From 36171bcda49dbd3215ea94773ff260419e8ac632 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 22 Mar 2026 22:10:10 +0200
Subject: [PATCH] add htpasswd auth to private docker registry + expose at
 registry.viktorbarzin.me
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add auth.htpasswd section to config-private.yml
- Mount htpasswd file in registry-private container, fix healthcheck for 401
- Rename registry UI from registry.viktorbarzin.me → docker.viktorbarzin.me
- Add Docker CLI ingress at registry.viktorbarzin.me (HTTPS backend, no rate-limit, unlimited body)
- Add docker to cloudflare_proxied_names (registry stays non-proxied)
- Add Kyverno ClusterPolicy to sync registry-credentials secret to all namespaces
- Update infra provisioning to install apache2-utils and generate htpasswd from Vault
---
 config.tfvars                                 | Bin 9875 -> 9885 bytes
 modules/docker-registry/config-private.yml    |   4 +
 modules/docker-registry/docker-compose.yml    |   4 +-
 stacks/infra/main.tf                          |  14 ++-
 .../modules/kyverno/registry-credentials.tf   |  83 ++++++++++++++++++
 .../modules/reverse_proxy/main.tf             |  23 ++++-
 6 files changed, 123 insertions(+), 5 deletions(-)
 create mode 100644 stacks/kyverno/modules/kyverno/registry-credentials.tf

diff --git a/config.tfvars b/config.tfvars
index 804ef7b8029985093982ff226602c906006f54cc..9ec90c1f01c7c683f53dbe3967b365f3bf4ac04a 100644
GIT binary patch
literal 9885
zcmV;OCSutDM@dveQdv+`0Qy-I`2^dPUrOhoX5t4slqbcKxPAq0i5K@9bb&yht4pXL
z<q0;Kr6GL)!fi)n9HhJ@bhD+`q8?M%qpo$qzscND5i;HVUw0~|G39Ji^)nyTcnfe_
zY{@$eQ9B6MGBs~S5h8XQW}>{tn>;Z8e*N&r|0kz7^Q3$s>{bp<v{arr@L0gRp%OWV
zR!l<7%E8{+>sxbYSSTQNKOl6B6$h2pijDSSPL!8s?7cX+7g(ykzwPEaCL&XRV+asv
zcf-A}Zk7A4tGi0?7o08>cQT^0q!YWjh9e`@>36z^O1^ruVg}h6fE?$sc|2t|u{}K+
zfe|X4kxR#HH_S`t#dFE`oFrEou|vg8>C~Z%;$MlqKk>om*C@X1tt>qq8Dw^V=hpwH
zKFfm+WTy}52_*?y=3q?a*vGWY*011{P3?`s`Qbz(v!2@SV~KBf_tIGPGH#QV8_U{4
zOgz`Fv+L_&j^eVbEB5H`s_+d|yK=XKxJ>{SoAV5l<-SKebWofCdi8=pP9c-macbg*
zA0cp7%E}3fcy@c{!3K<Hm<(8qeJwK}DHK7nXJ|gGn`Um)R_;Vrbnl1an4;#~SfZlR
zW=+yXhm<1->w7`N-OotC@N*szw9hY3y{=cG;cl9h#b15g5HY#lX)@!(n%A&3>R`~S
z!{s)SmI9pA?lc^FLAG^nM7+I3L#o&EAX}bML;v>PL!&Z9KFWE#hC2l>6yy*Ly8dx_
z78@ii$(X8+`^W*L=$}z;?>dQ6FyW(Hnh<ylDFXc9CuYRwAYIU3#S&iFzhfU!%?4ah
zrv*-vXzHf*(q<4scT}+rX`4B${aba24UK+ocQ~eHi74>%gpvXDP4X<VI2Q3jBQ%Vz
z5%mTUN6Fm+t*CHeo|eAzsUyjHN`dLapw;u0dVnUn=67y?9j>sqr&0y^t^Fq}BgYE@
zHn~YLj)C&w%`M_9oW<c+K0{2}S^2H0?jS<rHWV;zF0DacHe@=NB#Y;HhQa=rg{OSt
zJ^`K4Su~M$Ah0vb1?P}5ILH@0c%@ssSI26xmUNov-lM7>;uyacmdh`=%wYZdxQBxX
z+r01^km7EWD;t;s%*84(<1#|<kuhXa%KQx}P5H%1w)8MYJvB8o$^99srVVnryRGa;
z$_P^(n@&ko7ft{%Kok!XzvNFJ^~g;zIEu03Vm4d(1Hp^}0yG7IJhf&6?lS)-Eh2i<
zG@Uwb(*FNo1e~v%`JRg*W+vJDxV(t!Li&IBR!Q(J8d5p*C&y;?!R}B6mo+?(N1JDX
z4V9ll$J*#VQXTSTP56Gwc^JUfgB;1$+J=5xlJ~bt=nx7T$lPE{4<?b4>+b^vA{r3!
zxaMK0%_@Eu=ZK)6W5UW;=h~>-7ME^!(#;P;9iK+Bc#uC7v|$d9v3G0doKH`qR8`L-
z9@2dsV9af|+?p`g=t^{)t$JSL3Tk1=*Kc<M#L-5zPQC=uU*%2-kFqFUWdy@)_{tC{
zMnR~HQz-fY>GvIhOzyk2w=qzZt^}c8H?Q*Yx8SgDsb3QZ%lj=y6vDKP&Wmtq;_m#+
z;9Tlh!s~-7^90|>$F;X+@Qy|A&-6nnZ5BIl@<#EacLrAKS7jMpRio@Yk*4hxFi8lJ
z&_FRGI?7`~BYQe5J$PZkFXC65w2RMrmfx8dSi2Kvb=`GE;xwitlm14w10q>5OS$Yb
zjrhj96(b6W5HqvT>`gG!1F^Y;QT)ApOEn)*(*JsXU|aB|QZo&V=a+9nu3C4uk=O_9
zBZ<MP-MLD8KoUGFDTXAlN8U>WRp|HA+bT@wz4HF6W2Ft$%;=*8*{<4X9U->y_3xlL
zddR7%wF{Q!yt9{no&JDbBAj2@?)6W|Nx@Fv304DN<<8sNsji%)@Fg=4*z<Z0Eg+NF
zI>yS@qmiIro2<2$=zmi&w0hQKckC7fyVcer2e;X<10DxVj#Z4sAnA({LQkO$F|f!t
zZ_sJss{N)m?lghw5ipVmSv^%pi}z6cJtkRi>G-+!jIxLp{l?NW=PjZX*^6?y3@emR
znE4H6m6}P=C#lG$Ri;mv_p|D(l%*y)p_oj|7N*ZOuA3^%_ggEMIJnb=?S@Qmou&fc
zHz)qgibjj6;p5Vr2a;ml)a_(IR(A|JfJBL2F$v4)Ke+8?4oe?df5&gx2fQeEb%Wn6
zB(noUQA`$zaUal)ONS9FiLGpGOF50KVHQL-;pmK)`NC2rq(i(Ft2n>y_7q?`S|#`x
zoxcQ4LWJRtKyiE^j*i^yO(bZ#GqdrT4+i<1Sbr~j23y&<MsRBg=*JK}m7|t55wVL4
zmg`h|q05F)ShTfy0W;A__+9&4w&Bj$rI%$cNQKuw!>~YsKiG=xr|??mZ;22JFv-XH
zi8!1Vzp|^<3NiXs-!q_UD~3T8C(R>*I;h%_j>EgqOavvnFO-$5R)hPAZ;R4za{ydm
zHHLL_o^}OA{%bVr)-P~ADlzSwXGDsek#S`-PTB(Z09>0zJ*-YFn@${3<&d&n^ryjg
zflSa#^<xJn|BG7kqF{EtA#X^z2@y^X$cW)*35Az|^4nwYxPti7nLSD0Cg~=Lw8s_9
zBlW&KTIN*Qk7&VSh^n>lzgjt41L9GuJxe^bp6>rRWf|jz(5<WPMljnBPz(AQkeriR
z*b2vSG+QUbw+uvEUllq>q_fW+E;{X!HFfGG(7d`U*vzk{lox1yT?YUi$Z#Vh{moIc
z$XbT*IHv;6!-!*R9}nTV2EwdK;$iLQj#~QqZIb4yW$*F%_st)u=Kbd92$TX`@LmcB
z+m6!)aOIPy)?u^}rB>=iZoj{k!|+ndRD~WZh(~gqay_#pBPCsgz!vOi&QTLSL&kvz
z2qXQr!9>iOH?L1$){b^AVLeEFWTE2mhzx?e%ZdH4sKZHm|3|j6Uy{6Xy1ppSgzx}E
z*}7(#vNP!s#G_2X$Ux$|#5<sI1IcQzaR#o!QKE%`XQ+@#u4>kHp7{?6*3Ni7IZr?<
zq_M5Pt`OMG#?pl<b)S;i1<@x9o<c_2>T`jmmhakpHAp3OG}AJ!RC-TK$(n%&kw|Cu
za4PZRsT@C^(lQ8nuiUO-I>BmzT-;;(25VXg1(KvvO4gIeKV{-7pKG}Y$!nbt->T;A
zI6XekpDV27)QJQ5>ilN!idU3a1xWqhJoZ@YS8SsKa2&nQm@jbE5G+48lk@V<j+1iE
zl(C!o)nxkh1@?{HZ<2Kv3jR#Luv<**?x-YX5!&6KFW}6L<32gaP=V)>yq3GF@JWcJ
zWl6~$DC>yBr4m5F=z+HT&@(dnZQY48M15|!ggo#3c@X^m9&IoKUFk}HJ$v&0BVcIe
z*xWb}8Usn~s+Rs9<5y})0yCKYMV>2b*;?*Cv(g^W!A^diLBd}Az!^wq5G~o2GpXck
z2U4wYIA$id@Vi3x^mvPib1TKLFll&)jjg`d`GPe-kjTxN?}BUcj_-?&FqeK=pQvp=
z`~aeWTO0<?$+e<DTY|oCcbSIhC+f0;O?IF$#hofM5~(C37CydY`6TECCpb9SW8_>{
zcckfa?qs^Dejx#R!N5XwsikW<xHrTq7)A*=(ccr9X@gv28=BKM#&`%uBpUpHfdS(e
z(~8NrObfzxtjIw1@b_b#JlVVx=0B~-TQTjg#NmBR#Hj&eVypyhT6-Yu9#F<jY>3f!
zumTPi-=X&JX8se=;vh;LCCk*O7r=W-2(U(H9xWjn*9+L4)?v}?Uje#yeIUc(Acr9e
zHEYUIs_#5RmzYl{c*KY2*93T79wPa!mpNIg`mnv($dK8JA~(Dos0K)ZXuWw+di&$f
zHhO4uNexk##QHp>YnFqYSDQea$DI~$JZSy3x%`|4LQ}<W&5W;<W<ak2$WXLu+Lwj`
z=<gv=2==rWA%#Kys$x*<Ve04wjjs}B>w15_4o&eVpL$U<=dUT|2)K=URjSP~I2tfz
zEbH(gHwogi3DEQSNV>8vp(gqHX0v2WV@E^Ly~PB%NL7`6`m8V;@>=W6V3;w4sS3?c
zwfGHHQ`UdWVAWy6C6*EShB&L!6D&hi163zxR6ku|MzRq|86sBN(o4^e_z3?oR6gyw
zrg>033L?Y4hrS;>c$22n@Lz38066fwxB+$p`Hr5sx)D-WgK|ouj}J#`fGgq68W!rj
zd@73us-mRj^9p4=XuFmlXZ<^Q_W1A%)+(j~k!uqtwG)Yeeb{DI4kW>eJY=@<YzsVq
zDhgC_y1@%7wBI~$xXR&CSdmYF8AVbiVFx?k#aHX+SXgTlV?+v9BN-=Glcx88;OHvM
zB8@Z9MX1pkO$#gq(O?rMyorRg-x|z8?oOwR8Ao1oBZBXHyXZ*Zktpu&2V3`QZ%0+n
z-}Q)B)QP-})9QKOrw3a?_88c@DeJqi#ke<4RCcmL2%3@pi8ZVt@9L=nwg+56KnCij
z&lni?N#vWcJQO&wZF2ulKSP;Ar8dZ}iK1gqNUhlH%{$1_ItWBiy5;9GfsvLlFdLTm
z*ZY=49N4_AK(ZI%YeptcNL+GR$^=)FzCZwS&$1M*g7)f5c+}7&GmE2fm9Y|6Z<XmL
z1ire0iRbzNkR3huD?zYodzwUU0ji6Zte~=EnO)5!8%PfI_Jg$_S`E<8CHLJ4hADBk
z11cC0w09BbW{RVs<%C%f@bld`28b{WOH8FUu{H)RW7`SGE%5bGE1hKG>$>oO6P8FL
z6wdu!N^51CJ2301m`5csj`!M+ux0Nhg&g^sPo`C+;VOXtn<eGH75l+OhMmHZYnw`h
znOWhyG&yt_|4{e%v98!CXsSBCPtol?Om~w%Hu$#AZg|ndB7P6!2cv}H9jpv=(l*<p
z8f(TZqd}hC+&pXPe<rrko4Ou4C%PyeGR=hV7XIziaarU7EsxadbjuED(Tte|se3$>
zi%18qW31`u`S{BI<CnUwnatS@W%>p`iG8;Wp0a<ncg|?X{w3l-(7`Y@IS_0{8gTYZ
zR2}V{GgxU`j_O)sM>E<S@WM76$3Oh;`bS2?3KR2tOgy_jzQatcTKz?Lj`~$n9$$MN
zqJDRa#(Q$_r4aUH%LpF@kR!a|**$_h;Zya4h&8V91#{GWli+SXraNI?Th@*5z0P29
z^RaQ(tB~aoIN%ay2;Om1Wi{dStV{<@G!Zk^pP6!=nVc}#<_9CGPp6-FJKt;6&x{4i
zyWo6J*(G{#z*z-Cw8cS-15-xUgCY$(9u=gx!1_T{U}W<Q3l$*6XifR&0@Q&-j}TmD
zB=KrQ3R@mx+Eh}lke>)gt?Uu>ocRPM?F~bT3;#Az1lbgOA4(vZ@_c$gaLKJ0RK|k-
zP^cn9=N?y2LOq^wv&H)>IEEzFw(o`l=8O}y%)_zPFD++Q@)VroYAUe&DAZ(c?e&^f
zBrtzcp5vpF+TXwCe1LpQgW>XUtz}(o8XARrqWr5(qeMw$p(#PiOIOGRJt_vjLUHB^
zeApMImc8$|;?jdVD20}2Z8>6{7`!Ly6|{C=U6DD`6b~eE;agPb)PA`U{gX;^b?CUv
z*xryNh{JymU3DL{rq19E_X;Dp$;TUdXG-0ctvV6b+XncI-)B=C!YUX*fxs)q*5U`u
zzKJ{4_c<MA2X`XCF&pIgM@LoJBzBBCOF*0?Zo%vFg3-OQdB^HBbLs`9!QK5B53O}k
zg;yv0$J^{9cgHA;xrAynMU@iZp!Ll}cpMl(>jmvSC#j|cy$Mwu$4LE00a;uk!W7CI
zw@9Z8QGUueq#B^SIc)T&O9`9oX+H%16N?ff!vhqpP<v{v{E_KlyO9W4E?YocG!|(|
zpb5KMALPfVU#W#4f3`^{l1~q50DtU1Mm=aNZ=SFqMBO;aeHAnyLcJ`VWh$2$kc-oU
z?AZy{oX<x7sLS!R<0Z~*w}$`N!4F;{l?Pu`JyW^je(+(cQcVh}mIfj7@ySmf_ULV<
z?|j6yMj@lnfy+cKcP@(vRLmY4rd$yOv9c`vVA7^tm2&WF#nJ&G!%m|6PylT3TzUEh
zu5kO#ccczoZ=Q%UDgy}UM8}68uE%F_eaUM8UyivL0tmwofUHOI=f#0}LM~CMFI_ny
z`}@>^3A9Lrrij(eH5IkfEnq|^uo|;iohxCOw<Curk}8!)=%)Gm^kZWJeBuYOZ`mpM
zw8E+O)Cl($aRLj!lJN~ah`LuuW(l`AvKZu<)=ptE(IpPvpbKWL<A;2AYC+yd2|2qv
zQP)BPSHc2>WLkQ=jEA9%=?=Om;&w)Cyop4m#-z$cwF1>mmMn2?zaI4FtX<}nPqKMZ
zgOWkHB2jdz<-G8=Os~4*Vb1!IRv_uAT}7Df1ZFWx)y0+5Nb_tUGy}wQuXLGClUsPB
z22u@k<OI%54!(QTOeNOM{%b<ZZdFQUJXz|7*jQ!<rnwXx82`*Yhks|)9orU7@V}@M
zobN_f9IPkQDd3)=ujZ$2O&6}k8HTroeZ1jGKr)ve%9R{>@#Hql{l+=JhQ(H34PmM=
zn*#01_pa(6f>0S0I1l?ns&SgkIp*W?YPP!MpLl&CjBK-Hgtya^r}F<h0(e*l3~6{h
zic<30d(~qk#e#BAr841#GNoV%w{9|=(#e-hKP*~U5fFv4o8Fsy;J3FnV#3V`(np&p
z<s7oq1(4XhRokO4xBT?UtXm9$v`<7oB%7YC0~Dh7b=L`tu_4+mB%h7xbBv+aC?$jU
z4W?cD1LezL&rW@SAD1F7K$_1RDK?($rraRg@Y#Esk4^k&5(LvP@g7lU@%sLmV$Yq5
zO_W~lFCWU5HCyM@c<WEK<|q2HLB>lr%x(j2=wJ(`OM@Pm#Hu42^EJpa&RsbEK_QCz
z`lMV%Q>RV>4$E1B33BUwyLLMnSthn5;hhJs;&qeDB*)-$@EmSO)n?qJ=MDNUi;3vc
z7P^pO+_w%>u~QmPPG}lDX=9n1qDPF{R$5YkbJ>);Gk4;Um;CMxcq#iLp2>3|<uhUo
zMT-94T`fvm7)nXAl0ww&>M~+tZ09K|Uu)6THFhS=mHdv8<vjYl5w(#(#)f;$8SBwt
z70YH195oGZZ`H2}mhjn^;2fym^N@g86p2&1%lHgUT;f`<Z1R-o{m>Rj+_`|})i3iU
zT*pc+@8%4SMzyZpgBqtB%hzFz8kAv9Y;)c+3gG!%KJ_stg1!EbPi;yM$*Ay{crjEx
z1lTaIl814VCu*<D5W9Z;V9Dbz!rkHXsL3|g&9L|%v{7~=RU&w6<~kkd)3!d=Cynso
zuqXIKHzd~J58i@-G5fneNEZsC_NrCe{AEs`=5^x?Z1+=3AK!-7Al4=$CkZ2(k1*CC
zqS5b}$*{K3N0$%Xil(_&qJQFwR5b|hXmP7NA4(m=i;1Vg)l<vt8aB1vlewZm&JIC2
zdK{TL1MX1UDuOeNJwmqqlMaK(NIGd=c=Ch|Yabz2-CVIP&ncfeo@RqVLzONDpT;KI
zv7USB^EcZg6m!_1ns6fbHCL|WB*#JcFU`A2YAd9Sb&}YD`mU<&x2nlxM*KC%3%e1(
z?CAN#o)M*Mr!Kmb(?~4XXXe#NgUnxnq#RM+*HqVxb=~LDegFn3@R1U9w>>eo?5Uu)
z)<=6M3?BIHdaH!*_yt&l^9OD7a)W|SJL#)SvgT)#$v$B@JY<+Z4Im^2k3)0zv<W5!
zB0(dCBa`E2ABOOG-Fi7e<SDT%IYC#@{sYU8-`Nbf6UsnC2mf|;8oL=rjg%U+UwN#u
zxRRoKjr1$0y&8lS)xa5dp?1{^_Wj*+siZLlr2i*tLc6LsFFhC)9;BnqceB@#0^ovX
zRT#curz`yPuOi5wMB+BnZN{0*aov;v%?H4AS*V*hbnETd7{Ry)H|Lz1C;)EVjTlo8
z^bpdwsWZp1Z~%=8Y8bxcYqw~;w|hIw(W46EHAkPM<xE%NJt)zPr)geCq|tkv6E%@E
zkX(Ej&_$7i;X-rj+>@NkCs0L}NN)79;_0U=?ptEU2Hkt|DgscXX5md-vA*Ob^@?MT
zhWAjEPZ7srBZV6KSd*z{{yq-wyUz}Qvquo!!xe!+`P*bK#<MTwcuM=uGj9yWcD7LO
zkKtfiK;v6I=2@oT*(J}usyE2*GEcy>0i<ezS0HX6ao5$-q<;>l!fL{y0e~EBg1rbz
z0fw*YHr@o9GWr|BWKIFme_SJ<?i~k+JZ50Gr$2VeDQQnC<|0N$P3i}~5ex?{TV)cT
zK-ZoJQ2vD8GfwIProQ2mJNrPGN_7+PKbNltd5gYT*eaN5f9T}CIHm893!~2gko5Ha
zomTvUgOU>#2D7O?2kFGNOm_*r3JVs*Xuu)6Wy&oWg`-Q|1Fm+7KVL9jMT?UJ7}Y;C
z=vPdb%S>tC7xw{&T(T&}*Viz%Ny7xl9Tcymz@tV4ucc;)<}M2nmU_|0+z#{wGZDFh
zo;DakTDKl{4RfV5gf7FM^A*LxCc<h);=-)XL?_BB)4{cTnGabpEANt=O;zFY0*zF@
zsrG4AhZjL(h+mf)=5e&Lh<KAfjo=qSeV7+3v#Ws5BvV&>MX2J=ZFFGXqNzhy6mP*X
z5A1k#$mqIZXJu1#71UZBk>;T@?>UTQ^p8(^(s8cO(k`urIBxWlwucv!IiP(Na1(i;
zSgU18+x`AbRoepH#3T=dgem+jMdY9IqUjyQ^~mQ&)TNtF;rTBkrD4^g<xCpnO_(z#
zH{lF9M@IyRT23>p@qFHounmt)m{V+2nup5STtithUK-Q^0J_S&AAvoaoYqT7Pv<Ci
zV%g&wknQFqdduZs%YhOlP0IU=){&WKjY!Z3h@61Mznr6<GTI`QOFGqKD(g)P&Y!r}
zuBpF}bLe_ixRKM}U6K>Kh{N?=GP;s&-N=Tt-(U{t+48hwiFXL=bQdzk<0}=F&HBFo
zG!++U;Y^u;EnS+uxrTMCzk>)p&!g2r#Rmo=6IQ@=hPz|MAw!{kjnh#GgoYipp5*qJ
z@lx)b1eo0)WpVDaD#yRrtR19&Ax&S1ls_tD2ykWsaL`%od1emDG@|7FQnAnls*(Ly
zG|&5lWbFe8L~e3C7TemN$_FmrjUwpI;`YOUYQLaCW-aeZ|3A}TvO5BWhB<TcwT&8S
zxBWWD@3rD_OUjgOxss#CyzI5Xja1-PUm3|&i1TVdy~gdD-TIw$zRtcxD)lgxNC$^U
zgz*S7JvKaDC3_FZN`v$+S!TPi?+n<i;2l6Xu>*$@7B$ih9-a1e9OP)mpwzGH8Ir^_
zi>o&RWwx@?udpe3H8nH8qB2KYC(YFSZ^{<5upO)Q{p+LVe-<3#96N*O!KZr8V2H0X
zPZ7=&uM(_ZQz67+gCL_Kl#vBxz1vT?Cr2z>fE3L`7ZKag$*>0muIJ0D<zb}Fb*a$Y
zv5w4&!2nc0m8lO=39IC4qgSU8>9ABEgIHiqV?@zQ85!XPK;l#QaMuN4r<!kMMs_3?
zaK-V^$F3|B)a;&&-dmtjfz!IfB7ONie@txF57TIS{$PIm_{C)OoC$lh5Hp(%2?}ns
zxutOAMV_79V)Ou6Md>YOv?>rjzh`(}QIJYHnnDBIL01E)&L}sbOaAJ!UY2pObeJXw
zh~UK`vKgIH_F(BLoatIrYzSvQY^i8!*)Xf3v!q@nx-aWSWrbtFv^NRZZV5%^tQ(>W
zmX|2L_yL)55{8pOs^?8;Xd0!D%;{iiKw5b&vxCd{*&r49{P;~H3H^EE9-gX+)7YI-
zuiuUBcO0_EGKq=PZrywQS%>ZFBvVC3cx(Xd9x+g<>(ZP>!yYCU(h<z2bK+dm1}mm=
z;cGc+B+N9PEZklSbfYoyL@eo^s9W;Ag<jtdtduDz)J;ni_FcB|=Mu;p708odqvcz)
zEwGjZ#As=ciRZ7Y!EfDtDS(3vZnWA#pX+4J^`*mj!-GWX^t>DaoOlo#>W#cIrins^
z;dVhZ{FEUJ+aq~L*c5kzq3f`rMj-;XW(k}d!_DW`2`WK)W+8CZ(O(Rtd{cjeBpCEd
zI#4%D6X7|F1N0_+qS6Gn@-`bOd=44hRNNrQ>Tw<@ye2!Q>MP<g{XnkxzOwx1$W(qN
ze5W9ON2LMCEk6^Z`cq_xgrHjT6xiZlzn4Bo76rb9>45@d*jN2SW@NuSvcl{MxS|@B
zG9(TJ;)|;V?fj2()MM`Qe^%MI>NdMP&e<)|xOfD^=30$!MbOi7#*x>`WuAEAd^4w-
zVoblq{5YMsVLWOKzOIJD!J)Lrp8~zDuhYvAqD_rfS#sWYoJw6HZxiy6&@MDtWVUBm
z)~ra7_rOb5{}(LeaP6b*WS-^S@zWgfr<FTaybB3@fj>v(v80Ec;pwNVvr$%qn%xtB
zB&I6yOB-3j+&C*l)Vsc(_#jcv3duUIcdB5`N`{8s`;m0oP|rA-G0CDMICFc8-N(Ut
zp{iCPh*by}QJ%0&BVwH!_PGsj%}k<4YLUr?&uzk2no(Zd+cOtBzQoS=?87|q)I*y=
zz+?tH==JG>F)jq4LAXE1>12hvUR(`2dXzKW4V&wtc`sgnL>OA-*C6Hq*Cn3jBNUt~
zVg=0p{jdchFo+&xvp-K%Z>d+5H_{gzdeGNd;=rV;5AQL(M!saOioB+9H<n+b+~|Y`
z68379u*fMGl5sEl3>g^bF+q{HWTW(JPvW{-h{6RuJLZ<Ut<R<jl!*+U65>1ah$1p}
zZaG_GjESXx18whj+Uwr{C<6?@LZZucEOA~Mqh76<(&+-Ty$$QPORCl)%@ej+Zrtz9
z($cq6nyJaE8>DO<xbq2GOXN^P&=sHHeUg6?aExz-fmK`oKA&xh<&hg5X_H};B40`s
zZ()wSQftRn{t_9QvkH&_=L%8H9GVBmQJ0dHj!<XTDOO_T1z#w7+(3Kv(PUQ!OI5pk
zF_NSiMPnh28$7GTPX5umQGKGU>HQLNvXPZ&KKv`FKqdD$Uu)*9({M*>n~JE6fH`qK
z=PV%QzEmX@C4>i#bQV{WLy7q>7HNG&^&B&_#9k3bt&Of35QYG5{(7=N?jab`c^e}0
zjkc|V?4XyUxiUA-FqHBzwd$}#b$kFKW4!O`^UJRK))UCwSOIEDU&W_>h1&~sFIG5#
z=m3xdcF8Ff`P8E)*o|&B`CXIT_p*^hKA35DVN=WGQLOI8>0O|)epC+5T$j_Zqwbic
z@Wp}f`YknIpzs3ZA?-Tf)V{DsDwpdG!~5ccO5(b$(AaHHyo9sC1=9zQoPx1NA@Ph4
z=6ASUbu7MR6~9D|`ZXrKvL^cBb&aJrQCNMhfhvv3UTMfyjzO2Yy_FATKJ2|l+|lxj
zXJiBq2&Az{AXDstdMXdZ{y(Lh+-n2qaW^9f>0V#V136O*@|vA@l)q;X50~ULBeb%!
zHKpUA1cS?_(ZL1cXh>88yx1YU^2ykc#Iq^j7Q?fFk^xLD<miI-Qf|G5On)Bk?%`y;
z6S|IA3tRxL>JRp-!E5K>=5Z5X&b4jmZn5a$!$#$IoUk1`&D=Hmlep?D5ShQ)Bym@-
zYi6p*o$aDSaD;+!*#OV%Ue<t%#j229;2)j{scjFJ@P%wj-2rltJyq}ny|pZR`Av>^
zd+=z3qyMJo-pFe0g+8dRXB%P_adnR(K&Hn6$Sj<0m+%8x{u<gW>IW$MX1SNXX!PbH
zse`D{MH?EM68xLKT~1hA%LB2ofcZ;qe1?z(XnTj!L!6G`t^Ncb*uH5F2D6S4t2FLl
zUDd$>;xG8QxvOvZi9_#>)RwQr^S{9!+HsZqGBLhFLNoeM)KUsP^}Ik+H>3w8A@Ap|
zjuZlk$N(>d<_FL}Q=;DWnOJCVFKecewL*@v!0x}u^och}lx$;(aC#4JhHmIXMEhP}
z&o0Df<U*prhXW)k>j){Yt-C%*A7+5;_v*y!Tey{g&R)EyZ=>KVP(E5#&-OeR`|~Ys
z_iZuo-5`G$&IhnlE?SYnzD*tVh_TErryoNcL#RSXpweLssI6dWEP(wQ*e5mA57<B|
zD6{W_LcB|LMOZ9K-DYDFK29XceRe;8F)h>7?6V$$l4?$}v<8kO@UdkcjcA743wCy5
z)+|IXwtYRoLR}2<#IYJ2O9_2d)>dfdgx(qKZ7}t%%1^HuIj<yqrozctlW^9XU(n)V
zV8cgV{blU4e^+jLbrbkXtr)mQht{bi0n15U>hKm41u)osP}is_;urhSCwUC%VFQh%
zSLl#jzaSEPeD8cn<Mya2jqM^f<j2gw6Yh7;wRYzE9hu@_HAwQ>*2qTa8=7I&l+3{$
zONI8jzEJA@-VW0&FKT`ZR~n(csCkOk9>9L}4&13?>gC90cMAZ7)s)H*Roq_2(3xri
zh{W4Jzi75&I!^i5O{O(V9x@J9$yK}w<S{Cg2g2S8l&PbrTu+|M+54=5xDn*=y54;k
z%$vDH4wKU=sU>RP_?R8IwxzbxZ^vbZ8eRB4eG<l&bPW^%J*HyT2`E&qLT5DLTlSZ{
zH*6sxQy{0gR{uW2e7<_LzX(r{qzSzQz0Czu1`0~Q^~5ED*$h^fZtWmPUemMi0dq_Y
z86#btcf?cOU~`a+FWtnx4QRMk8-L#zE2tuPV#Zk;P1*YzIq4_rWL|q6TudiB`)`UV
z#WjN|D@1MLbG+YnJ>CC9{fVh6=}Sd;IY~36@a2ew#W&!FHZ<d5N#?V*ZL7ZgG6D@6
zY8n`OiLWG}{6Nyn1|qTdPHcznXoX=wo8Pm#DFydzxUlxKp@zg<jt}+QP{gyeH6>f6
zRB)K>heu?6hI+&5Jqw2Dsd+Yva1`p?^v$~eA%^Ftu1@j9CH&C-{6rqnv^OObOG>`k
zh2~!dyam0fy*7iV*lD3jUmZ_lIb~LZS@tf*g_w{;+^OOwDNFY#*8A%;wH*lifxFR;
zn_e+#!Fl{(!+@p>I}TI84s8wh!7Tas<UY*z=ZQ2fLqhyfS>F(x^@B+%c6m=1RVSP=
zv)K!tH^n;rLbQ)>F|ZMY<%A#7Y1v&4_Yo9InW(8SO{7?UN_~Op2Dvx!WErF;4CZeF
PBXJzlAImwsW~|rTOXFT0

literal 9875
zcmV;ECT!UNM@dveQdv+`08)07EJwH_&mV~XnwKB3*6W(L*cKqbT#-inqfczH4Az4A
z<wY-dbt@-*gBei8BLpw9APgK=E_F!MPe?8XuA91jBoVwW?~~lBYx)-(E8UeW%oaea
zCcf2yiYOG_^GPCZDxzMQahH!F@ou)xQTU@Yqx>C)mF$0MBat2ig47;m5+oZ=8W;R9
zwQx>y__tqf8E}^$aRe;_TEPMq+N336p|#7!ETkKAfB1$_v~GN**F#bMSJ3SIyl7h-
zjcaqfwb0M^%!YSnsiaa4D{+?!K>qsjEUK*x<6(4GTIjN*PXF{&p|wf>rGo2usXVH(
ztDFXJGO&nUr41YB=~W=SxQs+yLekumw)yn(1~dpt^(vLbzCh|_sQd%SYprTmLtU-i
zq`Ilj!}}Bnwgkq8D|Zz&iRrV03i;;pR}azkp^^=dL2BUAQqJ#4$|1)JaFbNt6VWp<
zrqDlqJeR^PHlvDAcpp583Y1U$d$K22kJjw`V?#WcOmDD@q%Idz0ryM<))Wb+B0`u#
z{+X$_l+Rzo&gR{Q8Bs#`8S-u^j({(ALV7+X+>s$H3r4S2oGmdW2?cvvhC&ch=z3X1
zRf}%KLHJY>rpt`At`n{4U52$tATZg7MonBvCsU7FjkY4L=h6|(?h=;k3M7-zKgk>k
zneb070T-y8q!F%T-6AuJUBm~|EGA-q<e&0w;b|J=&J+*-aIe8xosOr1aqv{-b5W0h
z3!Lg?oG<u9JSWf-w@47x1jOT^gODy5;u7n>8#V+%)7K&n=I51gfUaU-f9BrA@XJaz
zvr~JnTp?0a^XPpblR98xV-@&$#lufVEg=mtr|zM9#*qC|uq4kx=@?3H|7#3VT9Q}A
z`dAD%u+dKrgOPg%G0>sisd}q;6JmqL6&$21T<rM4Z_Sbxl6_bmC3xxBA^D5IoVk93
zwEvu)!Yq#heMkn+Ze?Zvk+=Roe(7nX%A#7o)zPy!L@xu7gTYq<4ovN6!>#e)LsE5)
za-OVJv{;YI%{_VA%>AD(gc?t(b<;F5%Q2jd_>ew9crb9W+%)sbW^-FZ9ZJxDACEdo
zVCnJUUFlNNs`I(<d~BQ@XtYf06(O|ow1bw(?@Ys0!u~?xyX<b=a--f2bzrm4A#n}k
zP@|%q%otGS<n|!eAJtRvAI3@=yn;HM4Ms2;CWXtlADn(RUVRw}UXpk5zaGssmeqrq
z#j+lMKy<}I5O9S2dPZ^RTu4)8JHtE+UU`lj4j$OL!V~odkKKId;Tw>~$_tU;Pf&qi
z;<@UFR!Jr=7QT<)p;_};DNDH4c`=KtkX@eR9PcObQz$S7z?p!{LnLm+!a@sKgZN(_
zbY-i1lv^R^kEZFL|K|U%LK*}{K_t9s@5YKuNPv}cMeuXA;D5k^C@UDBi7dw5XtqN1
zOp{JtaR&29q_IiTa}98Dv_uV%=Q*3sdXdBX*>Up|lEXTjlgmg)pRstLqvb4Ztek0-
z43TVv$>pvWu1>euO-_F^72%Lj0HN3eBlgJr&yR91ojnJvdeZXEVqtzmM{vq+x&j!T
zPo6*_C1%{l;&m$ds27$?Z<^MsNS?ojP8~qO)F&!KO$NMX;6o4#jfVr>m?+4T?+UwT
zLTE36@!Q)~MU7oLbu(YIz<}7Ho12lOeX%dxp!t_YHeV+7MW-z7kF;gTGG8;YNL5Ex
z3cERSN<7@AzSu~bUEV<sG(Z_-z3;D9YHjA{uq6FW;)X|lT8wWW;_ZX{z&<-<EO4{c
z<lG}#P6B2x#)Ia))a8AxnmHa&w16WZ&V%@pQ(G4}uQ|52x@cZ*wlh(mrG0YmdHZp3
z=^kljorHN=?uQTw>`@yN*ZSMi3=9Vt<JfjKn|`mv`w%ebT`Jrc>gRet?EhXG9l&81
zTuSZ?MM{2;X38E8|D$?ZG77-wQYkT`G$1l%F)u3>du0e!S;<iX8KScCZu%Mx5U5gB
z?hz<Ld><mr`5fB_5|b;+rkQWYZ?|GkUMO6n9(trw;{Hc$YPLXk04NQD>go#TEt)x}
z*EMT5lVU+P>}Z74K}TNv+`PLy;jnPg0%y;=uHfse44lZ9HLeyoADs2Fu78oS;NI}{
zMFt>ljL>{(2-E=;HQf4s85S;u5y{9Kd{PY{LzWa@q%aY;b_~JE)&dAv#SH>o7|=xY
zfeRsoch5%?d9wEXud=V@Lh(E6EtX3*V0<y3xguCt{(YA_&i*`}@bY?ZWA(&14oL|o
zfTp2&#Y1aJ&E!YbSpQbRS`2z&_;SyoN{#-ZaaebL@679qc86#RPp3dti)IzTjHfRT
zL(@5=Ru-ru_lS#L{-bwdwp$Yi8pum3CPqUpyfB6a?f)sXq|2zmr{7J~9IVK=K6h>n
z7i7R(iTJ5u=UxT2>qG|L3636$W^)436R032d~s)fPviNZ>$yLo;~svzy#|a~C+?b}
z?@-6$nbk(RfQhP-*8D9QU@^q;xCe^`>KTAhtVcvwBM|P$V`W(N9A1mMiP*bHn9TzH
z{*nG#C{KLC4<S0&J4x>?JrORMnZ2tvlV~ifc){U66%QkWA*{MYsMu2^?BE4Jc>6HC
zESeS%UqQbU2)+BvdRPMQF^6ht!iJrcI-igiqZ_|?cX51$Fe5gyfBX+fBma5Cfu^~t
zgDfOGkdF9Bge{|rlr;1An-Tr0;m6%eWfi-wa2YAAh*(@(6?OwIB->N(hqc3%gJ#qP
zk>k}>{iKEM6|j7;;o}U4pi~p1Gm!^muxMIBnR=J;V?s>KtN1t{ir@bd7|X6s0es+L
zOw_ulUDutwJzDvqis(2<L^*1`)eg>b(}o|yf19a7X{gJp6bPd1doI}&FZm@wJZzyg
z?WkbNqRzXzDRHZ3b9>+!Nuu(}NZC{j^C$A(%C$PzS_AmG?25SPIAK((h8%LQQo<fL
zEKah6oEmiHmiA0;?d)z0a~;{kY|3#8xha-S<d9?=SjlO%0X51zBF!{0fV-S$Ho^gY
zGI9Lwv}5>rdfz&$ES(ETVS0au8NkNlUF0Qf>ox=@rNNAtxtQk3-~*BKWHqc31Orr-
z_;oHn{9y1}KR@cY7H%rMG-xIE;83aAL~Am2>1+_fASfOjy{)|`NOE--3RXA|6n$$x
zv5SxRf{jtXrJytaS6>@!A`<pkbvOG7;LbG_7f^J_Pl=wX;x=9gGa@BzOx<MWHMvaG
zVJYsu-m1gZ`^z>kc|~ZYNQhwjh@F3qI&BoUn8V5hguk_46(uEGJ{%L#3g(Y8&zLch
z=lTKr{)kx*{1^{y=Drv5u1}KB)O66-G%HKozXTm(cppvRy3-`~xA~m=kDzr~Hhx$(
z0yt}iruduq9PN~pC@rw%y&orucvtXMgC)feYgmAvv0|=2t6wgVR1nfH{a86ksv_h9
zx@v!mFqyj2Ly~LxSIEec2L@rz%`&PmNgZvft>tJ7uh!FC)vS`lN6Ijh*KfCGKx%zp
zG}**XxGXW1Z9?SH6-Do*hExM<^U|uDcxB*$&#Vd%W>X?tSU^8yny}-Xb--wJ)A!tE
zB>`4B6m8?J+PqDo0s!g414M-NA{f#>%gQlD;{a*J+%BP_y4ZMzN!Rwm_Y(Kn+6i-n
zOw|{^MKN=2$f{`u3S<7YLM6>x0FGIVLJ&WfFe1^Rn<^$#MCY$4bq~ic!NQ=ov@6sb
zl*_0IhNGXZ*WbXIfd<F6ZqdFVsX9=cXG5Ew!V4w*fv*2desN8ZEZ`-w{-#`Oi8EJD
z+CAO~*Gi#_HKUq^s-UN$NQmQbd$U)lFG8C~QAuD?eQy-cw5S>A-hRvYF{Pk3Z&BK}
ze0695Z13epryqj{J(^^C=O^RXW}ratVBni%DcWKS<xb`K*8vVr5_ejrxfZ<R1Tt6F
z%b!&yF|;*pR=oJPHVA|3VL}U8LXL*R4(X$`1|?nf+oCI(GqAuu@ji@u>X>bGyllsK
zrQLiZ(^?o|vC5p5WOCJrBfF7b-=X26m%Q$@)UbupX>iLi{ho<26)uKk!;?*AurD_<
zUSIy<BZgXOySk|@OP4B)dUqlksZ387s_=O)C%Dfkdz&kMQoCri<&k5kHS$F+Y<3x0
zIt`-4IyVR<g=>(^2)BktSy*^PorHH=P1XXIKFo!Z%=`NLH{0v_htt_!tz&ByRf`Cb
zEhLR(5_iL88KE`<MT&hmdpAY*V7LTHdY2{Qa8dy4n;ldj6Bdb?VKeAP5Z_fWcPam>
zthCNd5zHurjfih^@Jd6ours59+xbPyrOk6NL`UcC9Fn~tisAclq$LcR%wn%Z^Zl~N
z3mIVICsj%~;qzX%Zd=%cH&8{wLmqPwXqCmb!XL)O<*Au!=<mra6M&czDIO5)#cNAh
zW@oZkZbMz4NBTIvw<(jSP>OOUSs5^YBFc>#&tR`6860YJa80Nj#IhybKNMp0@^34}
zQ2oC}keV>sdPf)A4Q}&iPf!3~YQbTm+*)lS>CiGUAOL5<$73cvKekwhJU*^0%Dtm{
zm`{NrntRTKo5_f@e~-)galcG)MZ}+DL(CF^A_H_1n`vC4a|}8$Z7vQWj=@PkyygEm
zeBa7-?=ET3xOOQX(2M9?ABbF-#bS6&8A(hh{vwcolvEA(TU}3q+-<o|5!wM{i=+M_
z59m#L&Fdoxox%5reM)uyaj$w$Bu!z)xFmC8@MitGaoRjB>JB%rS2(qj#B~hlu0ypi
z{YA%M(SSZx9hor2JqG0YsJJN$i`Xz_r1)x+e7NWFTEqdc*+D;4rN9HE&eC+>%Dk@?
zclD-k95~Z{(ytU_k=gPf_)pM1wl%rxTFojOY4Z!`uiL!Mo=raON8h|N>yJ=oOF5D<
zUa-+71;g(w)VOK6<)EtYapw=k$=Y_1wll=och`TPC7SDfGMwr<SMMrmme?1iX(L+F
zTUgk(Q@nE~1f1S!Z5y|CI;I@r*Mb=~_HdP)t+afe6ZJn!Wf(=t$Pe79>1p@ua_E^}
z8V92(zW_rokhL3JZ=@jG!Z89)wWDr@Nx^IZ(@>>rE>h9Y(pNezuamv9qF#nDA9vfA
zC4QtqvYn<uLMvYZa*B&GkqL_$G-5>s%5%d3jQC?J;8D>pTEB{xSmYWK@FUqc?o_L1
z$B1t#58KSx-mF+|1x$`ve-^AwtmW!9#}$KAJnoRvpJw&0bAAy_iN9&sBZa-7N^$L|
z90qG`8PbXGRR>ggk>blz-kSxHKls!zs$U4aJ%;146Bf6A%wLq|rwUvyqeZfkwja+K
z_qGarega_SlhsP`*iUQ5i{=kYuj-?7rL_6;{bQ=_O&3<t)8EobB`iE>I^5*E1Vk`r
zzD7Y|NK7Ml?<i$Xhc1(qA{3WW5&hj!7?~6eUlAf&`BG^=S+Sv^cV>4Xq%Bgjy4x;X
zhNszk7chA10imR^7*?;EqyF*ya8f~098~QmT!-gnOPUQ6_F#yIA44m@dE5!NLra9N
zRK}B@ZiVt}bhB)>M%Q;8Wr>0LcO^>lSt!?c4q&~QHqQ%r-_hNZI3wHa{5#SqvtzXI
z!6NCq5vLrU2HSn_ipi0uY<7p<^=`Gi+F-A##qOJyB(bD|XUNv-@gH^LLjYzh{R=t-
zd{lo$XGPMP#9HpGd}xfrK1x!s3(xl#%JMU^FppIy$R^wVzCBoOTmeedlX+wdP6#mg
zBEh|)(NT`-em<GhNxm3%`#DgOJ75!*380so;hIy}w1fy0t&R*JTHWCk9&)txsgDvc
zbXt0=*F;JuUg(*P*AD4Tw!RwQ_Ilt-$lA#eW9m&x`MZNfcCy(8ajYju`gjZy&6;DY
zHoXg!j17X!Gp2h1Rx#)UO_KZUh)*85Nxk@_wMwFf0{{kL(*BMc;0mWzUI=tS;7wuM
zwSa7|TlAe_b4`Zg8?Vt5ylG)G-rL}|nQ*140NzV6YwF#yGs2FJ&?H$Q#f*f~FW?|e
z!rzpxhZ@zgSZr*J6uYEMgB=VQgcxFTs-zUdFsaL9l!X;=$P^_KJ!S5O_IOe<0rIyX
z%@?e3!tbESbWtD-TEFOYEZ}nXdlM*L_o(vCY~6Si*@~u>PZvj1IKB!m&Q559;ch<o
zl(hmOK6aEGW7){jytOh|-1CLO2dJd^@^Xq$1RRD)wY;X{+{(e<mDhQ?Q<H$)lM9Z}
z8Zi7%Tu$!K>Z)en;A9<k=&0<D>%HtOgbpwfZk+RFK#IFw*?ehYjF3(NG|e{C=}%Dz
zMurD|SCWu^xPRr(;w-=AS%8+RqFYrK@EkoDiH?~;MNhFM9(I~7Zxg>@^7U-oRB_M}
z<=!Zq4kZ4<9-9&HT>NCFdZD%?r$JNUytd%i2c+0cG?n>o23u1HA^LK-w!`^|WbSyW
z{ms4X0XlC>JH&}It8wv`3R1ZqlUI?payJsoI1{^$V;%FiM>eEuh;2;n*;OP0nmAHN
z_X&|$Ab&GSZL#*ybd}8WSrb^-r$W-C_Ze<j!@^ly3P<@6G7ro$yH~^2nTnvu;W~-H
zK3&M?a3k-wZ9c*m?i9etVaTBw#B<o31HmqL54}?g(9Kh_PB)p`Fs!W@xjyL{dkR=a
zGw)YPJv!4Xw1^$&&Y<L=6`NK!SWt?J^2?p>jW8wGG(vw^i5fMLqN?%#j1=anR?ylU
zmO|UYQH>3B5Ohgj+W26xCoz~9;*K*)=*|R@B_9jx+iEhT!RFNQM<fu6N1uRL`#W_b
ztr^;bTaZoRR#gjv)3X#&TI4>LLqL_+FI{&I8|oMt<20Hi6F$B&ImOZ#z`KiMx_yc|
z1}5JtYrEtg4eVvC(n{<TgAjHpGyy7jKTu^pCLaP0`I#|`;sws20|SBN0`U2c<Sf)0
z;(Zu#Lu%)6(xifJJXn2vu+pVYHT6y67%zfMg-#bSzN*RI4pNPVfYOy5V*hY<!e2cQ
z$kHLu8;F03BvckrC)aUzO0#FF%?*;|#{OGA{W7t5T453w!wiZPsv6KskE<;u0Pjj%
z*x*BK^91rQTP=N(-(hwATMQhV^e#$VT`;_g{m<@XE!=J&^`NdODi^u_H6mIN0AHkl
zfhtK~U*2`j5CHeOS@$#hF$?Fmj8W*%FNJVG<=;eABaG-%GM4#2MZpw8@ws|YG5k;q
z$6{{WzMLJyKTmD#Y-%*tpdI^GQ$#VOnT87=S;$LjftR=ZI1dtGNLrb*jU$I{y1WtS
z*{N`t1i-wA2?jBbNXWxO`w)#Df5_BZ&wU@NiPo&@6DdXCA|yO)YjUvsI~H7tSS@Iy
zG9W>vXcqP$gcg-}NqgdMZ1_hU6s~P893a7+uA6*wVhrN>l;HThCF);U*RqWIVbgB3
z%Wn9{IV(b^e+|U*7c=sN0wsedn?r&9#_H@T&X-8E(bahG`NWeU4|GxHg4FH$+1HDU
zSejsC4)(De+pzOHcc+wu1!TxLG^_q@?we6txw$9YF&@g1F5#3tr^RTUk^k`=IN!lX
z=pSk7zxO~s#ZN?jB}PNK&e(k=&x)88=7ed|2}rm7Ct|n@3Vd4dD=hD!u~P%$xu5sa
z^+~#{iKY!HT*GO{DuO;VVUvsB{y+>@c>*x!k`Y7<@mj;X#7lBf_#_mTsFn4|zNKEl
zY;dfXLt@ZWWvhd(67b(j+^Pj~xyZ-_o9)5Hu$sT30f;3ML5fbVK;wmPxbqAkcxJ;R
zMO;(v?QGAqzi_G@QN-#l6*IzrTyg28FNVDY#-`(YVqJO$R0*0NyH;oOgFNx<WLp_Y
zn>kEL&VIpSkn>qO)INQDa`Ms%zLKd%3~hjpj1h#;JhHb>G~9^NqNgt#Hf7GE;6!@Y
ziz)StB^c<}qZp<d`7n&ad+W#YA|7}21@=e{$}K=WW#}cj08-)~#a)rBwPBZ|mXq};
z=p!oQ;-2BzAr?i4qgfzS5bYSP@zACayf%8*bTv7~W;JW~{jMA{ODT-98}Z;IGQzzM
zqU})ZG}F`~b37?f>^#WC6KViEUSo)KG>T|Jg7E`_M8ZkF`U9ISO-#AOWSA7%2u%||
zF(bN_?1gp;j|xY2@ksznCrBMV#@2y@Je@`GBuVOxoGLTgd3tmodqYLkMesXElDFpY
z-1viWE^7u^0s}!ea6qtsj-X-ia&A`nMO*O8Xmd`I&Jrq`uqs#cw4mrxxq9<**c0N4
zinmr`GrNe!_}e{)VU9k|ScRxlEAdW8JB%ec+?P3BS8`Q6>=<Q6&s=p15ycM=CqWQ{
z&*`j#SR6%9lelF^1$b%V?MJ*DeFH{UIWX~*PqQ^;Y5F)H8D(<*Q><PAu&nb$026#9
z45o(wQ?`jjeTD$jR@Lzf!}BymIe8e21-anlH%4I-JR&@qU5NP^$&JCEVf7)k1qYBp
z!dnMS2004!@)tfEM}rrj{ZYlER;RXk*vQM-NnX}x9k@}mTxOIsS!W7JL6}V<hfap8
zS2&&#S0Guf|8Q!79FSoXD#r?ua6G?X@<}e*;7VU`4wep6UDUawe0M_45V81=GoB#o
zdlhL#ip8d`q%S5-_K`m;;bX0niqV|WWvdm?d%>+5R|*Gok{C=hm$9H57`obNMe4_*
z5wFXMTAqR=DEI?$P36QqhpRY<k&~`m^LUDoFF0q{qkYqmY5)!Yxi(lC{)<2>;8^|}
zRO6(VX~g9eE{fZ+jI!7us&RuguCCVr2PREKAsANppn{^oLXz4|E}U$V9KJG>rC>pv
zb;zvvw^X5kfL+pi$UR@$yPljImZP7YhkSh2mLa7OR!$24sWE-&Ou44N-DH)8E;I9+
zOq_q}A(@T?LV`U*eykTsmr_Uf0YjC|iw&)qE22&S@}f#0uP}}M=`~{6&q<0AN@&y0
zq<NovcFau9qUVzd0QEB;n&k-y>@CK;IZMXt`TR`<1{ZSSFLx4d(@;=uR?AyV(8-UJ
z<FZ^N!p0rlq)c_jaPuP5jmx(CP`K4n7SdD-v?4=&P`-PZqu^MRQb7Xh-<+T)ytWh3
zN$h4PzAg@wtgNq~6T;%Oo$YGWd7WF-T-k2}mE#vIJ_#QiO}yJuMh*j_cht4ObLsoe
zz{)y;!|7L!cL=7!+rh$#&ZoPle3p<kAz5^A^Yjn3=!Mb<j;KnkaWiECEHPpleT7H<
z#7qrbxk&8&h36-XQo$(V>6}ooZMhsz{!qhq-`e8;Vf9+1z%!`ytr&DwTx9!d16>y{
z@uc8uRttS4a9$ds_IDA`5;nh~4H*HXB=W-0@QOzvzu}=rauu~*aQHb^02^HWyN#1y
zsZ_mm2)@N;K{d8}e#({LrnJ>@sb%Z-ypsoTlvYDnGN}J>3khubq$b9jP~`U9v;v^D
z#8=g<=>r`wP~AS*08HQnLpH=TAv(RN2Yfn};|`H|#aP0qmg}cnFs-hO@?^3@-XRZ?
z1JKf4+RpjK-~^s{QUyFjQ{zR;g#i%z#eOI2BsPZ1uxDA>A_r*j?+<qrNe2tAPUIVR
z&3Kc=7L||ncHVP3Ikan_k+u&_g^U)$PGc~lQq(6Jcx}70-E8k6uRmablwR033vN6)
z)M8Flm3&HgP}#OWGrv8KslqqaNWM~?>_bDz!#VTpdr}9*@Ptb&dysEMs)Vz&5Z>8$
ziZ{x8tbpWn6ruR$x0xCwYT>)D&yo@~)nWIQHn%gE_ov)0bU3!@@TbGu#zgKp$zuYA
z>}M<)@Me)X^9>Z2x66!T?u|s^D75rRQtn4NhkGbDD7K<R^#<`mumFk48N2jwF8y&t
z*wxZXpgerlZ6qU2Z7X?`B~)NS@9X{T>lLROi2Hd|2gQ~llCVJx+u5&+@B3B<2Q{{C
zn9}EL$R^#poDH_&)1H2LW6zMB8w?kkn)Y674V$Bm=aOk^S3;Y~SaZ~-X$QR?^j<9_
z@mc|3&4S5GCymZWgWb6`*TH5zez%h>=YJp36Z_5J26qBOF~S`giJ#JJ^Tc+AJj_~5
zFEq`;u~iTY{&RaXK&bHcNa5tzC-GiH>9BE7ZS0<T%Vm;>78D##We7FAPJyhsfzt~s
zcs~`5;gQpU(?^2kwsu6qv_4EsWxW3w5xa`bP?Uq&tq$^xoi%xj)2@RH?S)6Y9mn)7
zR~6gup?Fy}L$|odQ)tULAp!F=t_=vfYR%_qni|8xkO5`G_i6C)aGt_zSGWUVi0A|J
z;8^t%*qS|bp^3e)+;&z^+~M9Ix2>Dz9_TcT!~D(hA{9{XW=J>)khT`(F|e?Vf*oce
zXI93_0oIwekko)gF<T@g`^)a9R(Ud+4ySuWCgW`O6byIC9<Hf770IMND4%AZmy+=-
z2_=~9@Pg(A-+x9urazOBdl0B*YLiTnx#|>L;&S?aZ`ksf`@ZV7ItdLxG|-c_+};a<
z+ad09k|K3lTuP7JFIE6@B$VuKW44>otlG56i;U!8K{DTsk};b%z8{@9X3$Ohfccdr
zlL}mBXf;lPVY{IWTebmRmb<QqCqagN`WlMRO%u%X_OIW62(8TVjeoKdGk`g)O320D
zf(2FZy!loPm!f|SqPuL#RRBzV82}|L&CZ?8u1|8sm$xgzeuyneP}C^^JIxkO0hJJk
zAo}|{U|Dqpfw{rhXvqNV5v?P|^T`g(5>d_ofi0U?0>bhHFeQq4azcN+_g08==+TZ%
zGyfpTeu(t;6*|TdMY4+1?gaiIPX#FH&;h1|@IysN787-lg?q!4rvbGC-zJ;ZVPvGk
z>;w@eR@JAi$cFw~04~_=#k0klDuzp<vLJ^PP;dR13hLymI5X}AjUiniqs2%<8AyKT
z`bvtk+a;?RGBE1&hc&VR$UDz|B@)9VD#3`sl)08Y>^uXTYeNy12$t+J6+0WO=rXk_
zH4K)3Fjs(Kqy^<B&<vTL<wYLZ2xnJii0-!4UQOfqcKFEsX$s4$kyE^8Wu=?Y!PK)o
z9>HM+L?6N#G_!LvZY=>`RXpnlCESr5#>>{=;2>wh30C5rzVEM5hs_vDD`u($gM6AA
zo4m<tz>85v%7f@9K)ijut&5Z8@oK9*P5IFPD{ARCdYuFWb46iH7EAXY*2b}<8kM<s
z1EY1-Hutie?=w9B%txWA2`sMSi6yH+K6D6_db&9^^gTK^8s_v8Zc`&UEbKMhHjSQh
z`NbD*UDXSQR=n?|9|V>G5?~N`?HwUM447xz3CK8F<$vYQ?;@ke##P?wH-w0dBa;9+
zy)6xBa^ydMyx%?O0o0s8X=q0PN=Y~^<8N;31N$2?GWqR5IglT*^{JeeV_c9vmXBt*
zw!zzC+6?<k-<=)Et6g_&y#nt;3<5;hm|*fo?~V6=7wZ`j{2?wkETu@M{U9a1Xu0N=
z({Dgbsj3A8cUjVC9ODRAf?qnwbF)zF9{?(K1?b=Q4y9bvc7*@LnK;^V<o^##@(pML
zQ2B@rbY%5|kuiA*rHjkLH#!>cVQ=X-wsvOWNgR+8*R`G|?($~vs3yZ~6Lk7_tadkV
zb5^hV5a%h^gckYE7m#}E9`8xy#1UAzN5Kt}(-VxeZjsozLSC2HQo;RR8<96OFy7!-
z=~pVfq~1f9Nzg6%piJ_Exo(NAUxYy)gOtKVcwQ3Mo5#H3(&b_#79MaW5E=z_AL(~#
zL7U`}eEDK=WwgaXiKL5~7-DBud3#VE6Pgq}<%j~i7$L|w@4?ooUe&1)AsvD!{6Uv8
zLGia&;l$t8o$1yot>-0V#**rTV9qg>cBZxs`AV3`Wkl4qcDcaTKZ6gvqUDjKZtjK-
z4m^R*QcUfes#{r<U{$6-&PiB<6LK@K8$h(0m1;5#q6p@jXe4iU4&|2zck7DqDw^iV
zLl9vKZS-lF6*&;yU?~_}Xg#q}wu(L(8jS+Ig53TbS}I?`ewg&N?j!~CI0b;suK6#n
zyEMc^oMd?|T%X3Z8t_>Q(<szJbY-UcMf=Sy$%h0Qo0KRzY`cJ5Y9z7#KL1QTZch#D
zz)(|~k;~Xp|LtBfSK{MwNX9uosH?u|)*H&5c2YP?@K%l->OCti-kbFw$P2iZp0CI_
zrPik9d&xzMYgr<`wNlj)=(=-alO6sH5;|2(6<{DhI!3opPEysF$)*T2v*db?p$14`
z>vJEty%OjUws0_&M0|=3I31e#9F)b#to<Wu>A3rwKh<^)AsEkKt&2jzp!JOSltO$y
z*8#q3S_-0>CB0g4Av+tEzcU-ku483qe+5N`i}9jsQTqJeTd2CT6j+apqe;X5HdcQO
z8J{wN0*sa34BiSreC)G7hTTq(iR0iW>Qfrhs_*`&%%HKj43ONjT(|_rRfF6SgvA%n
zNY<c0>S;~hhA8$_B>H|X`gP%uM=A}`=nZ)4P?d+S$=o&<!_(78N12R(d~DF-sKXb#
zxv=e{;Z4sPyDmhAZh$6HUte*8Y+e|CzEE|~=TN#(dc=I>zMHy+r+K2hO?vLYERx?m
z_*CgF0$OjzUTrsNLUTgiF5>3E<Xn!{CZgkBe>_d2ib;~38Ges-d3xD*p)Du{SH~Yb
zLa7Ob`iT&?`6XO~3gL+cC8<A}pfdj(8InUPZL$GnWh9ZgGm8SYxuJMyD}WT;qt>}t
z^$yD&e;{#B+Mpyl1f3oz$8l-V4d)06ihy81b1)!TEs^BP35L6lsntZ#GD8A`SZqOK
zDBvTR3|th7d@9EKXJ2{BYYm+Z>m{mdTv4nXb>((fKjc5Qx*2~X!^ld|4G&sK!oZE2
zQ1+_4q9uMWR-Whx1Nh|{_Dgdw+Tq+NV`|Ft))OO3BqH&-IuIt2(TPacjovMV&#^|z
z6?ku(dCkFO3eSNlNpYAd**BB~0a4yUaZuExDx?c4@sd;yX?3M>JKm``epN&RuQV@!
zE%qI7*`C5C59pqoE%|te=4SD>Q$#MV?bpJr0<_wL|K`rWG2!MRjU1FOOQus3=Y7Jd
zCFZ}~bB+ZM9MO;Qb^9J3KzCqLU#(W~YR!T))V>i?vbkApies)%24z0wMlm1s_@(%;
z`Y9ny2ZfDlC83|{r^Ly5%S0GOt&P`2t^8bLFD~mkh9<a?p43rgaaEhLz=Biv$20}R
FG2xf3_tpRa

diff --git a/modules/docker-registry/config-private.yml b/modules/docker-registry/config-private.yml
index f8a188e3..29453355 100644
--- a/modules/docker-registry/config-private.yml
+++ b/modules/docker-registry/config-private.yml
@@ -16,6 +16,10 @@ storage:
       age: 168h
       interval: 4h
       dryrun: false
+auth:
+  htpasswd:
+    realm: "Registry Realm"
+    path: /auth/htpasswd
 http:
   addr: :5000
   headers:
diff --git a/modules/docker-registry/docker-compose.yml b/modules/docker-registry/docker-compose.yml
index d078639a..4b3d39a8 100644
--- a/modules/docker-registry/docker-compose.yml
+++ b/modules/docker-registry/docker-compose.yml
@@ -92,10 +92,12 @@ services:
     volumes:
       - /opt/registry/data/private:/var/lib/registry
       - /opt/registry/config-private.yml:/etc/docker/registry/config.yml:ro
+      - /opt/registry/htpasswd:/auth/htpasswd:ro
     networks:
       - registry
     healthcheck:
-      test: ["CMD", "sh", "-c", "wget -qO- http://localhost:5000/v2/ >/dev/null 2>&1"]
+      # 401 is expected (auth required) — any HTTP response means the registry is healthy
+      test: ["CMD", "sh", "-c", "wget -qS -O /dev/null http://localhost:5000/v2/ 2>&1 | grep -q 'HTTP/'"]
       interval: 30s
       timeout: 10s
       retries: 3
diff --git a/stacks/infra/main.tf b/stacks/infra/main.tf
index 8fd1d899..a27778c2 100644
--- a/stacks/infra/main.tf
+++ b/stacks/infra/main.tf
@@ -21,6 +21,11 @@ data "vault_kv_secret_v2" "secrets" {
   name  = "infra"
 }
 
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
 # ---------------------------------------------------------------------------
 # Locals
 # ---------------------------------------------------------------------------
@@ -176,8 +181,8 @@ module "docker-registry-template" {
 
   # Setup registry config and start container
   provision_cmds = [
-    # Install and enable QEMU guest agent for remote management
-    "apt-get install -y qemu-guest-agent",
+    # Install dependencies (QEMU guest agent + htpasswd for registry auth)
+    "apt-get install -y qemu-guest-agent apache2-utils",
     "systemctl enable qemu-guest-agent",
     "systemctl start qemu-guest-agent",
     # Stop host nginx — we run nginx inside Docker instead
@@ -185,6 +190,11 @@ module "docker-registry-template" {
     "systemctl disable nginx || true",
     # Create directory structure
     "mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private /opt/registry/tls",
+    # Generate htpasswd file for private registry authentication
+    format("htpasswd -Bbn %s %s > /opt/registry/htpasswd",
+      data.vault_kv_secret_v2.viktor.data["registry_user"],
+      data.vault_kv_secret_v2.viktor.data["registry_password"]
+    ),
     # Write Docker Compose file
     format("echo %s | base64 -d > /opt/registry/docker-compose.yml",
       base64encode(file("${path.root}/../../modules/docker-registry/docker-compose.yml"))
diff --git a/stacks/kyverno/modules/kyverno/registry-credentials.tf b/stacks/kyverno/modules/kyverno/registry-credentials.tf
new file mode 100644
index 00000000..feded5b3
--- /dev/null
+++ b/stacks/kyverno/modules/kyverno/registry-credentials.tf
@@ -0,0 +1,83 @@
+
+# =============================================================================
+# Private Docker Registry Credentials — Auto-sync to all namespaces
+# =============================================================================
+# Source secret in kyverno namespace, cloned by ClusterPolicy into every NS.
+# Pods use imagePullSecrets: [{name: registry-credentials}] to pull from
+# registry.viktorbarzin.me (or 10.0.20.10:5050 internally).
+
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+resource "kubernetes_secret" "registry_credentials" {
+  metadata {
+    name      = "registry-credentials"
+    namespace = kubernetes_namespace.kyverno.metadata[0].name
+  }
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = jsonencode({
+      auths = {
+        "registry.viktorbarzin.me" = {
+          auth = base64encode("${data.vault_kv_secret_v2.viktor.data["registry_user"]}:${data.vault_kv_secret_v2.viktor.data["registry_password"]}")
+        }
+        "10.0.20.10:5050" = {
+          auth = base64encode("${data.vault_kv_secret_v2.viktor.data["registry_user"]}:${data.vault_kv_secret_v2.viktor.data["registry_password"]}")
+        }
+      }
+    })
+  }
+}
+
+resource "kubernetes_manifest" "sync_registry_credentials" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "sync-registry-credentials"
+    }
+    spec = {
+      rules = [
+        {
+          name = "sync-registry-secret"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  namespaces = ["kube-system", "kube-public", "kube-node-lease"]
+                }
+              }
+            ]
+          }
+          generate = {
+            apiVersion  = "v1"
+            kind        = "Secret"
+            name        = "registry-credentials"
+            namespace   = "{{request.object.metadata.name}}"
+            synchronize = true
+            clone = {
+              namespace = "kyverno"
+              name      = "registry-credentials"
+            }
+          }
+        }
+      ]
+    }
+  }
+
+  depends_on = [
+    helm_release.kyverno,
+    kubernetes_secret.registry_credentials,
+  ]
+}
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index e6dcc34b..c30aa01c 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -186,10 +186,10 @@ module "proxmox" {
   }
 }
 
-# https://registry.viktorbarzin.me/
+# https://docker.viktorbarzin.me/ (registry web UI)
 module "docker-registry-ui" {
   source          = "./factory"
-  name            = "registry"
+  name            = "docker"
   external_name   = "docker-registry.viktorbarzin.lan"
   port            = 8080
   tls_secret_name = var.tls_secret_name
@@ -206,6 +206,25 @@ module "docker-registry-ui" {
   }
 }
 
+# https://registry.viktorbarzin.me/ (Docker CLI push/pull endpoint)
+module "docker-registry-cli" {
+  source           = "./factory"
+  name             = "registry"
+  external_name    = "docker-registry.viktorbarzin.lan"
+  port             = 5050
+  backend_protocol = "HTTPS"
+  tls_secret_name  = var.tls_secret_name
+  protected        = false    # Docker CLI uses htpasswd, NOT Authentik
+  max_body_size    = "0"      # unlimited - Docker layers can be large
+  depends_on       = [kubernetes_namespace.reverse-proxy]
+  extra_annotations = {
+    # Skip rate-limit (Docker push/pull generates many rapid requests)
+    # Keep CrowdSec for L7 protection
+    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+    "gethomepage.dev/enabled"                          = "false"
+  }
+}
+
 # https://valchedrym.viktorbarzin.me/
 module "valchedrym" {
   source            = "./factory"