From 710efb7fae0edecc4879cf8166bef1ec26d69683 Mon Sep 17 00:00:00 2001 From: Brian Picciano Date: Tue, 6 Jul 2021 10:25:13 -0600 Subject: [PATCH] maddy vps --- src/_posts/2021-07-06-maddy-vps.md | 115 +++++++++++++++++++++++++++++ src/assets/maddy-vps/success.png | Bin 0 -> 9360 bytes 2 files changed, 115 insertions(+) create mode 100644 src/_posts/2021-07-06-maddy-vps.md create mode 100644 src/assets/maddy-vps/success.png diff --git a/src/_posts/2021-07-06-maddy-vps.md b/src/_posts/2021-07-06-maddy-vps.md new file mode 100644 index 0000000..93c76d2 --- /dev/null +++ b/src/_posts/2021-07-06-maddy-vps.md 
@@ -0,0 +1,115 @@ +--- +title: >- + Setting Up maddy On A VPS +description: >- + We have delivery! +tags: tech +series: selfhost +--- + +In the previous post I left off with being blocked by my ISP from sending +outbound emails on port 25, effectively forcing me to set up [maddy][maddy] on a +virtual private server (VPS) somewhere else. + +After some research I chose [Vultr][vultr] as my VPS of choice. They apparently +don't block you from sending outbound emails on port 25, and are in general +pretty cheap. I rented their smallest VPS server for $5/month, plus an +additional $3/month to reserve an IPv4 address (though I'm not sure I really +need that, I have dDNS set up at home and could easily get that working here as +well). + +## TLS + +The first major hurdle was getting TLS certs for `mydomain.com` (not the real +domain) onto my Vultr box. For the time being I've opted to effectively +copy-paste my local [LetsEncrypt][le] setup to Vultr, using certbot to +periodically update my records using DNS TXT challenges. + +The downside to this is that I now require my Cloudflare API key to be present +on the Vultr box, which effectively means that if the box ever gets owned +someone will have full access to all my DNS. For now I've locked down the box as +best as I can, and will look into changing the setup in the future. There's two +ways I could go about it: + +* SCP the certs from my local box to the remote everytime they're renewed. This + would require setting up a new user on the remote box with very narrow + privileges. This isn't the worst thing though. + +* Use a different challenge method than DNS TXT records. + +But again, I'm trying to set up maddy, not LetsEncrypt, and so I needed to move +on. + +## Deployment + +In the previous post I talked about how I'm using nix to generate a systemd +service file which encompasses all dependencies automatically, without needing +to install anything to the global system or my nix profile. 
+ +Since that's already been set up, it's fairly trivial to use `nix-copy-closure` +to copy a service file, and _all_ of its dependencies (including configuration) +from my local box to the remote Vultr box. Simply: + +``` +nix-copy-closure -s +``` + +I whipped up some scripts around this so that I can run a single make target and +have it build the service (and all deps), do a `nix-copy-closure` to the remote +host, copy the service file into `/etc/systemd/service`, and restart the +service. + +## Changes + +For the most part the maddy deployment on the remote box is the same as on the +local one. Down the road I will likely change them both significantly, so that +the remote one only deals with SMTP (no need for IMAP) and the local one will +automatically forward all submitted messages to it. + +Once that's done, and the remote Vultr box is set up on my [nebula][nebula] +network, there won't be a need for the remote maddy to do any SMTP +authentication, since the submission endpoint can be made entirely private. + +For now, however, I've set up maddy on the remote box's public interface with +SMTP authentication enabled, to make testing easier. + +## Testing + +And now, to test it! I changed the SMTP credentials in my `~/.mailrc` file as +appropriate, and let a test email rip: + +``` +echo 'Hello! This is a cool email' | mailx -s 'Subject' -r 'Me ' 'test.email@gmail.com' +``` + +This would, ideally, send an email from my SMTP server (on my domain) to a test +gmail domain. Unfortunately, it did not do that, but instead maddy spit this out +in its log: + +> maddy[1547]: queue: delivery attempt failed {"msg_id":"330a1ed9","rcpt":"mediocregopher@gmail.com","reason":"[2001:19f0:5001:355a:5400:3ff:fe73:3d02] Our system has detected that\nthis message does not meet IPv6 sending guidelines regarding PTR\nrecords and authentication. Please review\n https://support.google.com/mail/?p=IPv6AuthError for more information\n. 
gn42si18496961ejc.717 - gsmtp","remote_server":"gmail-smtp-in.l.google.com.","smtp_code":550,"smtp_enchcode":"5.7.1","smtp_msg":"gmail-smtp-in.l.google.com. said: [2001:19f0:5001:355a:5400:3ff:fe73:3d02] Our system has detected that\nthis message does not meet IPv6 sending guidelines regarding PTR\nrecords and authentication. Please review\n https://support.google.com/mail/?p=IPv6AuthError for more information\n. gn42si18496961ejc.717 - gsmtp"} + +Luckily Vultr makes setting up PTR records for reverse DNS fairly easy. They +even allowed me to do it on my box's IPv6 address which I'm not paying to +reserve (though I'm not sure what the long-term risks of that are... can it +change?). + +Once done, I attempted to send my email again, and what do you know... + +![Success!](/assets/maddy-vps/success.png) + +Success! + +So now I can send emails. There are a few next steps from here: + +* Get the VPS on my nebula network and lock it down properly. + +* Fix the TLS cert situation. + +* Set up the remote maddy to forward submissions to my local maddy. + +* Use my sick new email! + +[maddy]: https://maddy.email +[le]: https://letsencrypt.org/ +[vultr]: https://www.vultr.com/ +[nebula]: https://github.com/slackhq/nebula 
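Review bot: the "Deployment" section has two commands that readers cannot copy as written. The systemd unit directory is `/etc/systemd/system`, not `/etc/systemd/service`, and `nix-copy-closure -s` is missing its destination and the store path to copy (`-s` only enables substitutes), so something like `nix-copy-closure --to user@host /nix/store/...-maddy.service` would make the example complete. In the "Testing" section the `-r 'Me '` argument has lost its angle-bracketed sender address (probably eaten as an HTML tag), and the recipient in the command (`test.email@gmail.com`) does not match the one in the quoted log (`mediocregopher@gmail.com`); consider making them consistent or redacting both. On the TLS section: the risk described (a compromised VPS exposing the Cloudflare credential) is reduced a lot by using a Cloudflare API token scoped to DNS edit on the one zone instead of the account-wide API key, which is worth noting as a third option alongside SCP and a different challenge type. Finally, the quoted Google rejection cites "PTR records and authentication", so the post should mention that SPF and/or DKIM also need to be in place for IPv6 delivery, rather than implying the PTR record alone was the fix.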
diff --git a/src/assets/maddy-vps/success.png b/src/assets/maddy-vps/success.png new file mode 100644 index 0000000000000000000000000000000000000000..3d24c2510ba0a186cbc1ce79e2c221a241879584 GIT binary patch literal 9360