From e140140c3fec4383327faa37e6e54cf8da52d6b1 Mon Sep 17 00:00:00 2001
From: viktorbarzin <vbarzin@gmail.com>
Date: Tue, 16 Feb 2021 00:01:14 +0000
Subject: [PATCH] Add LE renewal pipeline

---
 .drone.yml                                    |  39 +++++++++
 modules/kubernetes/bind/extra/viktorbarzin.me |   5 ++
 modules/kubernetes/bind/main.tf               |   2 +-
 modules/kubernetes/setup_tls_secret/main.tf   |  17 ++--
 modules/kubernetes/setup_tls_secret/renew.sh  |  79 ++++++++++++++++++
 secrets/fullchain.pem                         | Bin 0 -> 3478 bytes
 secrets/privkey.pem                           | Bin 0 -> 1726 bytes
 7 files changed, 135 insertions(+), 7 deletions(-)
 create mode 100644 modules/kubernetes/bind/extra/viktorbarzin.me
 create mode 100755 modules/kubernetes/setup_tls_secret/renew.sh
 create mode 100644 secrets/fullchain.pem
 create mode 100644 secrets/privkey.pem

diff --git a/.drone.yml b/.drone.yml
index 24e911fe..9a49e596 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -28,3 +28,42 @@ steps:
       - "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
       - "git commit -m 'Drone CI deploy commit' || echo 'No changes'"
       - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
+
+---
+kind: pipeline
+type: kubernetes
+name: renew-tls-certificate
+trigger:
+  event:
+  - cron
+  cron:
+  - nightly
+
+steps:
+  - name: Prepare terraform files
+    image: alpine
+    commands:
+      - "apk update && apk add jq curl git git-crypt"
+      - |
+        curl -k https://kubernetes:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
+      - "git-crypt unlock /tmp/key"
+  - name: Run renew script
+    image: alpine
+    environment:
+      TF_VAR_prod: "true"
+    commands:
+      - "apk update && apk add git certbot expect curl gzip"
+      # Install terraform cli
+      - "curl https://releases.hashicorp.com/terraform/0.14.6/terraform_0.14.6_linux_amd64.zip | gzip -d > /usr/local/bin/terraform && chmod 775 /usr/local/bin/terraform"
+      - "terraform init"
+      - "./modules/kubernetes/setup_tls_secret/renew.sh"
+  - name: Commit updated certificates
+    image: alpine
+    commands:
+      - "apk update && apk add openssh-client git git-crypt"
+      - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
+      - 'chmod 400 secrets/deploy_key'
+      - "git add ."
+      - "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
+      - "git commit -m 'Drone CI Update TLS Certificates Commit' || echo 'No changes'"
+      - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
diff --git a/modules/kubernetes/bind/extra/viktorbarzin.me b/modules/kubernetes/bind/extra/viktorbarzin.me
new file mode 100644
index 00000000..2acd3e4f
--- /dev/null
+++ b/modules/kubernetes/bind/extra/viktorbarzin.me
@@ -0,0 +1,5 @@
+; additional bind records added via terraform automation
+; entries are usually programmatically added to this file 
+
+_acme-challenge IN TXT "6TiErEakwCp5Ryy3ICW8XVm_uGCUU9UhNZv4XFFnOkI"
+
diff --git a/modules/kubernetes/bind/main.tf b/modules/kubernetes/bind/main.tf
index c8b75338..c11a7934 100644
--- a/modules/kubernetes/bind/main.tf
+++ b/modules/kubernetes/bind/main.tf
@@ -16,7 +16,7 @@ resource "kubernetes_config_map" "bind_configmap" {
 
   data = {
     "db.viktorbarzin.lan"       = var.db_viktorbarzin_lan
-    "db.viktorbarzin.me"        = var.db_viktorbarzin_me
+    "db.viktorbarzin.me"        = format("%s%s", var.db_viktorbarzin_me, file("${path.module}/extra/viktorbarzin.me"))
     "named.conf"                = var.named_conf
     "named.conf.local"          = var.named_conf_local
     "named.conf.options"        = var.named_conf_options
diff --git a/modules/kubernetes/setup_tls_secret/main.tf b/modules/kubernetes/setup_tls_secret/main.tf
index 3ad16d9e..a5d11383 100644
--- a/modules/kubernetes/setup_tls_secret/main.tf
+++ b/modules/kubernetes/setup_tls_secret/main.tf
@@ -1,7 +1,11 @@
-variable namespace {}
-variable tls_secret_name {}
-variable tls_crt {}
-variable tls_key {}
+variable "namespace" {}
+variable "tls_secret_name" {}
+variable "tls_crt" {
+  default = ""
+}
+variable "tls_key" {
+  default = ""
+}
 
 resource "kubernetes_secret" "tls_secret" {
   metadata {
@@ -9,8 +13,9 @@ resource "kubernetes_secret" "tls_secret" {
     namespace = var.namespace
   }
   data = {
-    "tls.crt" = var.tls_crt
-    "tls.key" = var.tls_key
+    # Cannot set default function in variable so use default behaviour here
+    "tls.crt" = var.tls_crt == "" ? file("${path.root}/secrets/fullchain.pem") : var.tls_crt
+    "tls.key" = var.tls_key == "" ? file("${path.root}/secrets/privkey.pem") : var.tls_key
   }
   type = "kubernetes.io/tls"
 }
diff --git a/modules/kubernetes/setup_tls_secret/renew.sh b/modules/kubernetes/setup_tls_secret/renew.sh
new file mode 100755
index 00000000..4ff4ae3e
--- /dev/null
+++ b/modules/kubernetes/setup_tls_secret/renew.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/expect -f
+
+set timeout -1
+set le_dir "/tmp/le/"
+set config_dir "$le_dir/out/config"
+set pwd [pwd]
+
+spawn certbot certonly --manual --preferred-challenge=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual-public-ip-logging-ok -d *.viktorbarzin.me -d viktorbarzin.me --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email
+
+set prompt "$"
+set dns_file "$pwd/modules/kubernetes/bind/extra/viktorbarzin.me"
+expect -re "Before continuing, verify" { 
+    set challenge [ exec sh -c "echo '$expect_out(buffer)' | tail -n 3 | head -n 1" ]
+    set dns_record "_acme-challenge IN TXT \"$challenge\""
+    puts $dns_record
+    puts $dns_file
+
+    # Check if dns record is not already present
+    try {
+        set results [exec grep -q $dns_record $dns_file]
+        set status 0
+    } trap CHILDSTATUS {results options} {
+        set status [lindex [dict get $options -errorcode] 2]
+    }
+    if {$status != 0} {
+        exec echo $dns_record | tee -a $dns_file
+        puts "Teed into file"
+    } else {
+        puts "DNS record '$dns_record' already in file"
+    } 
+}
+
+send -- "\r"
+# Do the same for the 2nd dns record
+expect -re "Before continuing, verify" { 
+    set challenge [ exec sh -c "echo '$expect_out(buffer)' | tail -n 3 | head -n 1" ]
+    set dns_record "_acme-challenge IN TXT \"$challenge\""
+    puts $dns_record
+    puts $dns_file
+
+    # Check if dns record is not already present
+    try {
+        set results [exec grep -q $dns_record $dns_file]
+        set status 0
+    } trap CHILDSTATUS {results options} {
+        set status [lindex [dict get $options -errorcode] 2]
+    }
+    if {$status != 0} {
+        exec echo $dns_record | tee -a $dns_file
+        puts "Teed into file"
+    } else {
+        puts "DNS record '$dns_record' already in file"
+    } 
+}
+
+# Force deployment recreation
+exec terraform taint module.kubernetes_cluster.module.bind.module.bind-public-deployment.kubernetes_deployment.bind
+# Apply changes to configmap and redeploy
+exec >@stdout 2>@stderr terraform apply -auto-approve -target=module.kubernetes_cluster.module.bind
+
+# Wait for deployment update
+# TODO: better to use k8s api. What we want is `kubectl rollout status deployment -l app=bind-public` as a curl
+# exec bash -c 'while [[ $(kubectl get pods -l app=bind-public -o \'jsonpath={..status.conditions[\?(\@.type=="Ready")].status}\') != "True" ]]; do echo "waiting pod..." && sleep 1; done'
+exec >@stdout echo 'Waiting for redeployment of bind...'
+exec sleep 10
+
+send -- "\r"
+
+# Clean up
+exec sed -i "s/$dns_record//g" "$dns_file"
+
+# Success
+expect ".*Congratulations!"
+
+# Copy cert and key to secrets dir 
+exec cp --remove-destination $config_dir/live/viktorbarzin.me/fullchain.pem ./secrets
+exec cp --remove-destination $config_dir/live/viktorbarzin.me/privkey.pem ./secrets
+
+puts "Done renewing cert. Output certificates stored in ./secrets\n"
diff --git a/secrets/fullchain.pem b/secrets/fullchain.pem
new file mode 100644
index 0000000000000000000000000000000000000000..60d91fdb0eafce05ef975361e7ecf4fbbd71658a
GIT binary patch
literal 3478
zcmV;H4QcWKM@dveQdv+`0A(pLbcD0kvu_SX1u!%B{r!C2zW&(FFRt+g=`UHcztDT?
zMB*^KEiT&DuKs=Vq*t0Z0bcz`j(2c1nRBxLgyam&I7<gFZ+JL|oiPaQ(BohwJz>Ml
zxT?-mlWh!SLxJ62_mwO;CVV<QmQF8&;1-9eo~)Qu(HHQ^xMWD5K;}qA>C>ezQwd76
z=FR`;cc8>+Vnv`uh0_$&esFp-R$V`*ZxhdqJSOnh#n%qPFjs%{+dcC$5^?JxpjKK3
z?y9bOMLH0ReEhST`1_X$wKi1%N9GkVER74`8#zwQsaO?X4OrFPyvZp#NmA}2s9pTU
z^}TR|uFNox{FW;L?DA(NZ##?gdHwMOE%CnT`!;b^-zPa{Q|2rspAGGj!bVL_nUi2_
z$b2j%`;l><<)w^lNy@E&be9cQkyES!kGY*|CO=!hydE~pX>TXg*a>c?XoBL}>Gxiw
ziz3)wX6Tk!qKw8N0c2k(7Xu{y!8p%zMalhriFQ8##sAZCwot|q9uLJPQX-7xVop>I
z$5nY(588s^Z-T~f1yZfBPWaub3gq3)ld+%&Ph~+0tD1g8iQu^2|0Iyj&Zhh=rlQqe
z^A02`^}Jky7fW{v{pA1<#oUm!TK6E}4?dnk*mTQ2+TQDEXwj11pQ*sP&{b^^AV1|G
z;5ssdT%)0plA&N+3n9+{F3^1;m9_TiC&Wn_ND(~g058-!<lx3deQ;C2Eq&Gb=$}99
z$oYkoo?F9pF%eiTG*$i2WF<l$g2<*hs3S*tUv(N}S@RnAbs)AHq{bp8Y0}4v%$i@Z
zQy3ArFO59#h`Ddn;9{i_rw{6jDWO%lsQ5l|;;wV|1mLGG&8y%n%_2uJ%9FAUC7f?)
ziMotj<P6!fx1Yq?D|&~-NCN>jD_9)9`W``^#K|K}O!i3d8&ECQo<9#j%gyhW`%8UG
zvblS|+{g>m?a_cUx&yA3kGar(HPb`Uokw*(Ni$hY-<bpV<{<2$39INjB9C#oI&2J}
zDO1s-$R+TVeBZ00`?Q%sfGQi>U^~;mbMo;!i*LsdbYsdgh#Lz;v1L1O5&EfxUjLm_
z;dpAw(OUZ9vLM}!F;dG63H<vi67@4qMnD<pUF`tC8y1LjaKmxT^u-fpsz9S0`Ysrd
z>qmonSq@e2NRNb<t=!?jgVLPPmCp^>EN?si+nC8i1>#K)(P8b-dWHzlsb7tsTi<C<
zW<(HB=g_y?s4T;z_%nwS_k?*W8JLi?{;>zn`tUBa7CR$~-7TBlXt^7%ng6;1b8j04
zc-`kWJ1D%uu}GMuXZP?!`s^q1?#z2{C#JZ!J<z@Vyq_5YIJ*;N16rEQiFV<PV<Fp`
zYM2@>KCUakI9xAL#5ePpkM36qHm%`>yZ!b<j^PugKwrmHBU4r)(iQ}&JYr?fyZ%Ai
zQNQbx`5WQ<!SzAX*dE^Fr{X@>4EHwzdEaSf%me7Jo0Q_GvFexnrs>e!AmiH}7m9je
zZxhOYBrE-WTdn$p!k8u*=R&5w4{|8|o>*<I>Ibq6Y~yW#B3&uStr^#RmE*U+Eh$(G
z2k(ETwr)UC*%4d{9&t<?{@q&L$U)b@f@}3<N#!ZjLqnSpHIh^u4elXUldY`dtwr}a
zI2P9R+{Qx3QsI>J+^rl~FB_}Z`A+<<{Te*tA0O*+32$WgJ}<T<eMJh+5^)#;;>>wq
z9U1Wn<|Hi1{W)<x9@uQZok!iV$itDE^&{8XmS_pr2AZ4YK4)|tMC#J9<;~n3tZ0I|
z?4pqocc+yW_Rrt+JOE1tO0W#2C~Gtjlo36c`G{G?eX*)|`706I%f5E;Hth~Qiflr&
zq<^@W(MQmTRA%$qX2uyyHRO^<ox8qtJkrRQF=UquvGI!aV`YgsZmV+HI6`jb;>d;h
z)hlp>pvxfM5$SUSL<hj7tutQ_9-pGHE?pR%wjLdF=`FU5Wr!v&Ypb94ke7Z742u;m
z^`)ryg|7O5%<WcYbxD|!Qjl8Z{kb#_T{z<REPP_9y+~+w<zPDt5+gp+pDS_9-06lF
zxgG2{2y{WlmDY#jU(3uBD)%ZM;%j4nkQL7PUvkC`YI;UVI0?zU5`uCHYJGreRjP(0
zXz=KrHT|ER#Lexz3sLd>>%ME#w{-~=#mRGQOEw4l5f0QM4aQzN1{V{thQil(?aMyI
z(*a7wXBId3L$};4$Z@8F5P%4<G|-|;h+bRpRz0+a#z4EVnU@TpN;nfAJ9Z>BfpSMz
zEOG4z!(K8b1g04rY`6TPcOnz&fj%Gb<-yWD<0YQ6Th@W?hQaWnXVlIz+`axr&OJ8X
z!)M}D_#B~g>(hj=PW}+ewB|1Ec6dT67f!FcjIW30DcI<xIH4z>qE-C7bKa<)j=mdU
zMZdUISPjsHvN*u)EPZ@#Wu25+470l))a39xcTb>Pv~(b3<)VBc3-`O<j=T$F;gxYN
zToYP&71|SZJ28qTs%E}~Y%on7imPQi*jh1&H0PP5AvI>bO?H>}R<v{18g}BY5@AG%
z>_}~nVtSH`zv8Y(o~A{qOnz+7^Gfsj6^?kLw!<!lea20FEo=`Hm-o8|wKYf#sNmOg
zRZquaAmqyllBs#`3+t)Pil$>9axnCT+`W~!y;Nj-<|nY91dsrQ%-~R-I$NoN!m>p`
zj_nZxa}CcLAfthe&KR$_6QMel9q%eoNbEO~HIgZxK73axBXSiL+(mQuRcCG1huzLz
z@PrO#g=~n=qu?yO^>x&4Di*SK4?lfT0?OMsaso~E^V(8OzPu0t{*b7zx#iBN6@~fT
zO_@bw?XeaaN^|4|;Z9|eec^iRYmYF<OUst6QRvmT`b1Sddn?cQQOTtY>IVr`uc}|E
z`-VY=)$k%9_W9z=-w>5BA2V$)w!J;x47iwq^#Ju&fn9uI<l2PK-yp8;rOisnavB28
zdYnF{GnfJi(X7lx&@tATF^>0^4KV*1C0@@9G*aaLMbk|ZnBj1I&TKo-%_=h1E|UIW
z_kC|a?y5{Fmen_i4{hDvsb)$B@xD4SW#+(1*6PZW;2u;;)rOe9=N0Ry@vNiGw{bY9
z@Tsz06x|j!(1R!LJ~a$lSDqE53&h3Yibpm^$(J|Pp=J>EPDmDXD<{E9O$>VfK;6RM
z(Jic#TH!SGXY+i=ojv3G*d2gqmnJ*<9#>t>VK3M22d0=Eyq~VytsGGVgC_0p8Q&|C
z`s>eOA+XX&jC;0=W4)bw%y{r>LT~yscLn6dgm1I9*l@~K90;tBi$379wV@V$t=?<a
zSE@9=KF2Dx+(=KGY1JRyT6{dUN4rS+pm36$u<(c4zxp=(E2ik9$O&)!K+nqYWVN-Z
z%yLCS!3g58nRRoX?HdCmhdCLdw(}7)u(m^x9^wOnAV<Y0+cd|-5kxQJyYBIaFl9nT
zx$(iKgE51EuuwQQ;eY|mC|<0OOQBrb4bp*Py|#|X*1RfU|3+_fVaJaSzelh4TcW1*
zNL|OCvk^If(nKc!5M@_LHuNG^U#w=(1@LnF5MkoXMGD7>#^{dcMH>Tmy-Uy*A^{(Y
zdn8ez!aS+1cAoy4DnDqYT;zfHsCgeT!uzRLfny7>O{+GGZ23G)t#U%P)qVW;Vpy*{
z4A<C)-jv6UbNUKb0!CZbxxQkWrKV?%V${0$9t!j5FH65Oi>K%{Kj*8Dnf}?#g(cY%
z!f{{UsY9kc%x{gY4QEto9k}K=(HvVq;)Bh&3ns%te`I?1zC=Ezf;>&6OO*52+M&TU
zjWSA)>Wm&<e}l_6SHG^@P6kgXUoD%nTrnGG-N#DVFnG@6f49{j1>`GVJ|7%Rf@=Mp
z*k$;AMPw=NyzF<x<=<<?@DgMZVl7WykPgGpdQA>6?LE)x*7}7V1~Rzb+ZKX(cKoh4
z6u-d$-1z%W$^HzG3|R>%n&2dyxAUAs5ZJy1ah3!*4wW05{I=OD0_4Eklw9Xw!vo$p
z%0)5^Pg_BK)t^#Gw7xjuv6E+jHO(VBG+uQB?W0ojL)d7rsj90-OeIxA_i^N+SOA7C
zc%xG++}oplKBCSa94PY{V|N>xZw`biLB}Dp&#v$~<#kCTyXGt#*>5tfZE7sCr`)}q
zOlCqdKavH;wp~3#PG$%mm@EJ_o7DY&bY2Ze-ijuktnn%D0BW2N+qm;=fCBYMYjqjD
zk76A0xu$JDb)WVGX8->k+H&#L$OiDb4-8~Chkl$n6~`J=w@emLMBSzhoAC6y`O<NR
z^Y#DF)s5{)zd0hotvM;sFRG87B=dM)_#IcJ-rePM?zSgProV{_gPHS7+w1g&L?YIz
zMCMzY;#o~={6H9@CLv8Bc-FH*xCkMg(yj5Qws2aYYKQJECE9{UD>)|)d7DTk0Vr*a
zHb^glh|u+V&+;I*$inR(I|p9A&8HYdQu}T>kEQ)cn8O*i5N~_(%>lSuU0aF<Su1^}
zDN}qNq8L_2-accLT$u_T$6h&TooqADbv<u%$x|0&9uxzU8kbmZz4)0EA{w50K;4Os
zNtkL{Yv4-KAD)XQEiy8<k&=vtNM!|??;0G3T$zq0#SFq>wtx{(UFk}48U73Nn;~IR
E^Mvl$umAu6

literal 0
HcmV?d00001

diff --git a/secrets/privkey.pem b/secrets/privkey.pem
new file mode 100644
index 0000000000000000000000000000000000000000..af948f757d1dd0ff731e6ed5ea76574d2484ca3d
GIT binary patch
literal 1726
zcmV;v20{4%M@dveQdv+`0J;xTb&Ut5pbzpYsS_wALk8rzFJ0PQ0X|7Js=}c&48>Q&
z&Vq%qf0JH4*|-FsB>D|S4KqD(RUZm?p*6<weipoH*RIW|E;g{~oS+hENKQz3*ZB#P
z?~H-vE<xKa!AbW&*=bt-k<}9dtzyqZ**qZE5sIz0Rhla>EZy*zGoVrhmyXx`38c1N
z<WXc7S7pxUa;rI$homloyY7mN{XM2=`R@?>-Pe0FhX-Qq+{Ty~IJ+^p@kMw@momLB
zHLS>X%OK7^j4AZ~;2~V~Z_~SeTSJ|P41bWcz}b1sf~xK$Im9(XIBM1(+={%t>POw>
zNCZKC+`rO0Q#7Fr>mB<Q?ZvO5xeYZrTA-@0^poJFv1Nj->=TQCv|0VW>hX>8HgiN*
z+&bO#J6KrJ!t{*xCg`iW&%<k~Kky}e9K*?|)qIA3k!31ixf|J+fknL<EF3webo2wW
zjm!1A&`o9UGr&>6E}$Q+2h$KhZj}qYsZiU?PH|`F;fO%vuF4Sx6`64Za8FljI&Z@0
zqzggx6&V>#70|G+_CU#;Ib%eEEOi9Bp9zwcuS24u$|4{HMIl3&s=cU=LJgYIGRrIv
zyL>2qQ=CkM_nYkD3IsPE>*)aE<nXsU(~z9^e%q5a%6QS6$g>Vie}knAxKLqLbx|y7
z1p-}6QOxz<g}L_|X(s5ACO)pqF!i08K<Wj~8L0<*4+7Or#>fmxlg6~}UKH;lfkvlk
zS(00OUtXJ|t9WLuI31c=VwAISpfI5q_`3ye0}es(M2zH*N!|BdmnR#(Qe`vmX*c$(
zS7snsf^x4iq?;hgg`NF(UHJCi7c-J$_3Wfqf8ZUvrSp&}<UOu_&a`+-)f$-nDnZ-x
z%uoPeQ^LaAQv%&_Xg<toJj}$Z2D+O#V&|p3>ganf@Qpq6o>T8eiQlVCS4Yl9{Czd>
z`-)iF%rACZ$4T~ng`4on;}M?&Sbb8@YG1rTk0RQS$xiecprFU%zj7@B?yWTQC^en`
zMKxJq^ay;OA^;GPmA#*|;ZOB6DNp4(4e*~aqyzt=a^iL`?@cT$RWF6urQQq6&`a6=
zNjy4ZXjm7G4>9OL)pqMa)sC>%EY6=Hcu_4F4@cPvN{<Y}2CM_9_M!H<Xv4KB`>e$T
zHKNVAJW!w9Rf;~6_uYfwjrnHrz;a@Dp)YiT_&Q`Vp%uoCAg?PV7kMYeR=NFs_D{)&
z^fWuh!)*y5F!J3%yOWP^{(8r980SR_O?CW0dPX>|+Q;v8G$k|=cS*s?<_x|al}|S;
zMop~Afo2P2UD6E1g9S$fCF39Bq@oG#!YbR-wlM{B$b=G1*A@F?qQe#*{N3xGvfhqG
z07WmFd)%OY{x|JU0lIJ~_G<-7=UtvF)|yl_(<(A8A?<u{6h~2bH&I1?+kAD^B)R%d
z9@$dvLA#qS5`+>uq?uHoC)d(d!NQR5`vamoHohrV;th_DhF4#6>yA4obI$j?>eU6z
zY)Ih#JPWpv;`UqcyB}hpZnXPn0Cxp_p4(Jrk;dfXWs=mnY1N<v8;aI1nle_s)_?%x
z@ujPPAR$#-r}ynvgb+pcSbmVD=|5akAUt)bcV8R~@6YfY>w|SadU#eBizfc1q|~b&
z4LxR+I?nctez+bP4Z#{DaL}n>x^7FZ>x^O3F}*dk2Y2^BCy;@5G!!!g+UILm%&Nh4
zq2FEmm56l1Wib?jFS=~ZluMA75ixu9E)4W!$zb0l0jhz=IBn|~WiljsK*5&Toz9Xv
zDFx~*9(^AMv*XKABo9x5CnAR6XVR5LweY9VW1(Nq_1f3TH)gQ!oLI@g=JMR*TATJo
zrW-uFZ$~&6l058cv!xbG@Sf<~wN5sVyx>~B-ZIo6Yi4jlOJoHrSnzSfN$+*n22?(}
zWTt)KF@3k#Q_l)vpTtQw4Qk48c0P_R2pA*0^{1t?B)P?IC=b;TLxe#qk^BBu=dzyh
zih20W(zdQ6`X*Jy@RqgkU_=x0;<4fimz!JKvyB+ffVFd+Jg}@pz;mMefXzSQA^~X4
zei_G5G-juByg>JhsSf*kKw>%$|25$C)Mg$#$t2_tV8llNCQYNlXF-Lpb2JdMP1kI7
za4@R;p24U|DImgG+-q^I=3baKZa`?QDm*|X9s*#S{br{>Kk2la;CTl#4v;1&a!*p#
z@BE}f<=s}OYC64OqK;U+m|M!iH%s>Bj<CW%0hzdM`YYQAY(izxFW{k`Cp>Zsrx?E&
UE_Mlq<zvd;mr~C2$Tcq^rgGb0_y7O^

literal 0
HcmV?d00001