From 18cfc2fe02c35f930cbcb2cb0f2b56108b8828d7 Mon Sep 17 00:00:00 2001 From: JigSawFr Date: Wed, 9 Aug 2023 12:38:42 +0200 Subject: [PATCH 1/2] feat(store): add sftpgo app --- apps/sftpgo/config.json | 55 ++++++++++++++++++ apps/sftpgo/docker-compose.yml | 85 ++++++++++++++++++++++++++++ apps/sftpgo/metadata/description.md | 68 ++++++++++++++++++++++ apps/sftpgo/metadata/logo.jpg | Bin 0 -> 3155 bytes 4 files changed, 208 insertions(+) create mode 100644 apps/sftpgo/config.json create mode 100644 apps/sftpgo/docker-compose.yml create mode 100644 apps/sftpgo/metadata/description.md create mode 100644 apps/sftpgo/metadata/logo.jpg diff --git a/apps/sftpgo/config.json b/apps/sftpgo/config.json new file mode 100644 index 00000000..4e51a857 --- /dev/null +++ b/apps/sftpgo/config.json @@ -0,0 +1,55 @@ +{ + "$schema": "../schema.json", + "name": "SFTPGo", + "port": 8002, + "available": true, + "exposable": true, + "id": "sftpgo", + "tipi_version": 1, + "version": "2.5.4", + "categories": ["utilities"], + "description": "Fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support - S3, Google Cloud Storage, Azure Blob", + "short_desc": "Fully featured and highly configurable SFTP server", + "author": "drakkan", + "source": "https://github.com/drakkan/sftpgo", + "website": "https://sftpgo.com", + "form_fields": [ + { + "type": "random", + "label": "Database password", + "min": 20, + "env_variable": "SFTPGO_DATABASE_PASSWORD" + }, + { + "type": "text", + "label": "Web Admin User", + "hint": "Username for the web admin user", + "placeholder": "admin", + "required": true, + "env_variable": "SFTPGO_ADMIN_USERNAME" + }, + { + "type": "password", + "label": "Web Admin Password", + "min": 20, + "hint": "Password for the web admin user", + "placeholder": "password", + "required": true, + "env_variable": "SFTPGO_ADMIN_PASSWORD" + }, + { + "type": "number", + "label": "Binding Port", + "hint": "Port used to run application in container", + "placeholder": "8080", + "env_variable": "SFTPGO_BINDING_PORT" + }, + { + "type": "number", + "label": "Grace Time on stop", + "hint": "Waiting time before killing app after requesting a stop", + "placeholder": "5", + "env_variable": "SFTPGO_GRACE_TIME" + } + ] +} diff --git a/apps/sftpgo/docker-compose.yml b/apps/sftpgo/docker-compose.yml new file mode 100644 index 00000000..453b2895 --- /dev/null +++ b/apps/sftpgo/docker-compose.yml @@ -0,0 +1,85 @@ +version: "3.8" + +services: + sftpgo: + container_name: sftpgo + user: root + image: drakkan/sftpgo:v2.5.4-alpine + restart: unless-stopped + depends_on: + sftpgo-db: + condition: service_healthy + ports: + - ${APP_PORT}:${SFTPGO_BINDING_PORT-8080} # Admin Web UI + - 2022:2022 # SFTP + healthcheck: + test: + ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:${SFTPGO_BINDING_PORT-8080}/healthz"] + interval: 30s + timeout: 5s + retries: 5 + start_period: 30s + volumes: + - ${APP_DATA_DIR}/data/config:/var/lib/sftpgo + - ${APP_DATA_DIR}/data/files:/srv/sftpgo/data + - ${APP_DATA_DIR}/data/backups:/srv/sftpgo/backups + environment: + - SFTPGO_HTTPD__BINDINGS__0__PORT=${SFTPGO_BINDING_PORT-8080} + - SFTPGO_GRACE_TIME=${SFTPGO_GRACE_TIME-5} + - SFTPGO_MINIO_SHA256_SIMD=1 + - SFTPGO_DATA_PROVIDER__CREATE_DEFAULT_ADMIN=${SFTPGO_CREATE_DEFAULT_ADMIN-1} + - SFTPGO_DEFAULT_ADMIN_USERNAME=${SFTPGO_ADMIN_USERNAME} + - SFTPGO_DEFAULT_ADMIN_PASSWORD=${SFTPGO_ADMIN_PASSWORD} + - SFTPGO_DATA_PROVIDER__DRIVER=postgresql + - SFTPGO_DATA_PROVIDER__NAME=sftpgo + - SFTPGO_DATA_PROVIDER__HOST=sftpgo-db + - SFTPGO_DATA_PROVIDER__PORT=5432 + - SFTPGO_DATA_PROVIDER__USERNAME=sftpgo + - SFTPGO_DATA_PROVIDER__PASSWORD=${SFTPGO_DATABASE_PASSWORD-sftpgo} + networks: + - tipi_main_network + labels: + # Main + traefik.enable: true + traefik.http.middlewares.sftpgo-web-redirect.redirectscheme.scheme: https + traefik.http.services.sftpgo.loadbalancer.server.port: ${SFTPGO_BINDING_PORT-8080} + # Web + traefik.http.routers.sftpgo-insecure.rule: Host(`${APP_DOMAIN}`) + traefik.http.routers.sftpgo-insecure.entrypoints: web + traefik.http.routers.sftpgo-insecure.service: sftpgo + traefik.http.routers.sftpgo-insecure.middlewares: sftpgo-web-redirect + # Websecure + traefik.http.routers.sftpgo.rule: Host(`${APP_DOMAIN}`) + traefik.http.routers.sftpgo.entrypoints: websecure + traefik.http.routers.sftpgo.service: sftpgo + traefik.http.routers.sftpgo.tls.certresolver: myresolver + # Local domain + traefik.http.routers.sftpgo-local-insecure.rule: Host(`sftpgo.${LOCAL_DOMAIN}`) + traefik.http.routers.sftpgo-local-insecure.entrypoints: web + traefik.http.routers.sftpgo-local-insecure.service: sftpgo + traefik.http.routers.sftpgo-local-insecure.middlewares: sftpgo-web-redirect + # Local domain secure + traefik.http.routers.sftpgo-local.rule: Host(`sftpgo.${LOCAL_DOMAIN}`) + traefik.http.routers.sftpgo-local.entrypoints: websecure + traefik.http.routers.sftpgo-local.service: sftpgo + traefik.http.routers.sftpgo-local.tls: true + + # Postgres SQL + sftpgo-db: + container_name: sftpgo-db + image: docker.io/library/postgres:15.3-alpine + restart: unless-stopped + networks: + - tipi_main_network + volumes: + - ${APP_DATA_DIR}/db:/var/lib/postgresql/data + healthcheck: + test: ["CMD", "pg_isready", "-d", "sftpgo"] + interval: 10s + timeout: 5s + retries: 5 + environment: + - POSTGRES_PASSWORD=${SFTPGO_DATABASE_PASSWORD-sftpgo} + - POSTGRES_USER=sftpgo + - POSTGRES_DB=sftpgo + - PGUSER=sftpgo \ No newline at end of file diff --git a/apps/sftpgo/metadata/description.md b/apps/sftpgo/metadata/description.md new file mode 100644 index 00000000..d1c710f7 --- /dev/null +++ b/apps/sftpgo/metadata/description.md @@ -0,0 +1,68 @@ +# SFTPGo + +Fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. +Several storage backends are supported: local filesystem, encrypted local filesystem, S3 (compatible) Object Storage, Google Cloud Storage, Azure Blob Storage, SFTP. + +## Support policy + +SFTPGo is an Open Source project and you can of course use it for free but please don't ask for free support as well. + +We will check the reported issues to see if you are experiencing a bug and if so, it may or may not be fixed, we only provide support to project [sponsors/donors](#sponsors). + +If you report an invalid issue or ask for step-by-step support, your issue will remain open with no answer or will be closed as invalid without further explanation. Thanks for understanding. + +## Features + +- Support for serving local filesystem, encrypted local filesystem, S3 Compatible Object Storage, Google Cloud Storage, Azure Blob Storage or other SFTP accounts over SFTP/SCP/FTP/WebDAV. +- Virtual folders are supported: a virtual folder can use any of the supported storage backends. So you can have, for example, a user with the S3 backend mapping a GCS bucket (or part of it) on a specified path and an encrypted local filesystem on another one. Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user. +- Configurable [custom commands and/or HTTP hooks](https://github.com/drakkan/sftpgo/tree/main/docs/custom-actions.md) on upload, pre-upload, download, pre-download, delete, pre-delete, rename, mkdir, rmdir on SSH commands and on user add, update and delete. +- Virtual accounts stored within a "data provider". +- SQLite, MySQL, PostgreSQL, CockroachDB, Bolt (key/value store in pure Go) and in-memory data providers are supported. +- Chroot isolation for local accounts. Cloud-based accounts can be restricted to a certain base path. +- Per-user and per-directory virtual permissions, for each path you can allow or deny: directory listing, upload, overwrite, download, delete, rename, create directories, create symlinks, change owner/group/file mode and modification time. +- [REST API](https://github.com/drakkan/sftpgo/tree/main/docs/rest-api.md) for users and folders management, data retention, backup, restore and real time reports of the active connections with possibility of forcibly closing a connection. +- The [Event Manager](https://github.com/drakkan/sftpgo/tree/main/docs/eventmanager.md) allows to define custom workflows based on server events or schedules. +- [Web based administration interface](https://github.com/drakkan/sftpgo/tree/main/docs/web-admin.md) to easily manage users, folders and connections. +- [Web client interface](https://github.com/drakkan/sftpgo/tree/main/docs/web-client.md) so that end users can change their credentials, manage and share their files in the browser. +- Public key and password authentication. Multiple public keys per-user are supported. +- SSH user [certificate authentication](https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.8). +- Keyboard interactive authentication. You can easily setup a customizable multi-factor authentication. +- Partial authentication. You can configure multi-step authentication requiring, for example, the user password after successful public key authentication. +- Per-user authentication methods. +- [Two-factor authentication](https://github.com/drakkan/sftpgo/tree/main/docs/howto/two-factor-authentication.md) based on time-based one time passwords (RFC 6238) which works with Authy, Google Authenticator, Microsoft Authenticator and other compatible apps. +- LDAP/Active Directory authentication using a [plugin](https://github.com/sftpgo/sftpgo-plugin-auth). +- Simplified user administrations using [groups](https://github.com/drakkan/sftpgo/tree/main/docs/groups.md). +- [Roles](https://github.com/drakkan/sftpgo/tree/main/docs/roles.md) allow to create limited administrators who can only create and manage users with their role. +- Custom authentication via [external programs/HTTP API](https://github.com/drakkan/sftpgo/tree/main/docs/external-auth.md). +- Web Client and Web Admin user interfaces support [OpenID Connect](https://openid.net/connect/) authentication and so they can be integrated with identity providers such as [Keycloak](https://www.keycloak.org/). You can find more details [here](https://github.com/drakkan/sftpgo/tree/main/docs/oidc.md). +- [Data At Rest Encryption](https://github.com/drakkan/sftpgo/tree/main/docs/dare.md). +- Dynamic user modification before login via [external programs/HTTP API](https://github.com/drakkan/sftpgo/tree/main/docs/dynamic-user-mod.md). +- Quota support: accounts can have individual disk quota expressed as max total size and/or max number of files. +- Bandwidth throttling, with separate settings for upload and download and overrides based on the client's IP address. +- Data transfer bandwidth limits, with total limit or separate settings for uploads and downloads and overrides based on the client's IP address. Limits can be reset using the REST API. +- Per-protocol [rate limiting](https://github.com/drakkan/sftpgo/tree/main/docs/rate-limiting.md) is supported and can be optionally connected to the built-in defender to automatically block hosts that repeatedly exceed the configured limit. +- Per-user maximum concurrent sessions. +- Per-user and global IP filters: login can be restricted to specific ranges of IP addresses or to a specific IP address. +- Per-user and per-directory shell like patterns filters: files can be allowed, denied and optionally hidden based on shell like patterns. +- Automatically terminating idle connections. +- Automatic blocklist management using the built-in [defender](https://github.com/drakkan/sftpgo/tree/main/docs/defender.md). +- Geo-IP filtering using a [plugin](https://github.com/sftpgo/sftpgo-plugin-geoipfilter). +- Atomic uploads are configurable. +- Per-user files/folders ownership mapping: you can map all the users to the system account that runs SFTPGo (all platforms are supported) or you can run SFTPGo as root user and map each user or group of users to a different system account (\*NIX only). +- Support for Git repositories over SSH. +- SCP and rsync are supported. +- FTP/S is supported. You can configure the FTP service to require TLS for both control and data connections. +- [WebDAV](https://github.com/drakkan/sftpgo/tree/main/docs/webdav.md) is supported. +- ACME protocol is supported. SFTPGo can obtain and automatically renew TLS certificates for HTTPS, WebDAV and FTPS from `Let's Encrypt` or other ACME compliant certificate authorities, using the `HTTP-01` or `TLS-ALPN-01` [challenge types](https://letsencrypt.org/docs/challenge-types/). +- Two-Way TLS authentication, aka TLS with client certificate authentication, is supported for REST API/Web Admin, FTPS and WebDAV over HTTPS. +- Per-user protocols restrictions. You can configure the allowed protocols (SSH/HTTP/FTP/WebDAV) for each user. +- [Prometheus metrics](https://github.com/drakkan/sftpgo/tree/main/docs/metrics.md) are supported. +- Support for HAProxy PROXY protocol: you can proxy and/or load balance the SFTP/SCP/FTP service without losing the information about the client's address. +- Easy [migration](https://github.com/drakkan/sftpgo/tree/main/examples/convertusers) from Linux system user accounts. +- [Portable mode](https://github.com/drakkan/sftpgo/tree/main/docs/portable-mode.md): a convenient way to share a single directory on demand. +- [SFTP subsystem mode](https://github.com/drakkan/sftpgo/tree/main/docs/sftp-subsystem.md): you can use SFTPGo as OpenSSH's SFTP subsystem. +- Performance analysis using built-in [profiler](https://github.com/drakkan/sftpgo/tree/main/docs/profiling.md). +- Configuration format is at your choice: JSON, TOML, YAML, HCL, envfile are supported. +- Log files are accurate and they are saved in the easily parsable JSON format ([more information](https://github.com/drakkan/sftpgo/tree/main/docs/logs.md)). +- SFTPGo supports a [plugin system](https://github.com/drakkan/sftpgo/tree/main/docs/plugins.md) and therefore can be extended using external plugins. +- Infrastructure as Code (IaC) support using the [Terraform provider](https://registry.terraform.io/providers/drakkan/sftpgo/latest). \ No newline at end of file diff --git a/apps/sftpgo/metadata/logo.jpg b/apps/sftpgo/metadata/logo.jpg new file mode 100644 index 0000000000000000000000000000000000000000..a7da90a6486c8b903e4d5763e2b6c27f5cea1f79 GIT binary patch literal 3155 zcmai$c{J1w7stmovS-U!i!#E{Bs-Cv#~6$$)ZkZUhR}#CMY253= z5Uz2${IED27LPk<^XD*e2VFS4AAXVGyGXc(^}};M{->BY3>J65#A|DxIb7NMfW`UY z4+a7@7}rjz!47)-*bP1!n%dJe&)#C!A2pak3VOW!Qi!*yqor<5rc-IMgQ?-!P(ol< zgiR~i8E`d>54f;?(^psL%x;)}O%U#3VGjXT|$s z=v}A^2qa|XU~PfEJ-%8f6#3lrXmZ2S$mOY;a#Y>4h4yF8LF`uV_f{tt>v|0z{HL)f zd;6cKvcLC!&3vVHwe?Q{NhpFuGokHZ2L_?*dnNfjU%W?_sKnA`V(r*>Gy0cN)`jq? zZuH90#owX>_$8{ETM9v~mwkf}gULv$nP~j9mKJzEt+Zh)nmhVG`}#D?VGQK4hLu^WV}`M%oL(3;~RsW5X9N!0hSA^ zA=BfGj$v#L@cO~D%({4j@;G~LHb$QoZuXg@014@0h@@9fA*;;=!EO4tmN!k%kTrhMBD(8|0L}&dpC%#_K#h%4BkA*3#+S23K8qz->{P;J9(|pb zVaF#KFh$TP*>VgyYLS@TkT{T!9fQZ<=@w1%Hq=1d7uWL!uI0l<2VqVc8`7mcDR*#` zaM{a#@Ct{)YQqhk!Yd2;fw`x;@H2X3+1pyjx-UzOP*n*)seKKCz$6*uo()k^Z1w{s$XYw9sbLmMGoemw~Fq(@@N<)v1MOxEt}QdRLd zBczZ=KQ~xCd5RZIm8qcX3 z&LIf*;tus((^S8f%9;Llk*&K)7gyJk`LaXM{%gzLa^jAX`q=!d1yZoEzkbo6T&d{(CF%f3+JAkX#2DaWor5kc@@&nLDK$65E;m3aaG+IO!KNhIKV_HY7vBV ztEys)5z=;9)?+D;v2Vw~#|&W^vU@K#QUi_j9R>|D3*GZj1}Vei;CmvF+bT7@3}9q- zlP8xEblKQ0_^PUDeyAzbafD5l{1!&o3fOb#=GImK_?aI- zG$gUJulPen@s##e?lLt`9Hk)XD#;@W?XsOJXKNSukq>}+nPMJdGE0T4(_7MY-^1Kn zTuR+rhE&`{ZSz#8{Hjv2$^F@RlP9FZNW1~D@S3&Tu0er1x%_z}qIu;APtBH>QFnsK zFUVy;fk!SYt<}4|BWI6(!FL8 z4p_dv{Opv28Gpdq+*3rQh`Uh1QT!YAH;w?DB&}InC!Mx?r6flJ67fW_bN?6jGlhq% zuW7Zj$Y)U5Ddb$!N1jVHsrRh(l9O?Sc>w!zGWE+Zt*?@p_{2?y=+7@78D&2{AOV|uUlfsCwi<5|2fPT9U6@whF+CuRS&|?<2@RFZ zP{ce}s91_Vsy;ng zEk!z6>S8)vth%IVfGb%wQ*}oW-V%yJzvn8k3P0XyVNZO8nUX2il@cgynLJ`}Qs=Zq z5S-Cnts){NJ}36JE-`W7Xl_cSeI9Na*w8xi#0Cy1+J~sQ`bJ6txW%D9J5f<#muLCrcs!@ksa}r!Xn9vJmigg9C|5` z645x+cy*$k2RO)4tx>QEyND1HpA18q^IuZL<`=Amly`W?Z(;5*w_>=da`(g@9gY2N_N@-01OAGpro zDlQmW@`K0l3Z2gV&yT?+a$!2O&nltJicaFT12MTR~Crw;9(&AN)vN^92L_brG0EEZ$SJlH?E!%rst>6x3GxgsY$IsX1 zSh7yltE}5UvB3sQlEQM7o7LPuc49Ai6WxYXhvl*iW?$zBDGmRjGr9@m^wrajD8G$& z*bqh;tqk4eH&@No@Rj!}QMNg^8ygsBW<6S_L$uQ+-}Jw0_SmmW{iFNkUCXl3i(wXT zlzWpf+u=t_E#^?V4usgB1CQgqjsJ!$ysNCKp4Xvnb348ve`fxRr0~Nq`V-$YLEOhk z;{Uv6S`*+LEVloUq!xRe^E*DaEsT@l6Z|tHXe;#Rt3tK50~V*5+hm<*DZ`kF-ssVU zfMXm-n-yqPXNXZf$|hCNEKdsC*04=!NOpM2j<{9Z6VYHd8@0UYou9Ppk{H1V)KUv> zu(N1$m-PCHtnZj83f_0s)c0qesS@&m>X93p8-;P99bnDPRo{^{MbGu(m2jULCNTG9 z-zhBC+;MY%@4D`03)X>%@NE_uhXMXIJ>9*!d6Pw`ou1wsi0ggT%@aSaGI_Nj zKP@q^e*YS}r%BZJLP14Et>zk$2t$M&GbvGDQFZi1_M6LfaY1|UG`oKB z%D~dQcM?N;iT76>Di;rl>&f3w@2_k<^U>Pe8YOe_R1QzqG#pHNME<_RnXF~~*fP?F zRK}FYG<}g+b>A^W)vf~*t0{Y12Bv)bMjdZ`B0vw3(tkx&?QHDdDf9Y4uerbGrh1oC zHyjtkfw6j%S6-^!V~e?Gu-3g2Y}^x9pV=*?KC2Dwm^MG(NqBqPwDBp1U3*`XL8#6A zeUHNw*~OQi&uV0ExyLCY<5r&qcO}VfZ`Ac}Dw@(a=70DYWSDUXZ-?uAyCXhFt;N`x z_HECM2Baxx+!u{PAgS9K3Y2^$(UW1;a+`)}+P2~OD+B*TAC>}ppEs5fxOIHVW8!`+ z%W{S?IOooY09DXUcX+CYCF1%;C+5On9yvF33aOXM7sGU7B@WRS{tpAolYjFsL;MZy TJs$pY2-_eB8>BVW5=i(r6`Si} literal 0 HcmV?d00001 From 6f389fc56ac667a378f82938790a26dad77e6816 Mon Sep 17 00:00:00 2001 From: Nicolas Meienberger Date: Thu, 10 Aug 2023 00:12:58 +0200 Subject: [PATCH 2/2] chore(sftpgo): fix logo backgroud --- apps/sftpgo/metadata/logo.jpg | Bin 3155 -> 15053 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/apps/sftpgo/metadata/logo.jpg b/apps/sftpgo/metadata/logo.jpg index a7da90a6486c8b903e4d5763e2b6c27f5cea1f79..8c3381de86a0bc46a5ced01a564aa05ec9e383e3 100644 GIT binary patch literal 15053 zcmeHt2UJtp+IG~jj0Fb)Q3Q0t2%-XpPy-1wN>M2hA%@OCfY1_JAausDAT@(XZ&y%S zAV>`%6qOQz00S|!1dvYXRXY4}%DuyU-tx^_|N8%Lt?!%#+3((O+wa-WF6TYF-MfQ; zGaB9wb^ySwTbBVx0ROmlrvbd`o+u|Dz&^ki+-g+-V0ZAqeR~|v6(S>p^^mr*aj~|Q zM!8^QyscbiK+@M_0IF)YBfq<5E!IZ~emK@zQv(w2M1h2BfU4EOSj(Mpjme%OU0AgT+~S zOJP04e%GLG>w$82aK$;eU@v^qXl3oU&i>j9jH|Bh-xYs0U>MA&uKmL8fxBz_ z4>vx`?P2KSYAbWs*2Bfq9c9a97yDh98@_*S=o2H?8wlLpf%{ynoYh@Wo)}v!?v^?f z$Ze6faj=2N%gLdXm8`iDQ<9aFl2b-0NhvAY$Vyo&$jU1z$jd6&+Q|K`=X3J1>KfPN zl&;CiYRW2rKpGm?6_u2~yCHu=NkjQNO|Yiy@3ObB9ylv3%Jz5L4qV&6$%6l-EaZl} ztrgD2-O$Cw`S*cv$KD0!;$iRNdO=oB`r3s{x>hI$?57&ZPfzLBPOICxJ9ydJXu7*# zF8mT^h{I=G_|LlktGvx$4WA6xDVa}WDV#u8fmfcwZ z&o2-F*u3U~a^Efs@DOn5i!Z)7_{E`v2M>LDi2HZ!$e}|=jvYUG^w`m($GWq*8uYl0s8~)S6?rQ+=k^O-E zfCKw@0sDFP9pK%!TL;MC&K&#qAK3SgIR$X=(7wY5zBsafAGhTI_uoG*Zp(o$_8vmo2zO~$L zFW@-Wzx})icmZmFm7D)?=YLE8qavU*Ytu~@>N2}wUepO`?sEXQFRV_(jYV%ctsAZS zZYy+e?nvYjzDc_xI?gGh4J<%ye7@nfsOgr$b^#$%VvQ0_G|C31aCPgG5bPebje#N5 z4EerWytP<38<^xAunXYp)Ore!A$TmaP;+akMXFEz^Ze2>S?7c5R-#6tM^Wtm+|1eT zXpoLs1Ug-*3K?~ab5-w(^H^xQuf)CX__&C(wmy zN3=tSKz?oDyDEgCN$P0z6GkS2gv3{ENe+JLta`bt!QWQU132pMn2@k)%jX=MS~MN1 z4hxWK?MktoVjO-+>2;FGJgMzb(h1iQjU9K$OO1z0wK9yM*L+P=GK+k_UnZ;Q+AP1} zV7(F>IS)G6GxE`&7Xyx(Oo1DYl+4mHMUn&Bq+8q&g5q+6FBU>PKaAVbV5gYT1XHc> zt4S7fF4FPoW6uVrB6Ezrp$(KuiMQ`kwS*joMNZw4xbW}7un)}32YxH|G9=}QA-Sr- zU8Y5@Z5`+OWF5gXPERIxKwl*feZSmgDQ5!e{(~;%tNkRVn>pW$x~WsE+AV0K$tBvuy_KK19HJN<6lFrGPa0$n2a-zD2qm&5I+t;Yvw6oGcb zy7iPZ%ElnQ(%8IsC;N_j5d~i41h`iqrkfMVBtBqYNtEN*sEI`=jcyS=0{jhrzkUXCNx)>|igA0oYXq+3r`84x+Q)06f>bT9uW>NLz~f-=7qb{@sKL>e4PHRAnY z57T~`_?q9*_u%vB+r$5fI7o@wj{ zcx5PqXlb(xa1#uWnBT;0z;Y69cNMyz`Bz1r({=&Y;F>s}{_0S*9ztPC%1ps#Xdz<5 zp6z-$o!)jX3VOm=g`cz5%=8QQsdbz-qm{Un^N-EMajLMWa4j9b`A023uFbs6P=Bl% zW#1_hmH^UOh%G1f=R43vm8_jNOJ^$bAS8qxZcaV(npc?33sWSI9`0VRJz*E{YR$5F zaL66sSD8m1AM z@Ec{aQ*Z;zT|l=#Y(-xsz=Q#Y!>tV_@^@Ng3L_GJH~+cbG@>^{SbhtFu9rjoJgxl% zDqp4*lA6hvy%U2hzI`CQ2zh`P0of4FiNe zFI*_oTm1$b5fWQ7W+~)@x398*DNqvl=ToQWLvFim>ghz~t=%BVD8$SY1nvfvhqs`0 zD{zxTGaHw70cgeU*18}!<@Q~`Qo^SS)HK>QIL<$?d#S*HP+^n|$xQ){EJWBgrWK9k zIToCQ~eLBly`$GVEE#)w)wz9&wiW^lME-g_E!U;>OFnmoIPIKlJmWt5V z3kXTSJVDgs2{-0Mv!swT#}(~0d`l0TOjlYlrGOqq8R`eVZ)+LuY;POtl2+aY*gFr~ zC7NzQ&n3la;Pib5ex||$(|i#}yBd{cmyj^Tz*uEdCdARqTdnCUGlG9cSqlNzcR4rt z7%b6#_+He{ebMp`vvHxQBpklxLuJ>xQv;+G{JmjblFgfb&+&++E#>u44ma(HLSrJ30y zkq#6M`SxJ2u3J7h%aDRj3RPtVLO;6iqQlx^n#Ti1kp5m(#GWiSk@C&A0#CaQrc#m5jrfH;rte4L4Tv}M1r!+<$#|j7_v6AySYePD zA22-6WUN&qr!z5U5K>MN(omOlGNHH$}m`dZgX_T^F#z7dL&|i^LBfM@uM1f!1p8m=v2gm$1k>eN|@j zPlgSf0?{|S8qa=Jh+6Y&iOa8lS3g^~tUg72%HGl+8xVGCi=M6F@hM8Q3!D>%#77Q> zc?C-Se0I~zLSUUnFIFJY3>y+RTXSu~G)rT{?pfnv8|E$37QOO^BBCK9UH4<4EU@8J zU#>os^++&_R6XG}zs|?UNhPSarkJ5}5$f*&4X=(*eL~G&0u$scli3&VM?A%ZNwX6v z*a~z;W#WwfE`azTVcLG{W@cWvqvM7=QU@MmS941pnFqBkp1Fs?oWXUcUm`1T;%8|* zj|8P}CFv1GuDrN0C*eY*LR35HbV>GHGhPuB`B94M=5bl6cd&k-b|jEmx2{|~w1U*k zE*(@RSUw-?iC@NKwtj+TtjbO`LQmP^3^Th(Y026oz9aEuK^Ys)| zrU2dM>~m&C2&Ceo!{LLX^Oh?Tj0|*DMW^h?I0j9ln)^BOJj?qgrxd&Tifz%t9ZG_VgeJe(crQ+{HmA0zgft{ z^vWBvihPXUBk=O2_4Xs!1#=8C=upsEr%3x&N)la}Jd4}76&f%?6N)l(;}P!cWJm>n zz)KFJ*)^3TtgtAjNAanU+Y*(Fb`^I;DvyKIo{@EC7+LpHLg(@&Gcw}tBS3k$6=-K0 z_=Lj{S(??@gNB3!)uYB07gs?8or2)c%6;NXN!1uNGBW|Kc6ytN1XA&m@$s2{ z_k>X4sg5fZdzo*}WL{A{uz5}VDP4N|PF z&Vn*X7nfxL$If5HnXLtC5DJ%{Azc^YSC72jv-W)U>@;D=fHuZe6iRsviMM;Wjcz5K zUSp?=SD;9^$=j~7^|I>CglIUzcDy??SAt@Q$C{>yLx!v{*9*3ahqb`Y@g-LM>0nU) zJh`9qM8jQ0Q#CrzTf10Lff*rDk9)oI;bT}|ug9w~c3VfTQbs}doM?|Hvb?L6Z!;() zIjX!%gk5mMYz6VAF`7J<6&>JXG&5E{)Md9LXHj3HJ7plWnw=6TaU$Is7mrh)Y8Rw< zmg$eRDgKHYX<;sEq`9bpAMgpb?yJc@zVkoM`leb#QSCPx#)Bb5>9V^kcL7aj1t$v8kiFNw1^q;%*70ha;^9FTzHn6&3E6B4luwc<)0dw*X+6VF zD{`&z(5m~J%_sIEwqs!_fdYLG{Aeb&tWS--SmUE6}Z7S=F}F7Scc;K)q zw4oq@yQ^srh!R|ILG>jeXIhfpFV{6h^Mv+_%M;ExCUThNTgS)Q6-8NbipQeeLn7R; z2uNFH!D=MGdSKHoU`66h8+fhR`*wNEUpoN0T9OAITi^N)dxj4zuO-^K(L=Jz_bGlG z4sD$=HbMljE|cUL!jcI(Zhk2_LZ%JE%H>fmXC|N9ty#4gG3f?a>2~!oBpHW zn|P^#+}Y!FjcMO3quI?!nB}1aB4g2|_FWlw*LLzdy5dgnC7b`vg$6t&~|gm<=FalzNoopCk$6J($W20Bc78T>&upFh;ez8rZt_; zIX#uI1~-6Q^toH#PFZu94P;>ahLC;c)` zF)e-v&BxD!28B64qhv|R7`h|tm$h^6HVzF=HzK~z5gyoSPury67Xs$TT4v%B?c|f9 zScW8ffvLDHi!l*`Gr4ToG@YnWZUF8GZ|f}_A?Mn55fU6Vf12wWu8~6u=_dKgYuVDM z1Ks9=mEMJPYOIv^LSLc4d~U8U4qM;5(BV1R6=*vnBpIXIG}R$bnrZA1%e1o6Kx#w8=BwdI9lBO4F%vRg@>ujic;d{OAJ&hNXY{12;JLx_)Vp24q>JTNY9Iv+ zc1LA8rm7w7IfBeky*f%a(=#Xx>?>bhKM$cMx}_jQM^iDes3tyt9XEa>@T*yUp@yiQ zx5A#q{_o>PaeLKuhY@pCLl`{q&b!z0`V*81Tu`zs+4DD1E=!e?mFIYizV)occmV zsnXProGAph3)L*jwpwd%R_=){%n-_TtTHsvHE8FP-u##x6XEHBOuChFj>l_uo1Y19 z&jn_$>BGp_$k=;b>g^yzg(JaB-Z{VDE*Gh|Slu31W}{1Yw5MPba{F+a(R^R>NQkeL zcvFh4^Jtons^DH%va+aP(OV|ZPsn`djrYR3-;=K5&AXn}76HEP6tOj!r98foCG#;> zRB-X3rP#m~{EtcZM8|^^!jt&>LnS*?mz^>mRN9mR<>KInqA;Eq_?lhI`njNuwdV{;Ko6+{{rWh4fKX2O?Fd7E#>q-#;wkrDxF2 z+dYo?4KnmnWauuSV|5qc$OkRnsO4^79fVKPtOFO*BJ3Jxp6UA5cC)lL^#o__*Pb0u zJDst*eGmP-|^G*p8 z7As8-j;V75bipG$l<>v+<54%A5d&TDj+7|65=9V4J-~ET-L8INK5Lo&SR+_i%OA;o9S zKRmeI(QnDx(G~Qu6cZH}r+U&`p#BKbs<~|4ORE2lkW2#0-y*Z(a)doeE?31$&~#!t zF}FuJxVfYS5zrKY4xbOU@o>kstNJ<XTIOB2%w49IgI46#8viymLHw9CZ1Vi*3L#je zi2`=nezNuqi~m?uPy2XX3zwccUD96EqBtz)P=@;GtIjPl8>3adNw2C=Xen-@RYbH_i%%~-z@KwYgL^IO zLT9r>Zq9FdZkw=bwWI^haUDYLW5qgC4Y^ruvajAsPE_A~O$l!7#+gOVAQ%G-cD$i7 zdByJ8*ip_+2R)yioaXJ9(T}#C3%pxxMg?J?)eW#cH?mVVcL7K=b_u%+xS?fD%{9I8 zb9=X=Jzf8+*BghmTz3I_Srw|y2=9VznV^r)!7Q~rCFRtHsMlLw5_6JkozAH}>Roxz zh?1a^!N4&>$hVENY3s(4?a8en)&+N8cm!=~2F;ER)UVbiDVAB-|9)uM$0;~kC`oNJ zLM;3D$0$-vbvjaqXgjWD4FftW=WZQR6wVys%2KOx#Ksm3?S!_Y|%@zxqa^rE*z?BgOWl$Si0Ds@JxN0@qc z)g$&R76VCk5-|j?7YirTq~@Z}s05Y_8bG=X=M!J5y#BCL(A1~TPSq-S3%R^SEw#b2 z`o#}H!3YFWWE+xULB@++MZM@X>&{UqQHOq6Ipgb$SJ*&J7|(KM>nlz{Jm~?B-h=Et!!j)tYnO*^MMVpyI<-Oj&`Z)W| za0I4P-#>4`rvoCkrPy15H5+|^?E}m8606K;_mWMik8ft4bs9Ecdi&PqiWLD>L$AL9 zy!%VXnW+(0A}2mL`za!yu|IK$h?ktxH`77DDbk^qnnXkfg;5*Od_a24t_SNfWR{Ri z#4UFeyKX+h2${asS6(aT%fsE3L0P8bYOE_9BXdG-)u;PvM_T){14E(a7Prv%$*ImWE<3O7rgOnb|F78|#Zp+6KG9&F_w_gr457{bbMvqLd7Dln#56l@=~S2FS)k|=pAIGMsa2CGKXbNl5z8Qg+6~RZo;No>Vah0{eI-VRt{0A&G$dh*%}rrA10klIUKG#l)g9OI zmh<72EIg)9tb^7k4Hv4AjA@WHsI5OBSJnn!)5VSo6CP>wiidKtBII3Tz!V)lhjwWF z$LoVHl+3R_5YT*eguZ3WO}BQijJ@OaDK*dBR_R9zU1(l2su=UBkehBk2BE#RNeX8w z9i+sn7P*r}aer=D`HFcd-x8J~EPmQdmF^?lsH1YrjntZDZq29wJygCDJUWLqLQi#3qpz| z0tCH7^w@kjmLk?0KkSAQc7oo6)}G4l%$M(aS+A|wE96pllEZ1H~9Pv_u$WBe#=0UzEp`8$oqpvs2{apS8H~b(rxPN4^?b4q8Ku#N}Jy@E==( zeb@yI!h;a=rre1XiJOj%sm~%XQqO2k-s;f9gId9Iiwz>i3DE+xKD@amYj4J`!ZuD3z4?j!Jv^b5--X z08Z!Z#fmI4^+aK6dxwRDFg$uF72Z=*|Hx$*V1ynS@L2A$i99KTDPQ7qI^72r3FvmL zc7hxGl9UMFRGqd?#7#uDW~P{mm?g{HTrmY*o9yi=Oed{)NihxEbQpXx9#8Q;%h%z8 zr|Z*}^YyX5n}xhYM853mSJRb60DzK=$y^=H>Am);u&PphcO2;nDS?xj-FXhUp{i@P z#QAV4{qEN16WP=9 zXG5*-FCW(hU8vK)34ZadEH?xH;wH@QNy7e1PY(YKSWg6g8~XkEZ@KT8>gu@lec%p9 z(a^{S&y!kktL%*@?e~A$w8gf^y#hl<_cbZ}?h$r=8Nu?wc*A$!jZ!-7$A>Y}L=J}-8TBe?G&a4Ci@jH8wQiJV!w0pAk3jGu%* z?K%>_m>RMJGb%Ng;QQO3RO}@^tWoS5uS@Cjxu&nIlH)>aEzF{fI+12NzHSQ>rSLTr zp}Nwlob}Ykyg8beQe|h?Z-l+Ng95(Tlyh@DMp)7aO z>-V#WZlRPW>Vf}+g?h&kZ-X|Vex1`te1-Z?B>qFY(?gh^vjPs-kX#kt=Zps-(N}k_ zF`}VPOb3<%)d=UL2AN)F?gHL+z5ReZ9<*^|d_?coE`VpLivFh<0gfYd|3L};;jI)(`~cD^cS=SSezjIeuI1Bv!E3iR=4fFsKZuU{02#FBTZ3!iuN#Rhf}?Da9X!@ z?q%U=yIhBf4o?{I@H5_)cWl^OR+VK+8u3jbSCQW_>`I`=q27xoayUQyc>wLDg&xq_mgk|9)v|Df=rj9@Di7}vt2RT{-c0cB`J!&G z)PJG&Wvlw{0^kSwiNoJ4Ie>mRcja}^Bz2%XEnM{ezxjx1uP&}XEq+P<>N@m#6Lr67 zZ4e*$0|Pg+UaGEROuRMmVM+N4)!EIxZQCY=svzIVG=ny%Vesf7yIp{>v)X=pQmS*6 zfPq}w-x4|kR?AaN?27qbG!VX(eZAMrzof3HGFsP6<>igZFWD_h`XchHbk|**3lQL4eBn)5*|Ig96RBBgo6ZZAt)%{RVUG)+Cywwq zkDDjO76wRTT331^>JcQf1OLe{oRHuT zyq2Ai@G~<-eqLjaO-raA$dVBUCNRdh53O$H>*4{XPs|kAEraI_L3uLF5&y}bS&Yh~ zz8crUI7eJA(|krHpwX_Z!_%oHRQ9eD%wcm!Wwf`-oKl-H)|w*O#4-x;-&9c37^7+r zugqOp#Q7LA^S1q(wo*h5?)>Rje?^Oc-&`1|&7kZ^NrYrqEe402J1NVYa7HM|ZseJ9 zhL4w<*JAPuGd>U=f+A$3Lk*&R`t4mg9nB=nYy#b;J&B z@>@*ZB>A+r<1&5#07UxIa7`@yv9s}A;(g8X8v2G_P7P;7Nu%2hc&WIPFkg2m1GCM= zX35WZ`iH9Xf-@Q{`QC(%E13>m0}=a1^>DqiA6ur3=lLo`lR`6R^}lqgZ?oI*MeJ2nFhie z%~=LtDh?-dICoBJF4s&;(4o_@Ox=-&lEof#GG8zxAAmil1M=twvh5bgXvdW0-dS z*+h@<%Ry!(gwxF4Bx7mkyh_#!=Qc@Os&JJn=Czf&!wkY(!SW|hI+WB^{yQrtV2x_s z(%mt`-^JVB|0Gr%XhC#{d>Yv}8t_0oC- znUv1(qd;G8rrDM!Xn|AAq(=HoIovj?YbX>lF4ZmH1vCK9UAY+rD^< literal 3155 zcmai$c{J1w7stmovS-U!i!#E{Bs-Cv#~6$$)ZkZUhR}#CMY253= z5Uz2${IED27LPk<^XD*e2VFS4AAXVGyGXc(^}};M{->BY3>J65#A|DxIb7NMfW`UY z4+a7@7}rjz!47)-*bP1!n%dJe&)#C!A2pak3VOW!Qi!*yqor<5rc-IMgQ?-!P(ol< zgiR~i8E`d>54f;?(^psL%x;)}O%U#3VGjXT|$s z=v}A^2qa|XU~PfEJ-%8f6#3lrXmZ2S$mOY;a#Y>4h4yF8LF`uV_f{tt>v|0z{HL)f zd;6cKvcLC!&3vVHwe?Q{NhpFuGokHZ2L_?*dnNfjU%W?_sKnA`V(r*>Gy0cN)`jq? zZuH90#owX>_$8{ETM9v~mwkf}gULv$nP~j9mKJzEt+Zh)nmhVG`}#D?VGQK4hLu^WV}`M%oL(3;~RsW5X9N!0hSA^ zA=BfGj$v#L@cO~D%({4j@;G~LHb$QoZuXg@014@0h@@9fA*;;=!EO4tmN!k%kTrhMBD(8|0L}&dpC%#_K#h%4BkA*3#+S23K8qz->{P;J9(|pb zVaF#KFh$TP*>VgyYLS@TkT{T!9fQZ<=@w1%Hq=1d7uWL!uI0l<2VqVc8`7mcDR*#` zaM{a#@Ct{)YQqhk!Yd2;fw`x;@H2X3+1pyjx-UzOP*n*)seKKCz$6*uo()k^Z1w{s$XYw9sbLmMGoemw~Fq(@@N<)v1MOxEt}QdRLd zBczZ=KQ~xCd5RZIm8qcX3 z&LIf*;tus((^S8f%9;Llk*&K)7gyJk`LaXM{%gzLa^jAX`q=!d1yZoEzkbo6T&d{(CF%f3+JAkX#2DaWor5kc@@&nLDK$65E;m3aaG+IO!KNhIKV_HY7vBV ztEys)5z=;9)?+D;v2Vw~#|&W^vU@K#QUi_j9R>|D3*GZj1}Vei;CmvF+bT7@3}9q- zlP8xEblKQ0_^PUDeyAzbafD5l{1!&o3fOb#=GImK_?aI- zG$gUJulPen@s##e?lLt`9Hk)XD#;@W?XsOJXKNSukq>}+nPMJdGE0T4(_7MY-^1Kn zTuR+rhE&`{ZSz#8{Hjv2$^F@RlP9FZNW1~D@S3&Tu0er1x%_z}qIu;APtBH>QFnsK zFUVy;fk!SYt<}4|BWI6(!FL8 z4p_dv{Opv28Gpdq+*3rQh`Uh1QT!YAH;w?DB&}InC!Mx?r6flJ67fW_bN?6jGlhq% zuW7Zj$Y)U5Ddb$!N1jVHsrRh(l9O?Sc>w!zGWE+Zt*?@p_{2?y=+7@78D&2{AOV|uUlfsCwi<5|2fPT9U6@whF+CuRS&|?<2@RFZ zP{ce}s91_Vsy;ng zEk!z6>S8)vth%IVfGb%wQ*}oW-V%yJzvn8k3P0XyVNZO8nUX2il@cgynLJ`}Qs=Zq z5S-Cnts){NJ}36JE-`W7Xl_cSeI9Na*w8xi#0Cy1+J~sQ`bJ6txW%D9J5f<#muLCrcs!@ksa}r!Xn9vJmigg9C|5` z645x+cy*$k2RO)4tx>QEyND1HpA18q^IuZL<`=Amly`W?Z(;5*w_>=da`(g@9gY2N_N@-01OAGpro zDlQmW@`K0l3Z2gV&yT?+a$!2O&nltJicaFT12MTR~Crw;9(&AN)vN^92L_brG0EEZ$SJlH?E!%rst>6x3GxgsY$IsX1 zSh7yltE}5UvB3sQlEQM7o7LPuc49Ai6WxYXhvl*iW?$zBDGmRjGr9@m^wrajD8G$& z*bqh;tqk4eH&@No@Rj!}QMNg^8ygsBW<6S_L$uQ+-}Jw0_SmmW{iFNkUCXl3i(wXT zlzWpf+u=t_E#^?V4usgB1CQgqjsJ!$ysNCKp4Xvnb348ve`fxRr0~Nq`V-$YLEOhk z;{Uv6S`*+LEVloUq!xRe^E*DaEsT@l6Z|tHXe;#Rt3tK50~V*5+hm<*DZ`kF-ssVU zfMXm-n-yqPXNXZf$|hCNEKdsC*04=!NOpM2j<{9Z6VYHd8@0UYou9Ppk{H1V)KUv> zu(N1$m-PCHtnZj83f_0s)c0qesS@&m>X93p8-;P99bnDPRo{^{MbGu(m2jULCNTG9 z-zhBC+;MY%@4D`03)X>%@NE_uhXMXIJ>9*!d6Pw`ou1wsi0ggT%@aSaGI_Nj zKP@q^e*YS}r%BZJLP14Et>zk$2t$M&GbvGDQFZi1_M6LfaY1|UG`oKB z%D~dQcM?N;iT76>Di;rl>&f3w@2_k<^U>Pe8YOe_R1QzqG#pHNME<_RnXF~~*fP?F zRK}FYG<}g+b>A^W)vf~*t0{Y12Bv)bMjdZ`B0vw3(tkx&?QHDdDf9Y4uerbGrh1oC zHyjtkfw6j%S6-^!V~e?Gu-3g2Y}^x9pV=*?KC2Dwm^MG(NqBqPwDBp1U3*`XL8#6A zeUHNw*~OQi&uV0ExyLCY<5r&qcO}VfZ`Ac}Dw@(a=70DYWSDUXZ-?uAyCXhFt;N`x z_HECM2Baxx+!u{PAgS9K3Y2^$(UW1;a+`)}+P2~OD+B*TAC>}ppEs5fxOIHVW8!`+ z%W{S?IOooY09DXUcX+CYCF1%;C+5On9yvF33aOXM7sGU7B@WRS{tpAolYjFsL;MZy TJs$pY2-_eB8>BVW5=i(r6`Si}