From 8f97124adbedd0ce731b8accdad7f9a6a2f10402 Mon Sep 17 00:00:00 2001 From: silversword411 Date: Sun, 26 Sep 2021 13:55:09 -0400 Subject: [PATCH 1/6] docs troubleshooting tweak --- docs/docs/troubleshooting.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs/troubleshooting.md b/docs/docs/troubleshooting.md index 594c54d5..d689ac0a 100644 --- a/docs/docs/troubleshooting.md +++ b/docs/docs/troubleshooting.md @@ -26,7 +26,7 @@ ping mesh.example.com The IP address for all 3 should reflect your Tactical RMM server -## Problems after new install +## Problems after new server install In the very unlikely event you have issues after install please wipe the box and install again (following all the steps including downloading the install script but not running it) use the following command which will log the install progress and if you continue to have issues will assist with support of the installation. @@ -47,9 +47,9 @@ If you see an error about SSL or certificate expired, then your Let's Encrypt ce Refer to the Let's Encrypt cert renewal instructions [here](update_server.md#keeping-your-lets-encrypt-certificate-up-to-date) -## Agents not updating +## Agents not installing or updating -The most common problem we've seen of agents not updating is due to Antivirus blocking the updater executable. +The most common problem we've seen of agents not installing or updating is due to Antivirus blocking the updater executable. Windows Defender will 100% of the time block the updater from running unless an exclusion is set. From ad570e9b1684596b60b73e135f676eab9aae8169 Mon Sep 17 00:00:00 2001 From: silversword411 Date: Tue, 28 Sep 2021 14:30:34 -0400 Subject: [PATCH 2/6] wip and howitallworks tweaks --- docs/docs/howitallworks.md | 10 ++++++++++ scripts_wip/Win_Bitlocker_Enable.ps1 | 27 +++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 scripts_wip/Win_Bitlocker_Enable.ps1 
diff --git a/docs/docs/howitallworks.md b/docs/docs/howitallworks.md index 77904685..48125b83 100644 --- a/docs/docs/howitallworks.md +++ b/docs/docs/howitallworks.md @@ -136,6 +136,16 @@ Files create `c:\Windows\temp\Tacticalxxxx\` folder for install (and log files) *** +### Agent Recovery + +#### Mesh Agent Recovery + +Tactical Agent just runs `mesh_agent.exe -something` to get the mesh agent id and saves it to the django database. + +#### Tactical RPC Recovery + +#### Tactical Agent Recovery + ### Windows Update Management Tactical RMM Agent sets: diff --git a/scripts_wip/Win_Bitlocker_Enable.ps1 b/scripts_wip/Win_Bitlocker_Enable.ps1 new file mode 100644 index 00000000..5127c96c --- /dev/null +++ b/scripts_wip/Win_Bitlocker_Enable.ps1 @@ -0,0 +1,27 @@ +<# +.SYNOPSIS + Enables Bitlocker + +.DESCRIPTION + Enables bitlocker, and shows recovery keys + +.OUTPUTS + Results are printed to the console. + +.NOTES + Change Log + V1.0 Initial release from dinger1986 https://discord.com/channels/736478043522072608/744281869499105290/836871708790882384 +#> + +If(!(test-path C:\TEMP\)) +{ + New-Item -ItemType Directory -Force -Path C:\TEMP\ +} + +Enable-Bitlocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector +manage-bde -protectors C: -get + +$bitlockerkey = manage-bde -protectors C: -get +( +echo $bitlockerkey +)>"C:\Temp\bitlockerkey.txt" \ No newline at end of file From 9b1b9244cf2e327de7dc7689e580fbd7692c8b6e Mon Sep 17 00:00:00 2001 From: silversword411 Date: Wed, 29 Sep 2021 13:56:33 -0400 Subject: [PATCH 3/6] full chain cert docs --- docs/docs/unsupported_scripts.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/docs/unsupported_scripts.md b/docs/docs/unsupported_scripts.md index 99fccf90..287ff128 100644 --- a/docs/docs/unsupported_scripts.md +++ b/docs/docs/unsupported_scripts.md 
@@ -539,3 +539,9 @@ done ###Renew certs can be done by sudo letsencrypt renew (this should automatically be in /etc/cron.d/certbot) ``` + +### Using your own certs + +Let's Encrypt is the only officially supported method of obtaining wildcard certificates. Publicly signed certificates should work but have not been fully tested. + +If you are providing your own publicly signed certificates, ensure you download the **full chain** (combined CA/Root + Intermediary) certificate in pem format. If certificates are not provided, a self-signed certificate will be generated and most agent functions won't work. From 2b4e1c4b678f8274e2446a3297f45cbc658e1b92 Mon Sep 17 00:00:00 2001 From: silversword411 Date: Wed, 29 Sep 2021 14:47:47 -0400 Subject: [PATCH 4/6] docker add --- docs/docs/unsupported_scripts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/unsupported_scripts.md b/docs/docs/unsupported_scripts.md index 287ff128..22a7b1ea 100644 --- a/docs/docs/unsupported_scripts.md +++ b/docs/docs/unsupported_scripts.md @@ -540,7 +540,7 @@ done ###Renew certs can be done by sudo letsencrypt renew (this should automatically be in /etc/cron.d/certbot) ``` -### Using your own certs +### Using your own certs with Docker Let's Encrypt is the only officially supported method of obtaining wildcard certificates. Publicly signed certificates should work but have not been fully tested. From 23a0ad3c4ebdd1c0dd5b3dd84a204f7d5a2bc096 Mon Sep 17 00:00:00 2001 From: silversword411 Date: Wed, 29 Sep 2021 22:41:11 -0400 Subject: [PATCH 5/6] docs updating docker with LE info and improving headers --- docs/docs/install_docker.md | 43 +++++++++++++++++++++++++++---------- docs/docs/install_server.md | 2 +- 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/docs/docs/install_docker.md b/docs/docs/install_docker.md index 44be4bb7..9f707461 100644 --- a/docs/docs/install_docker.md +++ b/docs/docs/install_docker.md 
@@ -1,27 +1,48 @@ # Docker Setup -- Install docker and docker-compose -- Obtain valid wildcard certificate for your domain. If certificates are not provided, a self-signed certificate will be generated and most agent functions won't work. See below on how to generate a free Let's Encrypt! +## 1. Install Docker -## Generate certificates with certbot +Install docker -Install Certbot +## 2. Acquire Lets Encrypt Wildcard certs with certbot + +!!!warning + If the Lets Encrypt wildcard certificates are not provided, a self-signed certificate will be generated and most agent functions won't work. + +### 2a. Install Certbot ```bash sudo apt-get install certbot ``` -Generate the wildcard certificate. Add the DNS entry for domain validation. Replace `example.com` with your root doamin +### 2b. Generate the wildcard Lets Encrypt certificates + +#### Deploy the TXT record in your DNS manager + +!!!warning + TXT records can take anywhere from 1 minute to a few hours to propogate depending on your DNS provider.
+ You should verify the TXT record has been deployed first before pressing Enter.
+ A quick way to check is with the following command:
`dig -t txt _acme-challenge.example.com`
+ or test using: Enter: `_acme-challenge.example.com` + +![txtrecord](images/txtrecord.png) + +![dnstxt](images/dnstxt.png) + +#### Request Lets Encrypt Wildcard cert ```bash sudo certbot certonly --manual -d *.example.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns ``` -## Configure DNS and firewall +!!!note + Replace `example.com` with your root domain + +## 3. Configure DNS and firewall You will need to add DNS entries so that the three subdomains resolve to the IP of the docker host. There is a reverse proxy running that will route the hostnames to the correct container. On the host, you will need to ensure the firewall is open on tcp ports 80, 443 and 4222. -## Setting up the environment +## 4. Setting up the environment Get the docker-compose and .env.example file on the host you which to install on @@ -35,7 +56,7 @@ Change the values in .env to match your environment. If you are supplying certificates through Let's Encrypt or another source, see the section below about base64 encoding the certificate files. -## Base64 encoding certificates to pass as env variables +### 4a. Base64 encoding certificates to pass as env variables Use the below command to add the the correct values to the .env. @@ -54,7 +75,7 @@ echo "CERT_PUB_KEY=$(sudo base64 -w 0 /path/to/pub/key)" >> .env echo "CERT_PRIV_KEY=$(sudo base64 -w 0 /path/to/priv/key)" >> .env ``` -## Starting the environment +## 5. Starting the environment Run the below command to start the environment. @@ -64,7 +85,7 @@ sudo docker-compose up -d Removing the -d will start the containers in the foreground and is useful for debugging. -## Get MeshCentral EXE download link +## 6. Get MeshCentral EXE download link Run the below command to get the download link for the mesh central exe. This needs to be uploaded on first successful signin. 
@@ -72,6 +93,6 @@ Run the below command to get the download link for the mesh central exe. This ne sudo docker-compose exec tactical-backend python manage.py get_mesh_exe_url ``` -## Backups +## Note about Backups The backup script **does not** work with docker. To backup your install use [standard docker backup/restore](https://docs.docker.com/desktop/backup-and-restore/) processes. diff --git a/docs/docs/install_server.md b/docs/docs/install_server.md index 6179accc..6d147861 100644 --- a/docs/docs/install_server.md +++ b/docs/docs/install_server.md @@ -131,7 +131,7 @@ Answer the initial questions when prompted. Replace `example.com` with your doma ![questions](images/install_questions.png) -### Deploy the TXT record in your DNS manager +### Deploy the TXT record in your DNS manager for Lets Encrypt wildcard certs !!!warning TXT records can take anywhere from 1 minute to a few hours to propogate depending on your DNS provider.
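Review bot: In docs/docs/troubleshooting.md (PATCH 1/6), second hunk, the heading and sentence now cover installs as well as updates, but the cause is still given as antivirus blocking "the updater executable", which does not account for a failed first install. Suggest naming what gets blocked during install as well, and stating the exact file or path the exclusion should cover so readers do not exclude more than needed. Wording nit: "The most common problem we've seen of agents not installing or updating is due to" reads better as "The most common cause of agents not installing or updating is".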
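Review bot: In docs/docs/howitallworks.md (PATCH 2/6), the Mesh Agent Recovery text documents the command as `mesh_agent.exe -something`, which is a placeholder, and the "Tactical RPC Recovery" and "Tactical Agent Recovery" headings are added with no body. Either fill in the actual argument and the two sections before merging, or mark the whole "Agent Recovery" block as work in progress so readers do not take the placeholder for a real flag.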
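Review bot: In scripts_wip/Win_Bitlocker_Enable.ps1 (PATCH 2/6), the last four lines redirect the output of `manage-bde -protectors C: -get` to `C:\Temp\bitlockerkey.txt`, which stores the recovery password in plaintext on the same volume it unlocks. The file cannot be reached when the drive is in recovery, and until then it is readable by anyone who can read C:\Temp. Suggest dropping the file write and escrowing the protector instead (for example with `Backup-BitLockerKeyProtector` on domain-joined machines), and noting in .OUTPUTS that the key is printed to the console and so lands in the script output history. Smaller points: `manage-bde -protectors C: -get` runs twice, `-SkipHardwareTest` skips BitLocker's pre-encryption hardware test and deserves a line in .NOTES, the `If(!(test-path C:\TEMP\))` block exists only for the file write, and the file has no trailing newline.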
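Review bot: In docs/docs/unsupported_scripts.md (PATCH 3/6, retitled in PATCH 4/6), "full chain" is glossed as "combined CA/Root + Intermediary", which does not mention the server certificate itself and uses "Intermediary" where "intermediate" is meant. Say which certificates the PEM file must contain, in what order, and where the file is supplied. The opening sentence also says Let's Encrypt is the only officially supported method "of obtaining wildcard certificates" in a section about bringing your own, so lead with the unsupported status instead. Since PATCH 4/6 scopes the heading to Docker, consider moving the section into install_docker.md, which already documents `CERT_PUB_KEY` and `CERT_PRIV_KEY`.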
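Review bot: In docs/docs/install_docker.md (PATCH 5/6), first hunk, step 1 now reads only "Install docker" after the "Install docker and docker-compose" bullet was removed, yet later steps still run `sudo docker-compose up -d` and `sudo docker-compose exec`. Keep docker-compose in step 1. In the same hunk: "or test using: Enter: `_acme-challenge.example.com`" has lost whatever it pointed to; the `-d *.example.com` argument in the certbot command is unquoted and can be expanded by the shell, so quote it while this block is being touched; the new warning ties the self-signed fallback to "the Lets Encrypt wildcard certificates" not being provided, while step 4 allows "Let's Encrypt or another source"; and "Lets", "propogate" and "the host you which to install on" should read "Let's", "propagate" and "wish".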
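Review bot: In docs/docs/install_docker.md (PATCH 5/6), hunk `@@ -54,7 +75,7 @@`, the context line `echo "CERT_PRIV_KEY=$(sudo base64 -w 0 /path/to/priv/key)" >> .env` appends the private key to `.env`, and the renumbered section 4a says nothing about protecting that file. Base64 is an encoding, not protection, so add a step restricting `.env` to its owner (for example `chmod 600 .env`) and a reminder to keep it out of version control and shared backups. The neighbouring 4a hunk also carries "add the the correct values", which is worth fixing in the same pass.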
From 0db497916dfdd98f67f88a825549972351a91c15 Mon Sep 17 00:00:00 2001 From: silversword411 Date: Thu, 30 Sep 2021 00:32:53 -0400 Subject: [PATCH 6/6] docs install tweaks --- docs/docs/images/meshagentdl.png | Bin 18911 -> 19435 bytes docs/docs/install_docker.md | 48 +++++++++++++++++++++++-------- docs/docs/install_server.md | 5 ++++ 3 files changed, 41 insertions(+), 12 deletions(-) 
diff --git a/docs/docs/images/meshagentdl.png b/docs/docs/images/meshagentdl.png index 85defd464b4e20d60cdcb4cd97100b83c89d8f63..8bf10feaff9d3bf2ee303e2a075c35f41516e851 100644 GIT binary patch literal 19435
zv$>ynBR+X8r9rnqK_t)!OfePOtT#Z$NPqlEGZ|ypoBio}u2LrZYwNjuqtE2(tyD5( z#azxzk1>1loo9?B%1$$SZj+Ecf=5b%AY%MX@nXgh5o{tk?;}7v+|qn~_cVL`d4xb! z6tmBNak-GGBMv_8 z#4CawUuEx3Nt%_IhAl&AU>kznC4KetG^(KLriRPx+U-=FJgJP(vz{9kG-Y5t-chb*0m?AHX^wx9{&PBxbow@{Ie1q8Z?Ajn&$Y+x#@; z69YUC3p2a)9K3e`L;Hr8_?F`SvuAVY+AOyt$LLvnT&J48G+Wgp=(L@UN4q(_^ys(J zN#;+CXP$E&VQhtp+2~|Fr z%K@HfH9x@(_p3>Q?|~!_Nj*DTZ=U|Hw^1Y7KOYdB8IhtzO0~#A8oFw_N-Hzd6cDwh zzn!2qT`#lQ3((#jV7|r( z*Z0Y#>I=h6dPZ~ISY zb>Hgyg==F$aNEeT)~;Qiv0B#a3pO`}f<&LOC{4UEdMcoP$Ax2iO5hrj{lgA=!$#%R znZ(3zXJsthIv%BIkdE3pnx2P@25u?D3Zk$C4+IxE?ugmyO zVV+jU+iWzke2X*;Ye)c6R`K2{6!w`fE1H=yJbMp)Oc}{3i@8BfRSc!yzkkeXBf;0O z^W6i%1h@~^t;9|*e`!4V6&Dx{Io^K6K<%@t9?kQ#B>7^3-x85%(3L-x`YVZyh1cGg^&kEKy#Byn{*44Kuo}Q)3|1G;dl=m=?I`OwXlx*;yI#xg3 zWNTTUX`=ulmtuELcdv4GnjPlTPq)!$!Y3m&5Ete0j4||SaLoKVydk(n-k~UG=kCY^ zbX03#*3;a%y*-9(oR5(#qI2nL#=l+EK?mCrw?rp=_TA^MznwKhrQGWHUtZ6@`+wC2 zGtf}-JkaO8T9t$7%g~ypO>j#r>+_2%ou7nbc4DTDTzooMtnb0p4!RJ()Qspe0WdRG z5)eVzn0-zJ8drJkR%lXpe@c-sPrrw&)3UN{jyDYz6f_my`EBa{SdR!Y)WK9a{*aQ{ zZG3ktPn%$CQ2x+l)~nRKjo`mQWJP3kKP}P);%lP+JmePY?-~B&(B8PJc1S|%i_Odp zDZ!+aBqPjD18QZ;D*B_h^8NhvCGNP<+Vy-Xym)3551~5+W|7KI4QRz&)z;>%vUijU z@jTykaR#68bCiN=7RdF)ATRfP@v8XtEduz z((@ps^eKQdjBO>v!N%8t;tB^Zvij~i{w<(!in7_J=gtrep&wDne~|dq77?6l2hrvA z`g=kKF{O`g#4_+v;_r(wg`ifS;z;)YrF`5KnDr{E1fcZ41Qfbu?)L4`kKCkJsBNMO zB*`lXr3-nM!^}_U@BSNs?zcu*i+-{o2C&{=|L5Dv>XHFxZGE|L8?N8!1Qs}cKIx?8 zVp1de9i$82x?e!`BJTP9IF;Q-@mGYvJJ~cF@F2{rQ8GM!m>j9Pa>5EuRU-OF7Yjk~ zEruTi(Q=93w<&4;6l+EqXY&3%w<@7k$Vo?R-{#&4%N@Fp)Or&Ke|(-2S_p(sbP`@K za7gejQN5t;puOO?yHl4!i14ci5WY0Br0vS{HW7iXyLH}MbbSsYe2B;sM+B?&?rX7k zq558y69w`k^&ff>$iHpO1oS$%NlaD=3^`&n-dnJL_@Ijb`x2NUm1f*nzce#r}rt2r%#gO_zo#btC1j&%({tcy>51gmm z%*UOvG-Ub zml$C7V#zYR_~8GI;T;?BY~og4aAz(tyVV+`Wnl-Wb1cm$U%)zciy4?#agv87K7-X{ zr_H|1Ll3`DyyB5ZpC+IcjkM*x#DYEH`05CSwCPjSx@G6UIxaeX;QM3f@@Kc1o|_h( zvHRdM*AH;7z zktJbC&$~%x=bM?N(lL+<&_0~7;vb}7h0T~;f13%f*M7@t>MvdMvm7Kh;jgZIApA&~ za@l2}(|{bqusqIy8SawTI?<5D?$0-G57(A2YW3bz4`?^{OH{Q$DCIGPNKCab#M{h| z+k>X1%m%0e0|M}rHyQsdXU0g

?0;Y83vaaOpWPo4NX|WrFIR1pQ1^7g%+UO~U|FnEPvPX>)Gss19vC_v{+K z8uR49s-6S7H3O_rrrUIkqy(n>M0Q)FVeo?PcnH;Awa!~;@Z&M`m$u+0+FQQsHY3o- zPVq(pTP-6mX<$70=-FKc9vM^8mz=jf7E%@Uu^;HSrmI0yF`PXU+lO>TD%-Y{+IYrd?1@wa4-E z(cv`zyHq|NzLM|phsyY$UluEZFE0;ZWFIrZ5EJc;Z+KjC&9?sIuEHe@fN26TU& zuUk0xLOR39&!-Pq&*^P?*>@-5-#4A2SL%~Sn%?^Fgx zt%|-kGyc-8fd5+OnTiYoV{PU7b_Sz3dDbEzF4@Q8@t2(fpp3YxN;y`2F{iJCYCgtTw7bOv z$e(#{l=;X0p4t|xH!$KnBKuG!{-IB4=*YogB-Nrt68F%-4ND;_wM+U({3ja+5s~xp zTyk4tUp3L$Y^@@2*(j3Q6I~z8#{N~pkvT_qVQ3#VLAyM;O5r<=c<8yu185b*g3m0P zRBKpH$>;N?l^QE-^*NM_@wUv~Rsd@v+?qm)6{#wB(*3S6)4e-+XKcgqqtML+8Tt>O z?}_z_E>aU^3L?X*o-jCDOojwO($L*Z66b~RM~9X*C6)-?&Plkji_F2)D$@rXUr&d2 zcAV1HgSNS1a4Qtugp?VWjfL#`b*{4>R^2#HRG(%>;(O3*Gw-wG2eb=8 zyZ-b3tpMLfb2&_X4d3enzsDY+dm_B=PWQ5rZeNGzo*HWMWB` zgp;Yu8Kkm8L<$dva-1>+5)$Kl8c=n5Hs zR`{2sdjik^QY&dQ3XQ4zK|@@{z3*S>A@~U@qaIH{zM@y{#WMoMzRtKh8`10R!^(O; zPnP%m@=%^ixz&TqKR6KD;eg9`-@J=W6|<~2pKj*Exl12j{-3EH-}0EgusSF!l|@&z&7jtn*vG@Tlq^dK0cu23%s}mYu}@UdQpnf%Wr+FTI|! zhhs9Zty6zt){Vv!jvsCm9#3IbwDmc;dm*qv^M!paa8rHu^?dj;$$O)O5S2ef++tTcYH|i>9qf zpWO2Ac>%QsIRFo(I54a8@3-z|eph};-3#*#W_Ls{e~}(B`|x~y;DVJPhwn%F8uD)_ zUUc@@y}}G{Xm4*#+9ZV~}A6Wb_ z!}`pVmt}|7@VNpvGE4|m>#~Rht_o^7&=hL(u+?>~fMwK=j)xb^btbei?0T)owO}Jt zZgX@{*<7(Bd@lTH??HiOsL*8>sn&CYGtiac;0AvCd`7{R1v=Z$?~q$z`$1zzhjgWQ zpM>4v>obl%T+I%0xnZEnDWio){W!E6atzKH+c5P$PP7m|#G!U*MSObahiy3=;yag0 ze3IREIJ`z4nECELY94c_hE-g427W!-tYOoH<lK6&>OmvwD61IDwOLSV~jr;Wy5C)OHE9BJ-Q((PIE@Y_VYb)u7_GZhyX p0HffNI=z<_5wP!=#rOY=dEO1?dcU=Wfrm0Nc)I$ztaD0e0sx#Q(Wn3b diff --git a/docs/docs/install_docker.md b/docs/docs/install_docker.md index 9f707461..8523cc18 100644 --- a/docs/docs/install_docker.md +++ b/docs/docs/install_docker.md 
@@ -4,20 +4,34 @@ Install docker -## 2. Acquire Lets Encrypt Wildcard certs with certbot +### 2. Create the A records + +We'll be using `example.com` as our domain for this example. + +!!!info + The RMM uses 3 different sites. The Vue frontend e.g. `rmm.example.com` which is where you'll be accesing your RMM from the browser, the REST backend e.g. `api.example.com` and Meshcentral e.g. `mesh.example.com` + +1. Get the public IP of your server with `curl https://icanhazip.tacticalrmm.io` +2. Open the DNS manager of wherever the domain you purchased is hosted. +3. Create 3 A records: `rmm`, `api` and `mesh` and point them to the public IP of your server: + +![arecords](images/arecords.png) + +## 3. Acquire Let's Encrypt Wildcard certs with certbot !!!warning - If the Lets Encrypt wildcard certificates are not provided, a self-signed certificate will be generated and most agent functions won't work. + If the Let's Encrypt wildcard certificates are not provided, a self-signed certificate will be generated and most agent functions won't work. -### 2a. Install Certbot +### A. Install Certbot ```bash sudo apt-get install certbot ``` -### 2b. Generate the wildcard Lets Encrypt certificates +### B. Generate the wildcard Let's Encrypt certificates -#### Deploy the TXT record in your DNS manager +We're using the [DNS-01 challenge method](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) +#### a. Deploy the TXT record in your DNS manager !!!warning TXT records can take anywhere from 1 minute to a few hours to propogate depending on your DNS provider.
@@ -29,7 +43,7 @@ sudo apt-get install certbot ![dnstxt](images/dnstxt.png) -#### Request Lets Encrypt Wildcard cert +#### b. Request Let's Encrypt Wildcard cert ```bash sudo certbot certonly --manual -d *.example.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns @@ -38,11 +52,11 @@ sudo certbot certonly --manual -d *.example.com --agree-tos --no-bootstrap --man !!!note Replace `example.com` with your root domain -## 3. Configure DNS and firewall +## 4. Configure DNS and firewall You will need to add DNS entries so that the three subdomains resolve to the IP of the docker host. There is a reverse proxy running that will route the hostnames to the correct container. On the host, you will need to ensure the firewall is open on tcp ports 80, 443 and 4222. -## 4. Setting up the environment +## 5. Setting up the environment Get the docker-compose and .env.example file on the host you which to install on @@ -54,9 +68,9 @@ mv .env.example .env Change the values in .env to match your environment. -If you are supplying certificates through Let's Encrypt or another source, see the section below about base64 encoding the certificate files. +When supplying certificates through Let's Encrypt, see the section below about base64 encoding the certificate files. -### 4a. Base64 encoding certificates to pass as env variables +### A. Base64 encoding certificates to pass as env variables Use the below command to add the the correct values to the .env. @@ -75,7 +89,7 @@ echo "CERT_PUB_KEY=$(sudo base64 -w 0 /path/to/pub/key)" >> .env echo "CERT_PRIV_KEY=$(sudo base64 -w 0 /path/to/priv/key)" >> .env ``` -## 5. Starting the environment +## 6. Starting the environment Run the below command to start the environment. 
@@ -85,7 +99,7 @@ sudo docker-compose up -d Removing the -d will start the containers in the foreground and is useful for debugging. -## 6. Get MeshCentral EXE download link +## 7. Get MeshCentral EXE download link Run the below command to get the download link for the mesh central exe. This needs to be uploaded on first successful signin. @@ -93,6 +107,16 @@ Run the below command to get the download link for the mesh central exe. This ne sudo docker-compose exec tactical-backend python manage.py get_mesh_exe_url ``` +Download the mesh agent: + +![meshagentdl](images/meshagentdl.png) + +Navigate to `https://rmm.example.com` and login with the username/password you created during install. + +Once logged in, you will be redirected to the initial setup page. + +Create your first client/site, choose the default timezone and then upload the mesh agent you just downloaded. + ## Note about Backups The backup script **does not** work with docker. To backup your install use [standard docker backup/restore](https://docs.docker.com/desktop/backup-and-restore/) processes. diff --git a/docs/docs/install_server.md b/docs/docs/install_server.md index 6d147861..2d172ce8 100644 --- a/docs/docs/install_server.md +++ b/docs/docs/install_server.md @@ -149,6 +149,8 @@ Create a login for the RMM web UI: A bunch of URLS / usernames / passwords will be printed out at the end of the install script. **Save these somewhere safe.** [Recover them if you didn't](faq.md#how-do-i-recover-my-meshcentral-login-credentials) +### Upload mesh agents + Copy the url for the meshagent exe (`https://mesh.example.com/agentinvite?c=......`), paste it in your browser and download the mesh agent: ![meshagentdl](images/meshagentdl.png) 
@@ -181,6 +183,9 @@ Login to your router/NAT device. 1. Set your TRMM server as a static IP (Use a DHCP reservation is usually safer) 2. Create 2 port forwarding rules. `TCP Port 443` and `TCP Port 4222` to your TRMM servers private IP address. + +!!!note + can help with Port Forwarding setup ### You're Done
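Review bot: in the first install_docker.md hunk (`@@ -4,20 +4,34 @@`) the new step is added as `### 2. Create the A records`, one level deeper than the following `## 3. Acquire Let's Encrypt Wildcard certs with certbot`, so it will nest under the preceding heading in the rendered page and table of contents instead of sitting beside the other numbered steps. Make it `## 2. Create the A records`. The added info box also has a typo: "accesing" should be "accessing".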
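Review bot: in the `@@ -29,7 +43,7 @@` hunk of install_docker.md, the certbot command under the renamed heading passes `-d *.example.com` unquoted, so the shell will glob-expand it if a matching file name exists in the working directory and certbot would then be asked for the wrong name. Since this section is being touched anyway, quote it as `-d "*.example.com"`.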
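Review bot: in the `@@ -38,11 +52,11 @@` hunk of install_docker.md, the renumbered `## 4. Configure DNS and firewall` still opens with "You will need to add DNS entries so that the three subdomains resolve to the IP of the docker host", which now repeats the new step 2 that creates the `rmm`, `api` and `mesh` A records. Reduce step 4 to the firewall requirement (tcp ports 80, 443 and 4222) and rename it accordingly, or point back to step 2, so readers do not think a second set of DNS records is needed.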
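Review bot: in the `@@ -54,9 +68,9 @@` hunk of install_docker.md, the reworded sentence drops "or another source" and now reads "When supplying certificates through Let's Encrypt", which changes what the docs promise rather than only the wording. If certificates from another CA are still accepted through `CERT_PUB_KEY` / `CERT_PRIV_KEY`, keep that in the sentence; if they are no longer supported, say so explicitly instead of removing the mention silently.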
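Review bot: in the `@@ -75,7 +89,7 @@` hunk of install_docker.md, the context lines append `CERT_PRIV_KEY=$(sudo base64 -w 0 /path/to/priv/key)` to `.env`, and nothing visible around the renumbered heading tells the reader to protect that file. Base64 is an encoding, not protection, so `.env` now holds the TLS private key in recoverable form. Add a line to the docs here recommending `chmod 600 .env` and keeping the file out of version control and shared backups.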
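Review bot: in the `@@ -93,6 +107,16 @@` hunk of install_docker.md, the added sentence tells the reader to log in "with the username/password you created during install", but none of the docker steps visible in this patch has the reader create credentials; the only configuration step shown is "Change the values in .env to match your environment". State where these credentials come from in the docker flow (for example, which `.env` values) so the reader is not left looking for an install prompt. Minor: "login" is used as a verb here and should be "log in".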
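Review bot: in the install_server.md hunk `@@ -181,6 +183,9 @@`, the body of the added `!!!note` reads " can help with Port Forwarding setup" with nothing before "can", so the sentence has no subject. If a site name or bare URL was intended there, write it as an explicit Markdown link (`[name](url)`) so it survives rendering, and check that a blank line separates the admonition from the `### You're Done` heading that follows.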