From 644562454c6cea1fe7ea30ff3c8ef9de93122da3 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Mon, 23 Mar 2026 02:22:00 +0200
Subject: [PATCH] add IPv6 connectivity via Hurricane Electric 6in4 tunnel
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add public_ipv6 variable and AAAA records for all 34 non-proxied services
- Fix stale DNS records (85.130.108.6 → 176.12.22.76, old IPv6 → HE tunnel)
- Update SPF record with current IPv4/IPv6 addresses
- Add AAAA update support to Technitium DNS updater CLI
- Pin mailserver MetalLB IP to 10.0.20.201 for stable pfSense NAT
- pfSense: HE_IPv6 interface, strict firewall (80,443,25,465,587,993 + ICMPv6),
  socat IPv6→IPv4 proxy, removed dangerous "Allow all DEBUG" rules
---
 cli/update_viktorbarzin_me_technitium.go      |  35 ++++++++++++++++--
 config.tfvars                                 | Bin 9902 -> 10021 bytes
 stacks/cloudflared/main.tf                    |   2 +
 .../modules/cloudflared/cloudflare.tf         |  14 +++++++
 stacks/mailserver/modules/mailserver/main.tf  |   3 +-
 .../modules/cloudflared/cloudflare.tf         |  14 +++++++
 6 files changed, 63 insertions(+), 5 deletions(-)

diff --git a/cli/update_viktorbarzin_me_technitium.go b/cli/update_viktorbarzin_me_technitium.go
index 5131579e..a624829b 100644
--- a/cli/update_viktorbarzin_me_technitium.go
+++ b/cli/update_viktorbarzin_me_technitium.go
@@ -69,8 +69,8 @@ func UpdatePublicIPViaTechnitiumAPI(newIp net.IP, username string, password stri
 			return errors.Wrap(err, "failed to get A record for ns server")
 		}
 		currIp := net.ParseIP(currIpStr)
-		fmt.Printf("updating record %s to %s\n", nsRecordName, newIp.String())
-		err = UpdateTechnitiumNSARecord(token, nsRecordName, currIp, newIp)
+		fmt.Printf("updating A record %s to %s\n", nsRecordName, newIp.String())
+		err = UpdateTechnitiumNSRecord(token, nsRecordName, "A", currIp, newIp)
 		if err != nil {
 			return errors.Wrap(err, "failed to update NS A record")
 		}
@@ -78,12 +78,39 @@ func UpdatePublicIPViaTechnitiumAPI(newIp net.IP, username string, password stri
 	return nil
 }
 
-func UpdateTechnitiumNSARecord(token, domain string, currIp, newIp net.IP) error {
+func UpdatePublicIPv6ViaTechnitiumAPI(newIp net.IP, username string, password string) error {
+	token, err := createTechnitiumToken(username, password)
+	if err != nil {
+		return errors.Wrap(err, "failed to get technitium token")
+	}
+	for _, ns := range []string{"ns1", "ns2", "@"} {
+		nsRecordName := ""
+		if ns == "@" {
+			nsRecordName = "viktorbarzin.me."
+		} else {
+			nsRecordName = ns + ".viktorbarzin.me"
+		}
+		currIpStr, err := getRecordValue(token, nsRecordName, "AAAA")
+		if err != nil {
+			fmt.Printf("no existing AAAA record for %s, skipping\n", nsRecordName)
+			continue
+		}
+		currIp := net.ParseIP(currIpStr)
+		fmt.Printf("updating AAAA record %s to %s\n", nsRecordName, newIp.String())
+		err = UpdateTechnitiumNSRecord(token, nsRecordName, "AAAA", currIp, newIp)
+		if err != nil {
+			return errors.Wrap(err, "failed to update NS AAAA record")
+		}
+	}
+	return nil
+}
+
+func UpdateTechnitiumNSRecord(token, domain, recordType string, currIp, newIp net.IP) error {
 	baseURL := fmt.Sprintf("http://%s:5380/api/zones/records/update", TECHNITIUM_HOST)
 	params := map[string]string{
 		"token":        token,
 		"domain":       domain,
-		"type":         "A",
+		"type":         recordType,
 		"newIpAddress": newIp.String(),
 		"ipAddress":    currIp.String(),
 	}
diff --git a/config.tfvars b/config.tfvars
index d0725a2f9f2179371a959144e74b3b2c13f45ff6..a6e00fb227731ad094bbffd6bf63acf4aa9879c0 100644
GIT binary patch
literal 10021
zcmV+=C)(HmM@dveQdv+`0PE9}_tcb3dD+e*oo5tBojL`nOFlZCXNngU0R1fO=U&sa
z2%4gr;@~{$t`MuaZj4A9x$B{%haSiVqlMPbDWZk4%auRE^<KZ<*V!&LtW#RWRJE82
z7pZen;wl^{P4oeb-HE7!)AK>Ht~VP~xLG4QlSB1hcu>p)kU5t}EkZ~6=a$?roz}_Q
zy~t^C5IXg;3s~Dkl(3EDBbIrhTw?5*S)ZiN!!FK>f0|0qOWPOpr~Oao7F_mGzZRqq
z%le;8IM*#m3h7)^d1KlFcUY3Y=r|o7e}R3E-0%ZBy`EijPrdZx-PX7b<<l7k4l|I>
zb(44_ZX|5^dD!eGGY;JYFt05!hgOD})h`GW1vgByN#qi>s_f&_$kjLpTeFGU_rqWC
z0%`=qQZHjBZZ<Xf=ZjAD#Ike)WMDU_sNdyHFacE<+N9ecPk1(gwgeC&4rl2rN1S2!
zPbQ;j`Ra}CoD6$z$_kSPfpAe&X<yB|yQZ&__)W~P!(D+u#1sLZKEigwgHk<7U4Fgs
zBI`HBaRB0e^srGrF?~Tp6`^^adLmrU^R!)9yZ7<LY`<644NV6mWb=FUA!yJ2=c_K;
zEmLKStCNEMf}N4g$?WcgG%ZNMRQ7U)PM<_Y?~VP4ft*Q#Z&3YA(9s9z^+$|j+f!u9
z4}b+VD<yB|9%42@kCOR>^(YWMWT)n=LI|5lX(K)&tU4I(`(EVPrE+{qBj;PGD!RjT
zx~%v#fVi5|Mf559ILM|LPt~t%m}mna;8@{EgeZ4pstT#cL#*EfzEAfVgQpy&Wmpd{
zRcmTa_p+jLwvU+>a0#?WdTHNf?s)Y?L&T4l)?ZG#D30kgy{QVL3;?akIC!?m9X2z8
z?9XEr;IuztI2o-GUsu;dUiJcP(|MdG?cqa%J<dm;fEIPP_9v9(Fk5E3lm+TY5g9*O
z6VEi;g{&Pc2@=W(Fz}eWa{sB6T^{U+=6j9A?)<3Qd-ROs2ZKi$sMAjA)4@8C%H#R%
zLRy=G^_Ur}KOf6;1dywb%F)<FX!#49LDjz?YeMO`I%hc*(+FZ};(vE3ZIGMJZ$`K2
zz&nwDLS2>KTF_rjKvyVNN&4_D2no((MNtlfb{L2o_UZ{`Q>P;AflpE*{Gw?I3B%m@
zXe|hq8jC=sdIZ`av0gEk0%$EWI756}D?$eeXvC}$pU;4dLlqY?1DgLO3$tzLD|^it
z{7XfDAT=zgYF~xBClx>F$i!7p+kxMfO2U`ED0PgKlWA6bmgpi~B&;XSL~gHcwkw2d
zCCQ2^ED3yzxehAfcU85iz?A%URmp>o-6RdGJwQc4+bJ2SPflvBc3IU}$Vdo-5M4HH
z0k>g`!S^9CAa|PqiLZy+|0K57x;`~$iwAc*65m?&RaKrTAZb#Kr5WH!VhCWkSrYiX
z6KMc{>1EC#>X|$*5JyKh@jv+sEodkjRu<uA7jo=b;#y}6b{;y%Xw6Bgce|`PnKA4S
z!VvorOSYOOsP1Xo(Up|Iw!7N{Yl{v%DXzLbuk-6$Le0n!N;0<5GkjgeJwUov<L_hu
zjCvo90;ie_U>MSI+;S!L(0V9{b^^5HR4j6G2~)3U+T`sG#{8IsL~aIdIUq6LdlPE4
zb~)CGGr$Au|5@I`m!{2Zoflbc)d6VZ+hyCE;rNgzYAVoo905M+PO&vV2M~smU}pxs
z1DG2}t(=-Ix>ntI#A=y(xoE7*T5x_WeK*GsE0rhGkgB^olW=M#xkpiOr3uux(HC7f
zXBL1ewt$o-|IRvGOB2HrN>KUR1u#o+C2`%q{{Un)X+;k-iP~gn4JgG*KpNm87kvto
zzcJqls1!jBG`qK=WzV32zZ@S7gIw68x=J#N6$5=+q8Bi%OQ}H%*qx)zNr20yXl~8I
z_ovVti0xSBH@eC~)E77M4Y_<VGzP@86R?I5=!{tOADP|{+>t<I+*L0_ZHuv}Q`76V
z&kRCrp6ulM+hQcc<%?2t7zGfYz~KwtA9}}5OaW5m&2ezc4iqh;9YaEij#-8nPavap
z@xOV#stJozDHA&v{s$!vWML`mN=Cw!6~XvbK9T3MTFk`A2G*D0%#SN1#4H>Ax;g*_
zqtl>aP_lwfK4)bf8^x!pCd+Z4rl8Lz+)=a??4NyS2uuH_*Tdkd!=BMtTJx|nv^qIe
z5{kkM<_vny7Pf~;?4KWw66U3{*8!i_z!DXusR$~UE=$g*sRlo&WU|cdw;#5BlmE9Y
zpd45JjV_&3QlN}<v!Ph*dlT^BwY)h_XMCG{Fv_ubp}x<1^24VN{0~#ntHRxlcEi-(
zn9J{VOMC_P#h`?FNb+5Oa75z_T1{nm5sIa6S5Kte+ZI!ZoPa6;03E^~h1ur&SJHbb
z`I^_VIZiW^X&E@7<0*=EiQou|<nSzLHNLdLy%T*~ne2>>mG_o~S(O15Y`a(g2FVB`
z3pO!M0fKqa@#jKJxuiOvak`XxarVuMa|tq`yk3t+)J&6K;&DO<BLPVktv|x^uL;-b
z*^ZMGScY|EzOYzw=LymNh&_8B|K^keu`Fjb6k3MC_KvCh@99_Z3TP<tBp+m)q3bq+
zPrOVRgl$cV)VkHOKUb+=xt6yb;h7eIqVIt}Y4HNuYyQ`PCNVCm8Fp;nK^0sLxm{NO
z!LJ-iN{}x3I{o8G6JrS>d;0}KbB44`CvSem0DcFPRgBH-&f}Dvt~EUv<dd<@te>)q
zJ@-Yjh)M}UdMb)MqzFwh^dH#}Q|W{OsMUjZh<S@GKi6WSV#dompWHsHBw9Vr^p4M6
z#76D~`5N6?D5tpzSEecBjZ*HEpjHVvC4%3e?%1i}Jtu}>0B;|wPnEL=kU07&gxym)
z1Gg3Hb-{@(J7JPiu3tt!uOx!j*X2!3$dB4IYri6~<dHCwP`|qgdqnSx9{FxdjNr*2
zs1CkMzh)MD5dQDr{Ne8=ckweh^K*;ng+MJzx(~Ayxw-=@gW^85-0W2puq0`<!GboT
zqc*P%o_!y$HDcb;-TN^RlD}>zI_v1qTvMDs$XX;Y6ml9MxYBqs2Jm7k6KYy1ink_g
zF8PJ!LD~cnZ<a>_aLk}e=3t}qP3>!B@=aCynyL~ViY4Qx6_%&Stf3vQrVTA2Ee?$g
z?ac*BgXX#H_Pl5ykLovY;Z75ESN8lc+Y-{d)cVE<oupD!pj3}X=ZMD$wTkeIThM)F
zQIZwqt*6n1;u60R?Gz0W)BLEsYSG@mo)=vF7%4S!@Mb!%Tne7A%Z{CFEfYo`W02;2
z=(_B>?iDJNOSocu!?KHyqt%O)8t6a9JiA;|9#kp%LiS76tdr1y3fPjazZ&be69~yM
ze92lpRtvY~xlF6z@s6!zQf`1dD8RU5YakAR-2*wDgB$l$l~L`+jO=YJ`|(erO`x*(
zB!Up)Z#(@8S?)o6sT!wH-ls|v`u7*ic;#O1I^S#%^{IpAwV{TRLMn)!PzoY)>Yz$)
z$7Fr!O)azEI|y(}k;vIG)v0XClbXqb8q^)GGbt`;Y$l37AO_32YNQ~h%t2zsHcAP<
zL(w+T$8T-xK+HVy=s>`DRSHoM<RRP<m79^|2U)2j=RIPVMTl8k#nqbJ1vYI0Dz6d*
zT~nF|6YcLLagI{G!v<MmWa}zH!30#}pS8J;C@4zUg$%p4UOevZBlHfwWpNQ9`<Va6
z+Io>f?6>kxOGn)U$gBVGrGh`l7Den9QkQ(Y3Qyuqm1PZJb9P3A1?1zf#32=#!h*Xn
zbLc+D-&mHNLZWg$M9(w7>9cwu5ZPE9@pdj6E89d~t}p;3u!z)@1{n*ZD9S_6Nr$rW
zi?3@yv0;*(H2!hzMrC)76?74pzuN!JxuBUs#(>G?{bUav#F_uIXNHo1uFXmoROtvj
z6x)^ANDCb2V1h4`HbDVm!t&N4I2X8ptdB`+NtqkTzgTvtJE29jt_~$W4@~%ZsE-zp
zK2G?e0C>@PrwDE!f>a}hZ0hb=K=e`aVD5;F5%5L+AyhZ;EnncHNgZUTCkR*Vg|JQA
zylh;<AHZh+O^@PbQv6UDewa3`fLg4Dbaov}@$O1vWh4wMyEZF19KT<8l831eO_%D^
z184y-Pp2$KtRA7sA9K|PaT~WvqCC~9NwG46);u~Hyh;P-3j*MM9$<9_7s^JyL3I&H
zYoIFYRjthDlX6*uOa!&^oSq`5``53(pD6qlviYr&|9PkMy=?#-)r!1;FCx%iV-+zL
zCI`t!_l=Jc{R0Ac(dg=m7EIWy&^&dcRO`+D6pc@Su9fgoy5Y52{$hYqqo?d+!9jqj
zkE;%qm;ob_5N=e8ziEWUWmjwVk+}J}yW&x9Lk@^{cVjeJ=bZ>w7vd8593Z)zcy7~y
zDpXIe1&OCs7j;bN#S7bW@3|6SjWCxoy*@i*ce_!AXJ+;z&5x$=<i0z8q`X(m8?AX=
zQtheg)ah5fdo*h5xXk@`tKx!@iUywKybb0SIt$W6BZDfwU#;pX+9F&E^lq*Y+ZCTk
zxLkW?%NfHX5n-0HtFUTGzgL#d9JHzKmI`tNDUPSx)H4f{eWp+}*tekp+zN-S2_FgR
z7r#7J2^|zb)sj)q=J6^$A`AvQgc~1fOQdbdytu(#A!%EbJwt??>&6)c(+O<Th0LPa
zdwGN6L^){fD0HnpCA9Gp0jb5ZT}6#uM_(!OtJ=b-Wlw`ia;rSuJxuiJp9wrqMMo*Z
zWm}nBN0BV4b{C)?UJK{fuC#It)|XVBmI{0jo;iQou;;d$h42Zv*)}jm-$$J#Lnb7h
zp->6Dce(M#S_xJ$jo0>V3%^@o#>WX1ANF*KM+eSY>3V%0k{CD0IqTc#YgikRH=QP6
zgo1QFQ4NBC1}l=xJA@Q+E2jtQj{_gryw1NU>JV4E{HE5+ZHf+`n?PrX2kDa5a$bDQ
z`d-H)JZztyBYm`JB&s5SUI}%3WN-Hg2CX89n7MyEQSQp}&0~auBh%^PRT+Tk6+2!S
zt20;NoxqN(S4Kl3z~Q6!w55u?&Q5)tWU-R4>_CvGElN;#Q&BnTR{6(K%w*o&M{Ii9
zSNFjkH5Koy<0SwV9lNszq;FuX`mt|@HqzSo8A9$}N?MQQx_vCsixvLLbPaCZ%nrhS
z75OibG*f3Xc2@w{;IM9?rga;ou2r&TEr^4U*2OfZ#du**CL-RHI(1h2XX1`jmEi~Y
z$k1%_?6GA<?f&@b4EOSQa~CGCd!y7$Ud+W^MR$|Ff2(G7yD?zqzuy9pYRR1eJ&|_8
zRX)an(~j5#N8@=ri`?PS6Qs4V`!>S|Z7uYDAgMfvvrx`U4S*|qt=?#^GDN^`Tp+t^
zz2Hz&o!IeV$pMRMp3<caNeLnPl9VAKJt7mkOU)y|#0uI!A^Ta-F}Q{Z@90(OyJRl@
zNy2@c-Q=%2;G|~4DYbIGj`z#W?(FEy5jY4Vb!TIAq*jJ3SxB~`$cyqJLc6NgRR_X}
zKs;k&XtXZtb#}u>Sc;Y9^5cPi5C^D8QAeX5HjJNG>b;%1n+@OB9rH`7*Z+Aw3C)HY
zoQ*Uj6|YI;d*~}7x|rUX1K=nV_kcqXrxnF$7AyG3C3Tgs4Bw%ld<$wP>Htn@gJabc
zT0x!OL0KILfm7fN+h9vG;|A-t#!mjg@h|zCy_!d1T_ANzOl_?6Q<GHfpjsM28Zcgz
z3ak3mQNvie15{s<(uxr4s71A@lMX<rT6|)QYxS4#7IY&c+e;&Vd0EU*PP4eE*Tha`
zY&*QejG#4f4mqA^nLl0q;TjIBERLA^4-zz8vm3qVyAQNH(b`ZW>K-3m;I_Eq2v@gR
zKqor4L_@vP^L`*H()D7ktU6X@QL4{21>G*=5mJa&Ul6E;FNWZJY4J*>37a1EG?g0v
z^)dHugLGOTuo6)t0h_9eYjmjkXwxkAD!~`2?G!VMCdBIQl|m!7yGTcAfo}JJI!d65
zsVnY%{Y8f7!+YIDN*}^&aX2b%qw4I2J{c~x2pm=kS@Gwy^UtIIv9m<R(T_Wq{vgFP
zG}zrC>@{l;rSNPAm!X>Cm+ATg6SbYbqG>H)WH8Dct8HK`Cv48GY<l0BT}cIOm`?D>
zo;bP)(vi+_Q?VkVld=fkh>r$xilUv$-hW4-kd_hvqcP{O7J~^SYjGSFm?!nJa?$}~
zEtX^A3C`RTcr_Zso|wsP%Vk5P0>NlDY2}V>hm8V`c=U}a^bT0lQQD7EOtwbIT7UE@
zD)esXM(op$d`PMiC%at#BMm0m+~Rq0*E;;X_91ap{M6I6GEA&J_P7)IrH~$)^b1om
zGNbMp5j&OD{wGmbH9N1`H-K^L^{fE8`C)PyW+(-0>8Wdl(S2m-N$4xl#M?z#SMqY+
zMObm6HMEWwc?DWqD{TJpxCEd8HdtKOqv$23yp~QO3q7`{T~wCn*`ra#66(rTk@5!l
zWDdBAL`G^{{?H0PLO}S*0dsnVl34%pV%9`lr}c6KhX!&XWg8fGuxmps(*&R)ia(8>
z6Y1G4XfbAvdrGR-la5sIgB^VWPsq`;ySdVU2)o3Z3vLjJ4<^oATb5k>Q$E+oEr=1l
z&zUtm2qk<Oq2Uk8K??pqsbdjxmY#T<BrS#whkj!I1V}@~J<d`Ov;<?%syrvm8~IG(
z?F9&<0aqNKA=ot+K%c*Z=8KPXzM)xz`dTjgFiG24e;ZnkFg4VVIX74|&S>Tnpea;+
zl`-@%7J_+PVYw3&6g{A?9PBs7CpH)9dA}wRSaIG`y(FiBO>0ZYF9qUTg-mEvpZnGi
zRpnRBL7w2fKWRxjVAA}%K?4^P+4;?b$-yAgCS9q8zLNRFCs35vZH=*~^;|LPqC8g}
zWW_07V{lQ2khg;8kq=x_p0NhxL87JXP^%NIx-Ik!WmImkCXUGc6Nwuml?J7#_^Jwi
z;Hq)~W9IN*LnIEGiMrj7)c;wE-T2qO6X)t1iCwPHfV}K8oxntPTV-A6=n^2P!un-|
zQ#IO|Daq|m3WZu_L*v)NKKu_Ji#=z|;zsl<QzsW`qyQ?9n>*!%{|sful3$;ASc(N;
zI6nn^IiZZ62yFvvo^(aIA&>ov+>+2cza|xS$C=mo>)<v1(8UuTL712X5(}eoO;523
zVV#g3TDu-)P}Cbf7n>Sf)LLgm5w={JK39_!%gducrgNdoHND$NsuN>|lkP~txGP|Q
z+24md{J`s{vKIs|gKD9!r<ap^0lQeuOG*Ko{N4s?^ot0b*Nb!??jW?p#VfeJUfjTc
z-@OelOe2FA6Wb<p$JoscHdxepg!sL_6HdOZ=+5YfasL-d_ci(5D|gcg-)@emeeBW{
zBj4R~!eM1jvuanf5F~#imwTrJbWK;RqN{ahs0R*JU|3VxvJ}<PG~4Sp>%N`mP;Vjg
zJ_4Utx-@0o$sCT5YwgYI85cZ$JOGX(o;c^O>_e<7NVHfA5@AM@F=#DWd^`FZz(qTQ
zTBMsEzh=k!_(A6~EhQ_g0Y6=55A|xTN{`a!FToCrw9H-{B~3@`Fe+oDuYU=iW<$$H
zRaqZ!RObn5{5o^cmFN_<j!z~qIUZDneqa66?`3*NsnFBhq8m!ZNDPTOBX$gy*X*c8
zfRj9ep+hj;ywWYsn#g<}{$_N(&tic^NoAjf$aXpln@;iJMU=_DPiwbO#Z4&6K+uW7
z+Z>e+>~m1B9IVwzr1WcLYy#btM8|ecIb&<q6-78Ak_8&TJmaTR1=0?muRdV}w3%>Z
z+Um;h%qfKC^dZvslUDu=FwwKku$aC!jJ-~8gy>5%=ay-vu+@oID!a3K+mrPr0}~2u
zj`0Y(96OK2ae~fPDyni|S}9O!nYWhaDo)z<_mvT8?Xr#Cp(u!?MlV8bj*7^ZzV1oE
z1B{rK#BCc*h}0z;3fFO1BMVGxpv{<Z-_xSSssEOab%v6P)Kv0QrAR{ZM(Uc>oq>28
zp~Q2890Ed__vJpm)125aY=^9-SPSu0@J%n`yIiH(_8nLA-lP`A>rsQBI6RUjL+Nv2
zE0ilh)dBum+OJ2hxx)>(m}B(%aR%WSn_6B3m}(Lve39$vY1533RbDs=&M7;GRn*~a
zM?O?+9&%~w&VDSr-O9Uqp3=O-YTr$$m7SJca%Q7CKI2;<KXA>RT(_cK5du(`$ltSX
zeMS63j?H<eXdbM?wLp<Sq5LmC^jSRW=NI8?HnDOi-;ppvVxafLB){9+>vtm7(B)Oq
z>EQKq4O*&3WQa5|;P7nV?j^%JE5kcKTOrekvYwjlUXjf;f<&1Kpk~nd=j8gUCEKn0
z?dld#(igp#PP>zr4#Al$42=HX8PF98kys8}e6Yu1^^uvydJI&783l$Fj-m(oq-ya7
z;+E&tqZ9Zq9i%yUGm52M)zVY2@basM_Ssh-p|Ue)OF$?k6@Zz`hsmEwx{@j+6z=N8
z-WERUw~}!atmZBiF9p2yHKEC2@+;egb47-_6)JM0i#8Ru`h_}pO*-F7s|7q!obWf{
zv-9mSD8@jqGBtt@Ur`rOC&WTax-oomXo--h=)zQHy}x1eG-P`)ltS)=nK0<Yd_tCJ
zKd~Rg9Pt7v+VyyQMPch2Sc=gTe-tyxv|00!6vxbsc=GMuXsm6}Q%@$GpKSLYgu0xV
zZ{AsC&g@_hsy&IX`wg1G(Eg|T@&T057U3wB*FduSlSz|^3urfCR(l>RCdX!=l3s7f
zu)}>K!>>nB&J{0Y(ac~sBuUaR9ESLop66&<gVmV00`oqqot5hxj&SXI0ZdXmFxKER
zP0f^dd<$m*+Sq@M;#^X1fH|4kAVOkL?cO|-h**gcIU@BMGfki_+d)YLR2ryI7Z|?j
zqfWPS03*&wGus_c=sgAlBHrgYFW}I(aWwpjkyymvFxfK*?rXb^8BZScprK(sEb^A`
zx{?_YY7P`(t_L=SJh{<zT0ugiwzxMtkbIYFo~|1Nd~X#HB$+HqR8w`cqUf-%#~F*6
zw%k*1)xwoXLzLlW5o80t+a<rxnZur3x(pd99Suco#%N-g4-gI4Txu=?SC+l&d3P2{
zsedM=S!?u6oTQqEnA1t9fjmeBr%<WGl&K!`GGVTDUscA3%#K-V=cayT$ss_9PW%L}
zyH|QN6-K%v1<|9!11=bpKcl9Y9;j{i_JT{cYd>Hr1Lc2jOL)l8%YMl)Fsnd`z%OjL
zhb(!-RZBP;4H{hlxiW!w5o$Ju&p?$Fs(wG2D;KoUm14@cgTS`29M(NYm%F?nH0c8g
ziYU2114^xdHj5Ad6W60j_&u@;{y+HK4P?<f;Z}VvGHp1Jh@)u7Be_$!h)-$TBDMCv
zOf?#`x9+#E`y~DXCpYyf#UgaHsL}B?dwvAM4)y8ozvtgiG=1$M|Dlwx_H_VqNZM*n
z_K;Bt$Q^pYpI(Bpceq^jBgxgLHVeLBY&G(4E0f;1_}9Xy34Es{>7#F;Y$ADx?}b$+
z3V1`v4IyXCzS;({+nmHx23@J`?p<N7>Ap?rhyp%0Vv2=PD`#Qt4jcJj;M_o)CS`U0
z7XK-PYfqha!;ILXH}8VI(=Df@!|S}uK}C@{srZCzZ9R&x4sCvWBHp+R8i=3bkV9i1
z61U2E9!~_&@3m~8c^-qMygD$oZo`uJvF7W5K+W~a5jQl8bK^pW5^{Nz$H3U|rTA8O
zf|rDIYs=E$KI^PaWVRMQuo@K!p-uqN%;riRf7jOiyS##E6;Gc>=>Rb@6~w4LchFWq
zcsyCeW)Tx-WG21H2c=|_JgXXV{9^(wYr^aV&?D<cwy;0TR0>Ax#L3;UhF_E|mT@8a
z$;>x1!%Mu}P&}$<o0VZ48;-jXoD^B&^vD%@c1ay9Zx7IhR<U}06P*9czrwDnDW+BL
z@gzGyQ#DNyUB4Apfxa}PLR*Y8b3PbTA`W~|cSWv@V=iSyy5$Hhlfjo%{1Kd(@1FJ{
zBaGwomGx~^^1BxlmkCo5FnrkLu?ya%a?c!yP}&3md8ckHr3GdguS(iHJ;4+9D)8@+
zLaZgUHzw<kr2#Amzgx_5U^p_L#6oZxZp>H&RXB`Poor%=jt^rqy5Ps-Ke#74%)TYJ
z?Vh&E+dF(7e!|9%70~2q4GyB=s#Bjoga5V4pGJ>@cJIMAQY>m)^1BMbC@d4~77GCy
z(|rA+w`wYdo=P9btrVSeR6J%+O+?P3_K0Bjo%JRsVf@4-$3Adft9exj>_Bgc3Ws^}
z@Y9ljh>ufC!*~?=pKAN^9`V+(l;;h+3~WaGxQBkv3cj_zMvuy&@@wpT%yurlD0{!$
zy(q0UL$&<a5IiQ~M~qs^fiC)AkH--d{_|@)QWsIoB$lKlh_%>YzKo5-aq|uXE*WU=
zqO2#uC_WnoN_*t*6zq_p&~#BI@AQri&)U`CR)~3-g5r6s1R0EGMRfL|0ULJY1Py?U
zT0{(W-k#D%%31A9DaQu~s&xC)QX%PSSGVj6o+iBhz{L6Lg~?Hxqz2mA+fL?1z2FTL
z9E_ueHf*ykxwfRF9)0x&p(z8tqDaRZ4SUFk`)P<OVN@X$qFX7h_arl@W(W@y8ldwR
zM~_hBVwks<aDf29PT+fI!vhNpU8nb0_#54G511EZv<jbO@bFT~0f)0O?)O4pFVACF
z#z&he`dNIjXh!8sdQZk))es{fyP5)BGxyZwOBFa$c;D?drix3(3@hWzf~)^4X`Xs)
z;rJ>R0ghyVW9(!KUK(O*ZBiw4+8>-uktQ0e{Yo*N?bQ}DPMOvRl~3!F!+t$Q7HvqW
z)dxit{D|k#jbaj0A6z(7oxui-nJFXCzW?q@X%{=0H&inET$S*8KlqP-O&=$*04!aK
zm?)5Gv!<c<j0s%)g#GxO^I95?nwSgA6pJS}J%qXvk}{!h6WHpNY0Qb{WIVdFi;a!8
z9(j*E5>;iJB--c|c%#mo3YjWiFth+Kg7Oj9sFY~6VlK#9%4%P67MwSo9?#X3WCLi#
zQY4UcFBC&7iv?XFlFpdLZLULw>XSn5!|wd2<6!7u79Z>ifC=cH1m!w$TFeMTy*vHz
z3u-6u`6{(Zbl#G~kuXfP|4Rc)YMt}Ik=>T_zM43iHPvvP6E~iWqM31+utD>T$34y)
z&elB~i$}-E3sqi=%^KZNPDxnB*al3qv3v!Ht1V^+YWC*f;i%JIH+$7$m|A*?;c9X3
zH-XOs%X#a&3k&hl!@3wh*Wf7)j*~6tX}!S7I=jIZaL>?1<&~K!VWrpqc)#`e$S5)Z
z*9Dp=gnnt3dZi{s!SkBirqeU*Vj&~npLme28^9>dtKaxsu;sdt6P~&OpyRX4T(9F9
zF?7;dM%G&)NR0F^+_LI9*SuZ9kicQ7Pf8NVKk`kdjdUHDD4km9C3ePj%ZmH_ZpaCN
z+)8UtRaBGkB=|zrF>4UdmRQI{JebyhNcWO@0wgO=Rnuv1L~EqgAW1vT27uobA|m>%
zhW_{JO0o)~le@{$?|l%0<d0aBlQtsNV(N7A6pQa=rXj??o1S9e7>Cb1HYy=?jA=DK
zj!Ko4@rmpn%(LgOwqra-NZLccXs#wK${5f>OSjWkEL$L_JSs3|TUmn}MDG_=K<jj?
z1(9ix;l?w6MS05`%c6(@AjZy%VG$CuA>~{!?kO3DY{!iEzF8f{fa(4EKz3FuvFjg$
zte9kH!6VzmLsBz_;j{S@YbVGUdtA+L4>@O)AWPh)Sbgh_gKF)3ED>f(TgC6(8pMhg
zSGYwzxu7$aPQqL&LP3Y@L4GC1h&OINjSqsF({~pKEHQox$&J9j6DZ#I_A#6UvC(=R
zd=0b(tP=tvwu|uI&pHpeY_*Dk=Odiu&Ee&x40~DSPeuEP!34Yv|HY7%yqp98a#zp<
zYiqxzDuu!i!qW<pSs67`W(`(?CTdXTOtOIfjhR{(Wz;2J8n%MyF_o^_PIvl(11^22
z8pKOJtsd1tN}Mn$;L$Hd&QDqc27JNy_cyY7i#v9O`zLT}Bx?|2e<5w+2tKX!m|T&7
z;)<l2(@Au$)$(?Y|4t9gc>`<w^!V(;!>}Vv>v*LMwYi#j`=D)R(daHeW~??2G$l_o
zB-8<tXa(5zPyn-FulelwaKaSs0^3EfZ1xnVCK&3L5mv88HBc>i+UDM@aAmDXD;87c
zY6qg-x{+XPXu)JmK$>(Xaq{RPiXMqb>Q@Rk)06=h`Q{qatseGbi4X3y#<2YzSW9{T
z9eB840r`AVp>A9hnu~USn;9h=wSxP^qUMlZ6j5oji0+V4l-D8Z7jxK~ryYsbv>$>U
zRWN+V2g?{WGw2-Pw;Kq?ya-V0fhypJ8D44Sb|q&+Zn9woU63S{?R6cn8YMv%YSWp3
zHd?b%#%+s{g9&`;-e&MtCy=(WBkVlOZ+OykGeLD`=ED@4iS$jJz$jo(uME*^$;9)@
zir)bI6{~7y5h~l#A0&!fD3P39%-VC-p81ut=%g<N-5~MvuOJAGUuM}c&ztq!ey;$`
zTVCv3w$3$|QLBF`_2yp`T=>g>U_wM7!d=LWEA#(gu`@z_BkeD8jFm5%isW7KZZhLN
z#yEDIUhoMzikB;CUZa*Z3Sb|suPY1Q^AyP7_eUvn^UK9zgl@2RD+fJ_wvevq_Qb<+
zv;Kg@lyG`ouhVuip4!#ni74!mYk@JJ;V5+)nliY==W{Yuig_vuA;;MeBPFPT!cpw3
z60Z&;m(9%Bf8iRO!MpYmv77{A&ct&L{<-Ci-wjF`&BO*I>ZevakgJ|f<-LzwV-ru{
z6;_N%8ZAZOTRr_L8qxZh!+XJdy$5?ub>WqySqlFoRi?$>!`DKnn<Ri*#TvVKH7z}F
z*oJTBzf)m05MWE&$(8j(^tZWEySf6fpxcGB!yK)+je+D$-71@5o2j58J|n~&=I(r<
zV{XjVyRO9Zd_Z9lZ!reNmX5Y^xVoS<bT!pgJg%*)8LbboG#(_pfHyWuQPhcf@;F!G
z^F`6nOBE*2mjA-wigE}*&<{&Xo?9Lx4p3hp4K+m5TwzRY1|0)cCuC$4d`waRZ5p7o
z2J@qCG~<7iRBoNRx_jv<f{=Cg^f%?TduPR{99;Rn!TN~T)R-+Xa)18y+@t;ST6%6@
zXD9@D*7L%dcc=za&QSoJy1+sTF|m!1tQ~DgYo>nR!LOIVOMihz&3JgpBMP&Ujt!gp
vAEulF@egMgamEtelxn;vY{d_TKT?I4TgI4;tu*kjONDD{FBDhDQReDJn=d*U

literal 9902
zcmV;fCQ;b{M@dveQdv+`0E1cCQpx5Sj91uNt4DxCGQq4f(3fd$kZG^=d<8G&yhO?%
z)%MSAG_n$(OWf2&Ky1$oXzkR6#ol-MO^rYKY%dnAs-kC4v-dxCX^DD$3V!qM-}Ey<
zQNovA1~#SrXZQH52nL76{s=#FCl~r{5J}*$o9ic3#AP-x6Ssv1!4=uGkN%XAG5s;O
z%Kaotrz^3gMjCc-(_PHu|59MekRB}tC?@Y@mS<0ia_V0gH*CVa6h>GD#)I?^TKZzl
z2XAk+>zVe{fT`O>l?Di})rBk-AZUR7YabVCh{uFB7x6Ql!WTne8+51W%yPJ=_Mp>F
z#zNu_oLi9tWs%!%XfcSpH1(iF;2es^)_ECzRVy-A&FJ&jrEt9Z9)8yU&$bRxGT4y0
zgg;p0_~aX0{7XQFOEadhp?^Yk?h=qNGi3r!uT3VP+F{?F@<e!O>2|HdH9lvmU)@t@
z1Dgi@<*@L%On+u(@K#a*UhvEh+)^3sduku@R8|DpQ)U!BoMDJt+Y<DK!}B<=<(|CX
zz`;E0C4=TtYT5z=Mwy<75?&BlBU0aK`ZY9KDHZEe{2WrnbzZKctMtw2^k60){32AE
z@a|?RzsEloksm6xL5tTa7L}z@-^_M-4ms#z*L>1NJQyN~!R!1ql8vwUb*%|Tqd*XK
zsOn?)CwcEEP{L#YvFzh--PttMzZX%6Q-Y<|2~nMWe5PoXdGk)EmTfq!VuG~SseHat
zvqTafSKEAzEIiS(bMGznsWp=L?dQQzem8I%-Ot>$D00VY1dzSJm}K5ZC|q)Fus)r1
zI>8}?wu16H9Zi`y<*_&t&BvI;am*9?Bq=QZeeebEMntuG(Wuz9Y!!X;a2MVDIhSE{
zz+NMYyL=-oplNi-&<`m|6nzoy(@S3^4<UoBE;GaEs3|Q&D^4`;j%MLKe)rP^cuN3(
zhKO$laKVL{um934wmN#8KI<Azp}ab(yoW5LTP@sX40(_3ue5s<Xcpq$wP!ayZai5*
zsX;jxoTJoyB88<jS%116{BV{O`*V6>hD*(myg48b7h!UBksg7u<V_^ae|7RcI1H5=
zj3zMgk$y{Q^GMkBd`qd11j!Q&1+S`B-EX)O#5^0{1+3@Ux?Max5}^Bgip9Ogn$|HY
zEj|7DAqh;74;l#s-0_|Frx1K8_#`I~-!mj=J{eNO2>?sSHmnznKsE~$pGzEe?Ur?H
zA|&}BnQ{Kqfo<Q1ccQ}laUm#78UF3Joe@|}{2({><ieTRW$jscG_Ir!Al~Lb35>Kv
zA*m{F+sCUtLZE%WN`U;v438>_+!eU(VVk-TB4<^WN!<eAwa>Qfh(e$%zVAQd!FKu0
zJzjS13Sz&he@g;pKS3zkx<`{2Hh<}Utj9wj*iJ!t>@PLWf%;`z#Fm#r@dsp*UhcQB
zZJ^g_^jjPEGwO7w_+%f><l>0Zhx}mc^I00EhqFc`)!-qNgp7X#jzA`@q?u7Dk2AIt
zMdb9$uiS#FGS!khXEZod3JPr^KATyV7A*a_LM`Bl={IrS2a~UMw$3X}e+{B{SeJI8
zqMuR4sCx#Epoe+BF~F`)_7LL8Y_@vFuOy9Kx~nO5=~`l^Dnc&H)J)jJ#1RsxRnnZq
zX0}{TX@8L*0`;p8D{bNl$jIDV!L)@YR$)<xMdi?{`)eZE;2QbCF~*xM4uX!ontp9j
zyjwyk2+xOV@5*?S$j-m?)qh9S{<orvS18Z?K=2s5Da{uHnq#zVGk6T4={SOIDJ3&&
z#=(o1FCK@+0Cj`6vFC)^_!ktrf+XX5{r|YMf~ALMe_JQ2h>0aP;#dhT&Q6D)p-gqD
z4gmFv{IUp{G`egGA(OOa>-6!z_|K{+|N8wl2p#T;+iv<8!(kegC|pP$Zpotx*FAr=
zz_TB_&dGj=C|_vaC!Jbwr%t~?o0U>{U983HwOuCk5YDq(PONPI*%y6A#Cu_}h0&*N
zu~@eHM&W99j@bMHz5%qM4!T|B9SKHLD`0^?@yXC1)f9->8u4cyFi_^0_`tidmiKD%
zAMNjV555bOo!~SyH*UlN>RZD5kY`xi8Lgw{ftq5Kd*N$23kqi!hukzyHOQ`}^pO-w
zBVJ7FHUG24ur5HP+46Yu4fKx1*pf|sBrHdrT%S?9)w!_(n#K9W$)1|2NTZi|h%NFh
zQKu>$sAWCF{yP*w`VOQDE=}g@qDy`b!vX&86_8a6(DG|1eOJ{uZbc4q)6$yFePY5I
z@(LX8!rIqwpWon8hiTE|_J?y!hR3+FD+P7i8L&Nlj*tqs32l|?X$Poi;U#;25s}vT
zj{1&bAe_)Tfg?&TCVZ15Of0nF6}-5_fa*Gt76@omu<pfhv0c~`FqBnX!9SAJvJ-Wk
zEQcMSMX?odvcY_bJbnZ=7lA!zL5Ema`WtGEdy>lZ^TFGS<xUUVQE1G=fpa)UP#Q&P
z33J88pvQVY4eeN^t1V9?KWV+MPm_WPgbnbG!GoSvC@}JBL<h&(r?TQ=RCn0tngxoY
z_idN0!<Mpu&I5}G$9rG`Y`W}6_X3G3F0eoB&m@wPNe&-fkO!Wzv*ZMPs+SSo)<;MU
zV_cZDdvDDiwJu)u$TH<;uTx0=9xVH>ZjypXfDznAt#hQa;jd6JBe{%cbtqMyoGgE%
zqAD8Fo-Eg+6S>pp@AxrK;;Gac@yb&JvXwP2K>p>=Lj&zGP%G~F)_eP`&6Ole+g7Yd
z(A2eyWYGrvXut4Br=k=L5wJK{S0{3?Nzr#Vi5sDHiaWd{Oz07iZBGNJg=6A5-<mNB
zLq;Ud3?`Yo4F=+pA*PKz-?5+HCL@k0v<d$_l37edWj7?_=8JWQM)n@q(tQzu+8aMS
z?HoUpix~dR(JY!>YIoxX-K>^F5s<K*$PX9po!O@AsaWh}23_BkjZC8=<JGI=X84Uq
zBb#PABkqMZ@u@kN$T+I1ObG6-rhXV}?6ztzQo934l`BW9*ZWp!_(9n>pOb3=5_F#O
zgFQQ8x|dM(%b2%~-QXtN)cU}rx%97ngwUIaE@M3a=-^*jbi}$`fMYfPS}VZq?R-{;
zIlsxtpOVdd2kns(q^1M;7`9{1+Gf+KDoVacXmO{%VE%Ep0rv%(+^mt7WOb}{2giB7
z`Y234>cHSOGj%!h#96=?S+r_?DK)x%3akgIC?=XS+XglVgkFE?FL<WEY!2+Z?hCv2
ze;+vbttOj2f9+balex#Q(EajXZ`6&lYhjVOz&HdE;HY9}?9E`ywo}11h@K=ez6fbA
zSy~sWIl_-)?jgGa{T!BVDK<~|IUR+f4=YM&x0dS|f!JR>$hOl+^BXgcLc8TIy(>()
z#Z=D$ZZ?7dph6vUbc;dzx9k42_g2LSzhB6t+4{`h5JVl*veFq`pWaDJT^K1#@xPJq
z?fhU%(NHn&E}zFyMEhr><33Np-=$rZm{uknU;JhU?R)P^?XzqzKR~}Q3%`ks+SgCk
zk;1&wu{zDDFrO5{V9U*+VcE-3{+7p^<2v3THXrvYhVc!>sRP`Fmenntq*m%35$?Jg
zMk5&ZAZ7~~mQTojL^#^Bp@qHao>U&bGWgi>?}ViD=l<fLkc@a4@WeYrO0TE)j}XYF
zWu^q-{aKFU90AT&!IIE&q%&1klU24<*l?0UYn4n&I;SGP=kF(r3t?i_43j}KR3jS-
z(%1z9Hri-To1Sl5-e8gEZr@|iFBAI{kBBOxxgKf@cWM=SkWCmbBIyf<d!FLu@lSb_
zvX>stg3!qOgENzz9T<$)b_M0e1?YK1kJHOaVzl5X2h-YeWs?8eThSY(ZW{$C2vwn;
zZ;)Jae^2Sy$Zv;A3%b-UF^lY@<0cSd3E^g-AycW`)HGHof{?-8C{R{ePodNYe^e`w
zafix-Jm5H8eaf)fv8|7j31waD+3j<(?MXm{2d?fAkLl=O;gpjY!7P8@FqIXlbd36r
zu8ZbBdVdy&Zb|ih>@gP}ZOJfx>}y2%aJj-U*avvx`&*tg-sV;~%?JgTDmP3JIaL%C
z>deyIA*=pp&oHL~(ol3stO@LiBe0H3tIIOxyaD<7YSo$V!#uQJ?`?hsc8ejlqz>vb
zJEmQQXz#yc2dITWsJ&$C<kWFTnwLmpg>>vg&Hr#<GFhFK^c})-lIvPQ->$`YDn50_
zHbAjs0%b9c@s1f^qlsD!e(Pom7gXkluApA016k;5M(K#-RVTHP<?iRr4VQ)tN0D)z
zXHn?}_HE3u&|SZ|IXrY9??88`s&JBFw9=WX&>TSE74YeuHq7Q0NpVXUpZ&X%_fGEw
zAGab`$%1O>0;>eKi=&q1(5TIPJ{0=n!Yn}Y?_fnzi6r&-BL;OITv}IQXeFezwq+R?
zqaOM|K~<GammGE%M5V{(dVT{EEo(xIAOa3^8Wq?#n}iT=o36Y@hdT~W--gH0^D?9b
zrR<{skMqE7%1jN!jzaGF$Qi;;-PFTlHXi1rWC;y9!x_L9(3Dq>Bn0gdgASKVo6PAh
ze*#TwxQT->YGKTk8uf7yr~yJUac9O)%MLva!_A^>47^RwT3faosQC@jz^|q3KVmgy
zkTes0v$QkFN0;tM8D|F(i>`(98=9egCu$3+bK|I$k`X-cZB7*Vau0|CDvn*fGTI|j
z!LsxCc+W3|oJ!X0+SRMG+Q#cF2L0K1)a_7LqM4vABLqF=CHB~bpVky&1mk8!fuF~T
zn)}gX#=Qls1!5>pm(NfuPF8W*cte%I#>BrY;*KN|jlVWQof@CVu9S%7pv=9j!#({B
zXIf7YgMc|h#bBp9dyfUm3Le5RSaz*VZA&R2klDGKg$;=aZ#TK<^cb}V;0)i;kTZ6T
zwaH)xFAB#}N-%4yo?qLwz=Gmcv;~Pf{R~+2pG+luQ|*xQv@xY6R8F+j$m3vj*O*7^
zy=rE71o~Hq)YWFGSXFV_NMCK69{$9}09T*!GBxiD->Sgv)zPRUi<nT>`x#OQsB%=Q
zB@{zXv&b~i7wGZT6_|W*_RkMh@F*M`ZTp}M$9(S3I#yJ*F@B$&mHmSaOL@Ow_hRrR
z9O-qOQ)P82a(*D?&_hRDBVSjg<nih>oE&TKXho^|k)^N$w~_1M^MFDi(i8$wfb|`S
z5}%&!>Mw+_c0)#8@Xw3$r9(AMNy&}nxTBu@Yw7LjR?xC%jeHs%4prdx*$~jb*rgZl
ze-J_}Q^;WY>uJni9JZta<{h^le56mR+~nmFy3uU-{Dd*VOOp<l^VpqCXH2>-$3T}7
zuf3+(X$ax%?{~09A$Z*7?sFb5SdLd1o-G-Z_rPisr*#3pXQ2(;Nnd)s!QPsGk_3i|
zOcg=unn2T$D!c=;jdV{>l@)oDn>^a)RJzq`%MjD;{hlk^S*mGZK>_griL_|#%8L7O
zpP-E!CYA)d#R-3;>?y!J^S@+4u<>I=gfDSHU_*nGJ2lJ0S?hL?zh{i}pZ_L)J{hj)
zF|#Y(wnh;@!<>sm0ovCa_=6)=QeUq|mQ{|IOV^B8%E2Z3(1Uj%1x-|KU>4K|tF1Rg
zD%XllHGWs@+oS291QcU(KH*r5Fh_@l?A>S(?TaZnm>g4F?iyBCuhg4;Y|*RyKN&AD
zmBuc$+$lofP;O@&W$Dr8dsH2u*;0UG%d)_0moLB5{UA{p51T#$ZlDo!^NC#n=xz;!
zf@)C9-$qofBGm{_cw}`S!{x8KuD%)->Jin($K!mUHP(euv1Tao@m>%^I5BemDJ>>l
z_4G+CPB&!<<NSO0jyKD<Q*H4_jy-}tD_u8`51ZoDc*6$FtAx`-lwxpXmNJ+ghlM5~
z4+?Ulo4E3iLI7F_OG9Ecnpf1@J*M}2w!PLXnlZF&Z;Q`Tp>HjZ@vx(*OLtoU*YW%<
z0(RnNb1RfY`M}3P!B-F)OYRxQn%0lXgq~4wCKp%aCgn?_@|b69XBkz!>4J5Lg?SBV
zs8u42YT@+cZ)(>OWhHD*Bk%bat`OqI_i8@)ZTB*-NXnb&%9XYtc=N{LT0QG*6|Jf?
zZYl96rWt$S00^uMuiIUJrJ`DLR9dVAX*x9^#SY}k;QXO5Q9LTfrHUkT4h+9XxRie5
z%SYQCBpoKx5!!l<t8K%<hX11V@)-jUm4D27q)-;Y7yHdEEk8P#>T{fcW%Hw$VFy7x
zemqTG7=ffI>!F}pGgfp@ROo);KyJOF?qHq<hh=q4=<oeRI(w7HF4(>TSm$*kuBsVz
zZy0+p69)is;kxr$C9#WYxqS?Hbs^GzT-8AC8;%9d<a^K-PHTCnqaQ>;vDn1-xHDjx
zqd+#<*PmiXt4D=gd(fa$`A$;q1x0S(_xQGgKsF>&Q^i03rr+u!8Wl5l2i6T06?{ws
zO3xryy4^4ADSEc)`Wc8uZvYhvwp`?C9h$yjWpz5~8Sr9nQ1aLsC!K)uZj!TzWwh2u
zoHDI6OI5Pr`qB9)%yy`-R*<ExX@*DCTS=L7Z5;*v3wfgrCe##geCg9q&N>(SzlX*E
zp*F(G`r{n39S<D(+9ffd1gaTf=k9@2^shFX6ad<h01dLtQLqsr{C5*c?OZC45H%l;
zYN}Tt!`7IYd%d)8X<lwIpna+jjoS}189mRl4x4U{=HG56qp4PBjOSB2anUCJa$-{m
zOsFw&!X|UAqLtlC6KnWFwQUN*8#wDe1&BT=8>GU{3l^wz%c>bILUm^%NRs&vNRu};
z2JhtjWZGp7q!8_L*hKl4p;>%J8lS;%;Bs3x^OQNk&(D;gw82_PiQ7~b0S$uhBgPJ9
zX(6FDfiGB@>f?3lr@#Bp#puQr)vs7*WR%&#CeQZn+y<L92RM|F?!KWB4;9Tg8kg9`
zxC7ZEWp`Y~v3!FlK{gZ#hqU0TWd+=Q%=f-!ug!C}CV>bwuDX@-53c|~-L#5SU*P2X
zi+hHXe{b1?qKM+DR|G-Nem4`7gtfG4xfOwCTyC(jj8aqrkXfsj2ZQT>G!$8xm;ugM
zrtQCh*VRi4`YJ=ZgF-bzPKL5+Vi#t<K-O6RX`bFJHG*Se?lU;&{<H5;2enOUo{s6_
zqh7DFwxkXbwQfuG-5zPo&DkenFQIC%edN4)YvMHKkxF}gN;V?ZKd&`TNZcZAnJ3VO
zuAi>cU%961Uaoro#&eZ~GGv)xMv)r*EFpIzzkAiX`MIoKXYix>Zfm-De5t)L7*CL8
z45D<1My|^A4dEjQBvN=|qzopS*sD35IT@oem$<r=9EKTMj)l`@6V={=C~M~3MDBf2
z%-|L-E2Lnl|Izr??1&c~ii8PTmhQEGp8(-6$B0UVX(hFN<-m5yQB@W+ERs;@GwD#E
zt5H;>>{773D~#H7wy8jGI`#VZiPF@nU*eoR8O_|wF5_@&pn+o9@kXYe9aaiS_U#mU
zxi;|phb&=UC#Z%xH#zU$Au7CPKT*iW)L%<&ucMsCj5CUP=kDH-8x3i|Egi_PkVcLb
za2Pn7Q0vGZmHgOMHM`1>(!S0+hV5MnnMOe!(mV*hmU2;?W|^Gm-$SJRgHvssX2N&t
z`g^>}$?L1~N&TUY?$@F;2RxBmP$7T5UUa$4&Yc#Cr-C<utmT{nOzK-!a?{B<doneR
zp!J6l0Z9U>ksVOcBhN{9cu4}4?!w)N9u|Xu*$@-=s_#k4`UeCrv0bPN@nM#nl*)D%
zi)aJhPeVyx)$%u6OMm7n;in>>qZgMq=nU>iy9xB-z#dz1Id_h~5flc=&7g{{%bqp@
zi5gOTsk5Q2S6*>d@i+xo%HDGKzf_y#4iQDnCG6?wf6xZFdGr&QaSeOGQ69RcL>S|6
zb&oc8fM2^yGqxB>I9zGC>#k;tY(`EsaU^WpQd)Ws=CMSjnUVsF(yPF5RNk_lcZ~Un
z*#A)oRECl|Lq%vD0BjD;NX9g6Nf~o>s94I$uEfs_d5_6FrT8Jut@#>a4BHTN0=y3*
zmlj3tJ3~AD+brt8l|>X>RIP3*>tV#K`x%(%e^~`u^9rIJzeMzj8&}o*1VksBxO5}`
zcd5}fj4lCAVBit5yD=hm$-29q)fZ9TLpE0AU^9Uo%!usl0`9OhKOaSD_YyCp#Gz7t
zNp6K`zD3!~+Ye$ZW9Dz5u(@)(l^QDD1rKn4So{@0RA5iJVi{4Q)c_)Px^bfeS%<S5
zd@z`w5VY^|Jr{!SpQnW`A-bP$gQv_ZmC0-GtK$e9Bo~0DrPerj{o^&%+P%XZ@rj+K
z+dbK~&@WwIHR*xZW+%k__PjfYkRc^>Xzhtb_(mO7G)sUT7(mTJ0-(AZOe6DhcG2zt
zH83?kQ=-AQTcEAT*(ab-0(4`6<kc7o;v=d$^y!7A=enH5dp#C~BaY5!q6;12?CowS
zquF3F<F0>ATBp^;<w*1O%pdWPn{N~2fusb$gVSNEJWBZ9?`qoVMu?OPA!)|Wm0HWl
zXty~nx_Mu-!Yn_g+M5cU9$sHfhU`*EO)BQ1%N<h%)p|~#URve1mVLtRxR%`FJZnL7
zV3Z@jVU|?uu@XM&l3t>eW8<-VUFZK<g!K6@%`)+AgJH@Xts*;6{KhR{0v?)Fi$}{v
z<7b8|3B3>3^&KgRiqmT2AZIDz3mLu*?UPsiXlKW@L4E{9N~5D~t+>Xj3#lKIMx>Or
z61Myd%0yaJ9UwFd^&3(c@W<h!H_QL3snqC<u8Jjo5~^0IEYUv=|LSPQQ6Ke;003TB
z1DrqOu+m@MTI+G`_Hg_VsZHS6!wE9OHwxrq1+$n5bzI`2Q(~B>dLz>nPm^Z<USQgE
zRCYN3JtaI^8LqAX;ef(ntQ-PXk}78of7~THg)5Pge@qs9jfwi7i$1hes<V7Xj45gu
zRwUTwzMO>P`KMs9NLn7#1Gk9d83Om`JKCyFIMOoSclThcIHUGT<3f`IzoG4LLxW2L
zo?dx<G~!Zf5@@a+6!$$N%|A<Cl1%l&HQ3l1#jH5e+dt9{#5_FK^W!9NV?6kMO&$~H
zIJVYISdg^Kc}sD@S%EGYDFi;FLkt&sJYq8MH-sWEDz5q&B*vj_Txb!O-Yzb7ONm;j
zZW*N@qD6oY$+@p%wjqV(En;_D?A$@Jlzhzu#Tn>Z<6yVvLeDl)!-`>9-@EUS&8GOW
zvZYw6R-s1#s&I3BMrJlMzCX*xB6Y&`344(mFD<BLD`*nMV#eMSG~xB~FHhW0II~Yf
zVHMwRT|yh4j^N*C0w@`(?|+hyklI|j^Zwc&kaK`}y1FIFc-nOTZ~kp_Hl%R|v;I2H
znhPzG7p#_RBlhrCF9mpUr(#{xvj!aYG~GY3&GXS;&I?<TL`zG*ttBlimRdIWEkfEq
zeG!aVJDbDn+uFIFK{0VD%!zT&-lFOld1rc_mP5)^o+pjYXeif5AKslm;8<8>Z?~-S
z7{`S7#F%K-|NAa8#gi(>dV{u+dzGy2g?dn2lt4OdlafGOObU>SK8wB(3RzEp;rk5v
z0lT>6EZEF`L}VABxBJ7$T@kM5_5J0SoNA8)DjzNgF+vdhh2hYpSQM_Rwdk|_aiwCE
zYt5#olST|}3)?0^7JMw4Q(2Sn<~gV@7;Nt?Y=@4v$zjWz2>;`eMcI~eql^mzAwpY-
zwR5!<MfLhiFpOef{Hol+a3_2{rB#nUM|0%;J9!DX^Eg|XRD>1B)R0tttDVjRH7$UJ
zUX#aa*imH^pvlJ{6vGZ3=qMbo4d<F1rRs6dBOjSD_^IcWh6!-*ze;LFOKO)E;Pd*P
z6f?WRvYAJ**eEbND5O$yIsTV5u>6yi!5tuuY}?apV&w}>XbB)_YYaStF5VyK=^>rS
zQjK1L+E$`e%s!Bfy0*6aYc=&~<h>!@EQC)g&{X^NT-5p=+4OHXGe2~8)_LWtkX;SS
zHoK?O-Y&swNu6_C+?j1`vi+~~v>4heXcEQhR~d^o+?A+O*KaU@yq~$PN5D~~mZVne
zK?-Cd-1Fm)YGc9g!nYRTCy^SazL0#<S#olm4UwTj<G8y=YSs-0JZB5EYt)uSKGsVT
zf~jT1?Az>{bbi2#014N2uK5TE(F`I2D4hhvY++P_YfbG5uFq(yq$i-3TL{iQJzVdh
z%O)5}eTAT}(Nggj&$`_m?<1vEOOkU(he`LzbunmQR|-|EBo38CvtvlKR2H0g+V(I@
zXgB(5&mGolKMOs{Y@~f2ud_?~|KVIo1FUyHQymZ$wfk`%w`><<@eda?Ydp{Wqy5>a
z@g&a6Y~v}8Y$7!A#ivO-e4Q^S9(EHrdgZO(7>3;}B7_YidK?@&;clSfiCf4yLhe%}
z>W_=`{Q4moXJZx_PXASzVON@Rqz#`d)cmdpeZ_IOIlh-%In8^d7#U67jYLyS<~V}-
zW!NepV@L(j0>k5})sDaVnGT@~9hyhmv}Y-L?ot%uX0Bp*<wiOf{Pxg7+X1QG-u$@l
z{<pW@Jv=w0dXu9?Rlii|@@B~%w};D4PVGM8ULiis^iG^F_w)D7=t_T5D81Q8u>ctQ
z><9s#j}doo3(8^|-#Z?n5WJNc<6%ee^J<HPy{9_<yJLS2hGjax!8}{TA<k%9F*sSY
z`vNp(!Tj%)$V~chbS(B-q_u310J=K4k*q6c@MWH_vS<bp@)dX`p3dpN17`ZW?w;In
zn=0H53B-vSML9`rxG9ADzP@?K^vs3MLR=KrN}hiEv)-sKf6cvW_$zJBZ@ACZ9I9t?
zTHRv}Pq}Y=kMr$^=0E7VKz_adWo5chX28SO__$fujF9X&Otp(r+$leL#t9BXG^m7!
zFz5=N#k2I3b^2JjL_GP=dz}#aNZ84h*sFORrgc9+5C?u&<792ApmGOOdywUdoqz&E
zLgwCPC-VEm$)PR*I(5TVbygvhR*kdU<*Mt!Q3_g&F)|eO%ekShMB%VQ5!9~r-l&vr
z9XOo0_nBym1ax)6!JC(+%IMUlkPETee`{9~(F6x|t^(4`_#Fq>g7T2el!Pr6&<goC
zMa&mRgN{Pb*enyiA0VMq<0>MJCmeER1K*4(MQL^0i^&!~My6r_a+g6k`dwJLXLzRn
z-*jP@>EX1ARNVr6g_)#`V^1Tl#{F<^cx1kXa-sqiPBJsA_@NF>Ce6la&hvn_KAJk+
zuNbkb&R@0?5qrp3v0q`<dY_ji+#I;TANg7DmR}lr8Fx9d0Tj?|qj4!ebD#<}(^eJI
zq}|ACb2-B~xd=c8o4r(0qt+O2xGy3Z-hpl(fX`RCkofDwB`c-2`H1S)j0i9h8$Hdb
zqfhGSp7rs@FMyM~vOkj>c%ksh$NM8MkHo0SD*1hN1ifi1(3?k(IV=~{2&4(f&6Om#
zaB;??a_hx5w2hx;y(JMU%pK->wFzP4$@KI8G`)J9&%wLEAzyW|1~TKRae#L7jFdn3
z`TWov?VOZ4K$hHat)l%Q1nxwxtbea*9U;8J8QeVKSh$#YD9BBxsJ4fLp9yrGc1#!d
zc_^7^P150x6k(fmO@}_F=FCkw6;3tIvOt?b1gP9jlqN#yWk_{47)%RLmi?he=C6Q>
z-!SOrp1(qKAFE3L36A+lU<fst8$zrzLh_gQ!Z8ECjh16u{)czNb}l~=ut!y<wyC4j
z%E?S?dSAsfq2oE}d?Ds=<eC@<hJ(1$wl)>%22KeLqZwj$d96O%ZQ}nKp24O8-FxG#
zXB7%*d{OO_5G?DgAJ2McI?GX&>9KY6O1^1AVQAfs+72P$L>y9&F)7(v&90aoVi!g(
zU+%u9=nrEQ$5axU=SdHJq{}=sT)ga{El~jkdbUyjg~ofYV}lbzt1bz^FD)^P_xcTG
znBtyBbG0+eD9_axckPCju9GHF5z*Y_nK-Pn764NvE`ud<|6I66I~4xR0dk^S83{p>
zv~^7-yr_;v{6Ad#NG}CMWS7}E+wjRTHMQSnb<@&e=Zz0{)kLh`1BOmoS$4ojm~Ugz
zmu$}df5^5F7PJ+!odX15SYhQx1uSP#wc?BW9>DL?n?&u$(FMVQ!j$3A0vd#*ekKn7
zDKEN@U=l_K)i|AwX6m#l=vM~{HJS0HNM(K@^?E$9XrGY1a9Gn6$_<1GC^4Vwi?FxY
z^NJ@u{92MtgcgpG*v8SPb0cs*C2$}J2~i+@`Hc2syxmKrQ!R)btHpSD32w?M;x{$N
zhLud^&j^dWS2}jBtX?|y$%!U*rO96#qq4Ae-Z=m-gE>uC)Z9{iZAXHDfVZw1B7qEK
z+d?94_G466-RA15LUds%;WCFN;??3uaI$IzGsc1`$PLGqd;1(3jCaap0kt~bafP1t
zX|nN+1di-mZZ{zKb6)Zh5nNu*p4&G6<0c*qK6aX)m|G$+TRI6I0$!S)8h@oTQ=_(p
zQ`5r8nwTvin22m#x)zkh`@q97RsD>`o=XZ9hYL_ksb}guJJ84G>>Wb*Kl3v{1FbwN
zsm0X3=AwnH$so1lr(u!k^jDofSiW`<VO)$SwD@a+{SLF?+SUt8vo8%(x*b-%P3%s}
zp>{t(FNnf#Guad;A1DUGSpQBgMCFz~^*bFwJEE?8yM{sq#wh7_kA^Y4EhuHZ0q-oF
zXhy6usBmW`v!zP%_JRMQ7x_;IL%cLhRfH+<8{b-h$BWa;4H<#!&j<#|mG_p$(QRL8
zo8g(?5ob@|WF7j*>Na69%Y(wG&n&>B+V7}kR}B671__<LlyyZs*L`R&b>Tl_q48G`
z^p#}ELCT&n4<z!Q5k4OXWzpkhl@a<wwLXu$U3z1xin6KZExrsxh*hPU$K0fl%{Rv5
z%IxQbC-YG9@NyRckU<7T-CBAcl!5Vuud8dr`_woo_ntVFy@=OOO2LQf<~Y@&hlx)=
z=`A@^Nki|4WyC9x#5sF>MX!c;yE6O15ld$f#bXVj<oqu3=31)u>D%~$<3nm6N#g!y
z6<_0wXXJqZFv@?bNIcQ*+3^&h4NZD&r@U``c>-jjImN(Qr|fI;#dIG!O!g^nE}DwB
z2>pD!Rc_Y4X1|lJjYt|E1Pd4h@(WPosBn7|6>;9ylmp{}f*>ZX1Sm4EM>mFvjvQ+Y
gVK5DsF)%wvZ*O;?EbuK6@YU|ANRXXUdlOfhA}NASPXGV_

diff --git a/stacks/cloudflared/main.tf b/stacks/cloudflared/main.tf
index 5f0f80b6..3686dd2a 100644
--- a/stacks/cloudflared/main.tf
+++ b/stacks/cloudflared/main.tf
@@ -8,6 +8,7 @@ variable "cloudflare_account_id" { type = string }
 variable "cloudflare_zone_id" { type = string }
 variable "cloudflare_tunnel_id" { type = string }
 variable "public_ip" { type = string }
+variable "public_ipv6" { type = string }
 variable "cloudflare_proxied_names" {}
 variable "cloudflare_non_proxied_names" {}
 
@@ -36,6 +37,7 @@ module "cloudflared" {
   cloudflare_zone_id           = var.cloudflare_zone_id
   cloudflare_tunnel_id         = var.cloudflare_tunnel_id
   public_ip                    = var.public_ip
+  public_ipv6                  = var.public_ipv6
   cloudflare_proxied_names     = concat(var.cloudflare_proxied_names, nonsensitive(local.user_domains))
   cloudflare_non_proxied_names = var.cloudflare_non_proxied_names
   cloudflare_tunnel_token      = data.vault_kv_secret_v2.secrets.data["cloudflare_tunnel_token"]
diff --git a/stacks/cloudflared/modules/cloudflared/cloudflare.tf b/stacks/cloudflared/modules/cloudflared/cloudflare.tf
index 906403c7..793296d2 100644
--- a/stacks/cloudflared/modules/cloudflared/cloudflare.tf
+++ b/stacks/cloudflared/modules/cloudflared/cloudflare.tf
@@ -18,6 +18,10 @@ variable "cloudflare_tunnel_id" {
 variable "public_ip" {
   type = string
 }
+variable "public_ipv6" {
+  type        = string
+  description = "Public IPv6 address for AAAA records (from HE tunnel broker)"
+}
 
 
 terraform {
@@ -99,6 +103,16 @@ resource "cloudflare_record" "non_proxied_dns_record" {
 }
 
 
+resource "cloudflare_record" "non_proxied_dns_record_ipv6" {
+  for_each = local.cloudflare_non_proxied_names_map
+  name     = each.key
+  content  = var.public_ipv6
+  proxied  = false
+  ttl      = 1
+  type     = "AAAA"
+  zone_id  = var.cloudflare_zone_id
+}
+
 resource "cloudflare_record" "mail" {
   content  = "mail.viktorbarzin.me"
   name     = "viktorbarzin.me"
diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf
index 2e9c4b2e..cc24b0f5 100644
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
@@ -465,7 +465,8 @@ resource "kubernetes_service" "mailserver" {
   }
 
   spec {
-    type = "LoadBalancer"
+    type             = "LoadBalancer"
+    load_balancer_ip = "10.0.20.201"
     # external_traffic_policy = "Cluster"
     external_traffic_policy = "Local"
     selector = {
diff --git a/stacks/platform/modules/cloudflared/cloudflare.tf b/stacks/platform/modules/cloudflared/cloudflare.tf
index 906403c7..793296d2 100644
--- a/stacks/platform/modules/cloudflared/cloudflare.tf
+++ b/stacks/platform/modules/cloudflared/cloudflare.tf
@@ -18,6 +18,10 @@ variable "cloudflare_tunnel_id" {
 variable "public_ip" {
   type = string
 }
+variable "public_ipv6" {
+  type        = string
+  description = "Public IPv6 address for AAAA records (from HE tunnel broker)"
+}
 
 
 terraform {
@@ -99,6 +103,16 @@ resource "cloudflare_record" "non_proxied_dns_record" {
 }
 
 
+resource "cloudflare_record" "non_proxied_dns_record_ipv6" {
+  for_each = local.cloudflare_non_proxied_names_map
+  name     = each.key
+  content  = var.public_ipv6
+  proxied  = false
+  ttl      = 1
+  type     = "AAAA"
+  zone_id  = var.cloudflare_zone_id
+}
+
 resource "cloudflare_record" "mail" {
   content  = "mail.viktorbarzin.me"
   name     = "viktorbarzin.me"