E$6$f&}b<_^^3L&<DM~kA^hnJ#C)<o
zIYCPC<fcMeh%s>dFYX=NNvX?^(!L0dHPb54+sYQ<M8oL<M!>-fT$g$|lIW)$VeaBl
zY_cxhg|_R_7@A4O584Zt*U5L+q<gY!z(9W4MQ4<ks46=0FWH7sT^bTS{NZhx5FVwM
z3v;=j-O3OftmJCbEl2bvf+REF=a2ESS{u-_UXR>FW;ZE!q*S)B0(a#kbyTiFGwJhw
zq54r$jA)Qzpc^AhWh2M6qRUJ(`*|oEV(R%~waZ{O8Oaxv(PO{RUfWFx@#tXPuOWu9
z_qeA=k(+W4xU^TuINfX_J7aO<^WS&gUvcwg0cukL-*wqNQ{M>C9>EPLALij76y%6z
zI^6FLqW~sFMvC%;_#*(B&#k8^APM-)g;tFXttkT8Z)HH`aN*ATlEbcEGa~1(Shzs0
JV>(mIZ!om~S;+tZ

literal 3372
zcmV+{4b$>rXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zV?R%~=mNoq(!RCzIF
zY)W}SX+|$dOK(_7O?hZ;c};UpG)!tmO;SNkYfTDxR!cKQSwv@HL}h3>V`pzTZDU1f
zOJ-qHWOFiFPjXUFXjn5%Q#d&@P)!OgJ|J*ub}eu+H8vo4aZ_bDQ6NDubz*5vWJh6j
zICn)+SXxMGHB?nZZBB4xQ(9v+K{-t@PiIq5YF9IOdRhuZW@=DPHcm4|M{qATYi&hL
zIBje>L}X}VWNlhULP|$OdUrTwP)%1!LrDrPJ|HM$S#@eKKrLr-Wnpt=AW%s|UsQ1*
zNq%K^Pd{NGQZyiBB?@9VctmPeVoPW+YB*$UT1hupV{lqZHcM`Ic|}=AQ%q-5b}(2;
zVKr!4azt=)STS@lYe5PvEiE8JZ9yw&Q*?J&cwuK)Sxz@NWK}SFOJQ$kcv)99Lr6<g
zcuh$-Z9#ZBW=RUN*ab-YwRhUZUqua_nq1=!Jaa3o`Mz6$Z(6}aW;d8i1m!4npRMr}
z-QTg@k180tB1LwC5M+a!2dr}}ewrpkADIkTBVg06;A!V>vpi>zAW@F!uYFG4^O0#k
ztC`BYe-uE6((vUdMj&-f3!U}9@l6eT&b-jy@3PdmMhZl=s@+UiDn4x-IcNX90+pK^
zY6oRgx?mx5YE~2ycvabN1kp{IY-O~fX|zY%SJX~<Ne-r&pOYHrTPmR-fzU`T!Ty)J
zl%jKd3kq=#gy%we)>ZOIz>+w=V#K;iMkeO($Mf=1QoFM3H=lns4m$7~YnmZF+Qo<{
z#kr=08+@)MP-m${nC=R*vrXsTM)}z~sUcRkn3rjt9sK2MQ(H2Ia-Zt8>X9XZgW{9L
z@U&}X4o4{M7Mh>&{fp1N_htzmy4NxoMsVLh1rqw7+f_rW7CjzLyV`zDF5#;B;Zyxv
zn+L#PGiha=I*1V!ZqsZf;vTZIuuEoG6}L8IQ4%L#TjM5n@Wl<e-h&vRxRKU&-Y&WB
zIU=d_->ctRi~jdMbgm@@qJrW)!jd1;;1E`(Jxl^tHV8OsdP??^_T}JxiZ;^A#Igdd
zm|a(Kt&7jRh0G741w~DRjAEZNdbG^G#qoIc>9w??T`NOjw=UwKWYT-D5#K^BJeY@(
zfRmrI_+NI7x@%CYF{vxY#IwasJWGUN6jr%JIfGL@!OZg6pAXj1Rs?h0!msrnjw7v$
z@&nlSI(2Xp<cb!h8-^FTE=FY82@Bc4bg2wq((bEn7<T&i=vLve!eLNJ#$e8atU6z~
zb0syHME_5z8WibCul(pqX6a_N732Z5O_LEUj?6NAy)+BK^eYb_ERVZFCH(_%?Zg-H
z6;y)+*GrF97xPR4Vt^cmfsx0rood(mYgMiiQqVC|a(Ia~0iQqvpZOapNf@F*7N@&W
zKiV&-$0hgJ=7>A<0h5f95DYK-cFYU(lrj<fO^~-AwD#U3ul>pa&QXUkDBuX6=t8(E
z{^Kvy;U2}7x*MVOUWDbPpMkP<ORXd--GlF(7D#m=C<|8+z>RymQjV_0-NfEr5b*Z~
z_B`ZP#?-_4`17${#lMIe=pBRDANVLQ_I)tQvmcQ9sP5u6@+-U21OpsMy$MH4n^l2^
z8@<rvWRAJWR8VLYH|eAmvjOE%iu6I=`8?W}5=WEUS@5eaHQHo_tNQ2~dwyP?<Gwh=
zhZk5pjBTOreOEySJY^lY;AkD&?<@>U`p8;F#w<$itC{&xh58k%eSI}&K=*eYvHRUw
z46>q4Qd2cSVf8;u52@)#(MSFrT~}j$#B$a%OyNTDpmJ^AOj(BIi}tA~lmCwx8k6op
zjp%lPsi>z&CvIEQNXhjt06fY*GV0CfgRxVD>(>2;0aeH#H>1!izp=ZuP6e0DQc!Xk
zSiviDB|Pegv@Nx{T4Sg7%o0w6l61viIbxyBMo*?l5%oLMX@;e-m#vuaqX%x?_fR>$
zvhg7~O@uqKk7-veUPtp=3c{3$wiJY@KZ44lAY3-W4TwYw{WE;{1vx`SY=x35SyXM3
z?l6MWEHB`ddRnG5NUyLrL)QrUdrmj^uD{x@LasEt!|o{*bPCXr?1BB}7Bpmm*~5gz
zgzmHsL;>aA1Hfx!-2@-U;;~zI^|D)7bygWZ0!y$Qg0Gvr+PRC?cUtbwn?WR}AgT(C
z{ENxv0U1~(T{M}@G;*0|Y~}_`T%v-!&?ye;!45?Vpg2-d^K97Z4^~#=Qk3DB1bR+>
zMTOa<_mlT}^Q$pn?`4mU-~28j+WM^IoGAG&Jysk`lQ!5Pl4m=flWnEGzeEt$&12?!
zxXf@N=KHM+sxXg$HAWzrz@LakCzAz0JDM7Jah?%FIA*@xq9o?ixGxatuXMX3m2r1h
zX^mUE6|##Rwsty8pQZ<5iJ~!@BQAIeqzzZ4+L$?Wc%a#s&CoJn#D8eSD)~t%;?-b6
zK3}4li6Dq(OdkvBagMMHFM3sTYqZP^eycjWS>vXKUJ!k=<1ye#AuVki?xEqtCh^+e
z?>NGk4|?iSoEG;CQGfo~rpf8wpHFrf(pkEa<MO?xOI4@^)+*<C?SzBUj|sn+V{Mdm
zKu^7mrxQ9^WAlJTAMi_-8<LH$WaV4UgRFg49@X?0W<R5@PJ}lLL&yBUjCnIr#E+NZ
zy&Euh#Nr!{Hw_veynBTF7@0@+TA+emhLQR434GnJOu<$Z7%fIs<VM$@emN*?-<re{
zcH+0lJIl#ZokDc)W1VEK#0HhtqP*^5eW7CajOJWbGFI}YM$^&Ghy8r7(5RLTX;~g{
z5UROhP0W??Ms4Vz%<e^Mkmj?>qni;$njl*5ejLMEKc{N>MAR8yh;;nV9*?o<(MS7+
zNUl&OPxS+?UiO*@Vq5@rrO9zjMA;ah6xWs5SDp5K<_~$Zp-J5c<A*^T?XH*SB1y_-
znYpjeI6stf;%qQb509<)R~y{0Ix)bwH!j2W4(of8Q4~-xSolmp??kTEWK0=1bs>C)
zihUzB;oG=3V6>ZdUokUi&BTONJQp2<1;L=%LM6$EK3A4uD|S{sZ0%0f6JncWPP7#<
z9b4NNwnj{zvsMFJTfk-JG*d^SsC1N~qVZ|vXCN*UI#$FX2$*Aj4(8q@wGJ_U7GAw3
zVvjoFD63LwdI5VEM21~)?OnUYuWlDolSvjbLYhIugJnEcZPS7qBlKl90RxN<=snhw
zSN=on4#Y(7WpP704Z8ghh40T;nVAS0AaIGgQlN!0XM+h+L964d{rd*j^V1D;H!-7K
zD_+J0YQ^&TRw#ZZ4-RL>dV(cDZ_{-b$j!zrJ9%Q~myAE6QBv+1Nl1}r{0Ujnof6F-
z=aYZ6X$kR_3VI=cnqSWS6npX)pMnzQ8*0G>jU_P0!Y1c0^%lAoF$Lm4%v*JMrrLex
zwNNwDn@%4!?Px|*6R4j>F@1$9NfLl-TnMPlW15K?oi<QaA|Y<sgYz^pQzwZ`gy{y~
zvAa7fa(d9n34KhFF{Ao6RkA!3|1|X2^G($W^VvD*aJaim{mlv{ue)kh&_1WPlJAp{
z?70)3+~psiJkNG1fpuHp{oLvBeZD5fp2UqM>|G03rbkiEs@8TD>oGSiC5Ijzm;z)e
zO(NTNe<3~~zhmYT(py^;u()Tvt1<ZFnaTSiK{@$>OY5qPuc#>t8@t7>>p%4jR@SZH
ztRPpcFX~6_BO)nMG6X>4xbui1FH3_B4#*u*)YNB~Ih392fvdfZ`u@ekJrlZA1s>=L
zW6y5tvU%3Xfc6b1?^1(lbbk_e+fvL5Yvpui5k}&zQ^}FDwUHd4xHLdNCa=5b(rIFo
z;k9N7VQH{paurUYG$d7`ETHl@dar(u7e4s|$35cb+G$<*k=J&p<5osW?~?*xC}8f>
zM;$E6Yzbe-?<jO144R)0BZOC4K=7+J9^|Y~ireIE8`asc;VuOu`{=AcW3@+ur_Skc
z?o=eL<&k(EKBe1#q)&{nmyiwoo^)j&8YLD_9A;)Sn&D}`pT)&EtH^c+d+QJb@0Q}<
zjlZi=OSRM2Uzoj4K<&_nd%FXEhKPl5i+T=rc7OLo`%paIAso}v15{%)G+KAPP18`I
zX^z#srhaWwYtc8h?}EiswaBIKSM{k(JM5ZP%gFHa6$Giy?Y4GgdX5;8WnQ;J4^v9L
z23HP}aqBkTG``+Sno$0A^>n8&25Kqga^!-XS4=S!F^TQ2Or|rjp?tw*qeL;6im#Ut
z$s<BD>Fbf|lco_ov~Uan)FiMGAx?$<n!3|=y7^D@%H`RWc|JDdTo_3Ji0Et&^AnUK
zpM?^qS?*4COHAE9^I5qI2^`}Va9tG!e4idS72^#AFwq7<%;56DDcS>->Fz53PKVsb
z!St{lQBOx@n({OfQI+$68TVKyjmOZk*1U>G{udO+oD$8=UfQ<{3hz_eW2Q@z(7i=1
CY)J$F