From cf8182afd61938a7cc52ba3b3361f8ebe7571226 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:24:19 +0100 Subject: [PATCH 01/10] feat: uncap file size for immich --- hosts/hitsugibune/immich.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index 0c09030..dcf9b7f 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,7 +36,7 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; - extraConfig = "client_max_body_size 50000M;"; # for large video uploads + extraConfig = "client_max_body_size 0;"; }; }; } From fffdc559ab63f0272761384584840b1c4fc23591 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:34:31 +0100 Subject: [PATCH 02/10] feat: bigger files bigger birds --- hosts/hitsugibune/immich.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index dcf9b7f..f7d4fd2 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,7 +36,15 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; - extraConfig = "client_max_body_size 0;"; + extraConfig = """ + client_max_body_size 0; + + # Timeouts for large/slow uploads + proxy_connect_timeout 3600s; + proxy_send_timeout 3600s; + proxy_read_timeout 3600s; + send_timeout 3600s; + """; }; }; } From 53ec53388eeec1a829e1ad971dcf44b59779e4f1 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:35:23 +0100 Subject: [PATCH 03/10] fix: schauer --- hosts/hitsugibune/immich.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index f7d4fd2..1cd18fe 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,7 +36,7 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; - extraConfig = """ + extraConfig = '' client_max_body_size 0; # Timeouts for large/slow uploads @@ -44,7 +44,7 @@ in proxy_send_timeout 3600s; proxy_read_timeout 3600s; send_timeout 3600s; - """; + ''; }; }; } From f4ebd7fe79478c77b3f3a54ff046393ba6fa05f5 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:51:07 +0100 Subject: [PATCH 04/10] feat: bigger uploads --- hosts/hitsugibune/immich.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index 1cd18fe..1062d32 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -39,6 +39,8 @@ in extraConfig = '' client_max_body_size 0; + proxy_request_buffering off; + # Timeouts for large/slow uploads proxy_connect_timeout 3600s; proxy_send_timeout 3600s; From 62bb7aa2eab926075b4c11b0d23eaa1ec99ba046 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 15:54:51 +0100 Subject: [PATCH 05/10] feat: full config from docs --- hosts/hitsugibune/immich.nix | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix index 1062d32..2f5cd76 100644 --- a/hosts/hitsugibune/immich.nix +++ b/hosts/hitsugibune/immich.nix @@ -36,17 +36,23 @@ in locations."/" = { proxyPass = "http://localhost:2283"; proxyWebsockets = true; + # https://docs.immich.app/administration/reverse-proxy/ extraConfig = '' - client_max_body_size 0; + # allow large file uploads + client_max_body_size 50000M; - proxy_request_buffering off; + # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause) + proxy_request_buffering off; - # Timeouts for large/slow uploads - proxy_connect_timeout 3600s; - proxy_send_timeout 3600s; - proxy_read_timeout 3600s; - send_timeout 3600s; - ''; + # increase body buffer to avoid limiting upload speed + client_body_buffer_size 1024k; + + # Set headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; }; }; } From 357480c8075d9e80585e13b160fbc2ce3a1f8680 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 21:20:11 +0100 Subject: [PATCH 06/10] feat: matrix oidc --- hosts/hitsugibune/matrix.nix | 58 +++++++++++++++++++++++++---------- secrets/matrix-oidc.age | Bin 0 -> 939 bytes secrets/secrets.nix | 1 + 3 files changed, 42 insertions(+), 17 deletions(-) create mode 100644 secrets/matrix-oidc.age diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix index a04de12..2031fc6 100644 --- a/hosts/hitsugibune/matrix.nix +++ b/hosts/hitsugibune/matrix.nix @@ -22,13 +22,19 @@ in { group = "matrix-synapse"; }; + age.secrets.matrix-oidc = { + file = ../../secrets/matrix-oidc.age; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + age.secrets.mautrix-signal = { file = ../../secrets/mautrix-signal.age; owner = "mautrix-signal"; group = "mautrix-signal"; }; age.secrets.mautrix-signal-puppeting = { - file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML + file = ../../secrets/mautrix-signal-puppeting.yaml.age; owner = "mautrix-signal"; group = "mautrix-signal"; mode = "0640"; @@ -184,26 +190,44 @@ in { settings.public_baseurl = baseUrl; settings.enable_registration = false; enableRegistrationScript = true; - settings.listeners = [ - { - port = 8008; - bind_addresses = ["::1"]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = ["client" "federation"]; - compress = true; - } - ]; - } - ]; + settings = { + listeners = [ + { + port = 8008; + bind_addresses = ["::1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = ["client" "federation"]; + compress = true; + } + ]; + } + ]; + oidc_providers = [ + { + idp_id = "authentik"; + idp_name = "Authentik"; + issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/.well-known/openid-configuration"; + client_id = "xoTtitlCqRbK9fjl2VAugYdswYGOLUJUzeV1dacc"; + scopes = [ "openid" "profile" "email" ]; + user_mapping_provider.config = { + localpart_template = "{{ user.preferred_username }}"; + display_name_template = "{{ user.name }}"; + }; + } + ]; + }; settings.app_service_config_files = [ "/var/lib/mautrix-signal/double-puppeting.yaml" ]; - extraConfigFiles = [config.age.secrets.matrix.path]; + extraConfigFiles = [ + config.age.secrets.matrix.path + config.age.secrets.matrix-oidc.path + ]; settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"]; settings.turn_user_lifetime = "1h"; }; diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age new file mode 100644 index 0000000000000000000000000000000000000000..606d7e28e488505ca0cde6a665fa362376a88e80 GIT binary patch literal 939 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP5AezMN>}hq_KfuP z57al#%=PfCGD)+=pB+?5#SzK5K&%bnw4bgQCW~}T<%$AkZG2c z7w(c-84%`C9ub&V5>#5^A5~-=P+^f$Ruok(=#YnUiK#>JboS8W5VH zUs38Fq#bOSo|v2(nC0T>o$ZvD7F6nMgXIku$lv=2rnWOJrlxbA#R^*?o?Ur3$;_g}HQ<&zHmR1x|QOw1qtE;QvS>|tC zaDLGpdIKMW@b>96>OB2Wo*Ia$ndaaOXbuhfg4R0 zX_Z;TyBjQhmRR0& z$+DDLbwSgXMMeDwc5408ulZM(xM*tWZHMV%TV<|hoK9&jP~TVdAggOa7R!CM&i*gE z#ZGgpuvjnRx1V)xp7=J2yDJUC*Q&-o44oKo@~DcQQ0&bMw Date: Tue, 24 Mar 2026 21:43:47 +0100 Subject: [PATCH 07/10] fix: move all oidc stuff to extrafile --- hosts/hitsugibune/matrix.nix | 13 ------------- secrets/matrix-oidc.age | Bin 939 -> 1334 bytes 2 files changed, 13 deletions(-) diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix index 2031fc6..d4dcee0 100644 --- a/hosts/hitsugibune/matrix.nix +++ b/hosts/hitsugibune/matrix.nix @@ -206,19 +206,6 @@ in { ]; } ]; - oidc_providers = [ - { - idp_id = "authentik"; - idp_name = "Authentik"; - issuer = "https://auth.sprechtl.me/application/o/matrix-synapse/.well-known/openid-configuration"; - client_id = "xoTtitlCqRbK9fjl2VAugYdswYGOLUJUzeV1dacc"; - scopes = [ "openid" "profile" "email" ]; - user_mapping_provider.config = { - localpart_template = "{{ user.preferred_username }}"; - display_name_template = "{{ user.name }}"; - }; - } - ]; }; settings.app_service_config_files = [ "/var/lib/mautrix-signal/double-puppeting.yaml" diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age index 606d7e28e488505ca0cde6a665fa362376a88e80..5471554b3e1c1225ee88841be72747ad99d98155 100644 GIT binary patch delta 1307 zcmZ3@zKv^wPJKb7WwxnfRI){3Nlk#}a5 zc4DP*p}vd0t64~Co_3~7aX^t-S$R}Zx}{l?Z)8AGlxtF&TNziFi9t}Bvs0F9MVUcb zifcfCW4()8u}@l{vvX->X|7?Kc7>OrXL*2GMS7T{Pq2ShX}*hbR!B&;zjstwaB;dX zm%F>6Z$x&wzE_S(Nq9k?MWt(`wzjulW@cefxSO+Msk?imb6Jj`v2S^4fQeaUNO_)f zimORjdbwF}m}zEt3YTG}t8<~LX=p@#pkY#JT78nIXINTTqPJgqh@+3CwvVSzu6K!3 zWL9uWVWdGtsCTxRNtR!frFNlVg_%oKVTl=+r+@2YN=bE zQ)yCRm_dbwSx}{ShDD)4flEWpJ`%WJy3~rKP7) zq(4_+l%aEavX?=yw^w*sUU-&IxlvTUyGeLpg-KyxQIS(|Rbg6INk~OOdAV^?x_hR6 zm3yvNM3SLLN@#k7XP7e=m#(g^f|GN2V7<3@T4|Z3ds=X4Zc=`QS#nZZri+WEW3aiU ze`-a#hlO)Mm_d4QK39fM?-r-d^b@_BOK1IPsh$uym64t2O7|Xrt$3g_SSjx7DR~aze}Y*u&TE%GzjD@c zd8nhZ@)xg8bnV}DoqyCCC%8?%FO>6b${Ue`Z8Dbix&{qAd;OxXt@wZT!-4e1!uaUy z#J@%Lry1O=vfsX29ezK5$}eq!_V*48EiQak4u7zVZCe}1sm82@_on;2pI5St>F#FH zOx{-CNzZP0Uw^&teFpa)rTuf=_1rGFsBB$kvt#jl9tV@M>GQV6E|QCweNueoR_3nw z9=oOT67o`oL0t7$%vTrg5Dto8aCpI&{m&MZNU0odeOY+!wU}>0I#qJLn*=EhsK6Q6PBiqsiN6-JVE@nEIVw&*Uz*}+g(%8m* zto^xsN{qi{q$i3N2XkIOp=|8=L1H(%-b3ptTV7@6S3h|EG}G=dYkg~aTlkx-r{9)m z#ME`4x#-DU;&VYh@K})jalOfJUP!;petY$4+*GElutSQfjpg5pCY_dJtlRkdfY+(y z%9S_FShdwA#mBSE+QoY&ZLdbr#B9^X(zQl^-_CioV{&G(cBX!$Pf&h_ zd2xg_%=R+6blWkI%axo4F@rdd{AxJzbbK$u5)L||S?P-%&ORFQE&g+)qPQFuuZ zS46m5S&nx|rIA5WnYW{XlZT&CMrL?+X=rXpwy8&9NJ&I;U|ykHiix*zUPy+yV~Sg8 zctmQdfm^<#Z$wJDIaf+SSyrK+Sy8y3rF&#{V!gkGTWO%aYjRYoL71CSKt^y*eu-0Q zT9QXdL1~6(a8Ol{xqfACaDIMCMtN9PepDG(L}XBKvWa)Fw^vYPUZQqNXi%8Bc6N|| zR$56)Mp#goftPQFvzt$7pm|1Oa8OxgK&gvUd0M!Kxv58Z~Amsz=EfN_O(X}WV& zR=snPvzNQGenf7zb7fANS*b@rlxaX{hJHnS-xS2nT4yjzIK3i zplg_!L0ML?QCgO<1(zek!;&qPQm6w(AKz_o&s7RmlMPSI z*JzvFUG+VfXGykI?meAIvokV2ayxGG{)(8h^w!LXjxUSC-KPX-#>UKa_O87CIV1Rt zTK!)~eopHXy)R_Ke4pQSt$UlN8_RQBVtLag%Ti|51x;HP74;w3sr664=3ianqN$~~ z9j1$ImARU6I;FWleP7XotgZ=JEce+u`@ifKJI$@aV!eppe%85p;@c$dt~3Z=s~Y<- sbYj5Cqbhnru{ST=miThW%l~QP`6WyDu}`}3;Ng;GY{rk4o5^MY07ySikpKVy From 07f653908b6a599daed74e282835c5954f57b776 Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 21:54:20 +0100 Subject: [PATCH 08/10] feat: oidc matrix --- hosts/hitsugibune/matrix.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix index d4dcee0..b40ab61 100644 --- a/hosts/hitsugibune/matrix.nix +++ b/hosts/hitsugibune/matrix.nix @@ -182,15 +182,16 @@ in { services.matrix-synapse = { enable = true; - settings.server_name = config.networking.domain; + extras = [ "oidc" ]; # The public base URL value must match the `base_url` value set in `clientConfig` above. # The default value here is based on `server_name`, so if your `server_name` is different # from the value of `fqdn` above, you will likely run into some mismatched domain names # in client applications. - settings.public_baseurl = baseUrl; - settings.enable_registration = false; - enableRegistrationScript = true; settings = { + server_name = config.networking.domain; + public_baseurl = baseUrl; + enable_registration = false; + enableRegistrationScript = true; listeners = [ { port = 8008; @@ -206,6 +207,7 @@ in { ]; } ]; + log_level = "DEBUG"; }; settings.app_service_config_files = [ "/var/lib/mautrix-signal/double-puppeting.yaml" From d915a3fe2d67ecca5b22f9c8087931782edbfbac Mon Sep 17 00:00:00 2001 From: s-prechtl Date: Tue, 24 Mar 2026 21:57:35 +0100 Subject: [PATCH 09/10] fix: issuer url format --- secrets/matrix-oidc.age | Bin 1334 -> 1302 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age index 5471554b3e1c1225ee88841be72747ad99d98155..7523d8ecb02913d08e5fc84a29092fba70b1008d 100644 GIT binary patch delta 1274 zcmdnSHH~Y6PJM-ii&;rvK!ICQfuU1=VO5HkNuF_4n3-9gPr0j;OHo>>VQ#8(UPw}g z0hd{@b9zCJPexdfBunSjcqNQU|xsP$0yK$9U zhM#djX1%syRg_1Pxo@^fwxf$*Ze*mhUrCm~uTP3svR^^2Wm$=Na+C_g}+Ip zOL}0wi%UsnwqcT+t3|4hm$8MVzDbFZzh5qwcT`DwQJz;+sb6JOjzzYapHHNIMNqJd ze|UIGM!2z8g`Y)Xq@hQiuU~43k(s|~c!s-kVwGW1NV!LTvb&!)S9q9vplf-aYoM=3 zRlQF|SZQijRB(E7j=Q6;n^9Vzn?Y#4e|nHta!Ej*Q+bBBwp(d(KwxNkn6b8TWJpL+ zN-zd@L1PH{zcg;_>GaEgAeMQBlkv0JWtwqICad9ij;iK~IJahgS$ zL1lq&hH;Q%s%fFVfpaJqm#(g^g1eD_YQ0;gTa;0$Q=ms;u9=@%l2KHuSz1*@xIwl@ zu5X2DpsQnEdZk}QAlIHFndNtdR^+gJU-F|gX6Ff^ry7x_Sz9Ju3S3mp>$mUBrm2n7 z>e(OdnHOK=ksa^5bz@cMHR+p|G<(HmUrxH{EjIOSh1sk*w+_@6miqZDELxI!H~7ib zlg{v!>sTdDP-*x#o7?t# z2it+$JH59Q>zg+gZqbZdDL3iS!jDh2&*tadw3<1qrJ+9e_Uj{?f9Aeh{OpGK-|bH) zzt3*}eX2WqrpwEM-El7ua8Fq4KbzyG%F%J~rxOq{o z=Dw9d0)9Tbx8Hm@t4;Xa1GBDe`D@opr%HuSU%aE|q+ht|hs&MiJi$#>g4TcPPgdUE zv&U0&p&ZYgGwq)ljoItX8?Vhwd2S{!$8?!Y==$VMKANG*)k2q8gpSExP*W*u<-ePk z+G@Av<&}A<$(wc-ODCi#@pvuijX3!!?v?clo!N)1Z*eg=-1c}Z6u-%P>tXLrE%Wbw z$(QOp5wdum<;mmmg_|yIHaq@w`m-5dy}iF=YtB4h^=6h*P`{YJOq3KSUiq1c!+{5}VA71~u?4*)Cv&}|t{k9!1 zKh9p5Io0y>^I5x`&V`6Qs*%_AZ&0&yj!V{cuCj4DIs11-(AMM9;%j&O>%1B_dG?vv QR+jzDcFUicDKokN04WX+`v3p{ delta 1307 zcmbQnwT)|nPJKb7WwxnfRI){3Nlk#}a5 zc4DP*p}vd0t64~Co_3~7aX^t-S$R}Zx}{l?Z)8AGlxtF&TNziFi9t}Bvs0F9MVUcb zifcfCW4()8u}@l{vvX->X|7?Kc7>OrXL*2GMS7T{Pq2ShX}*hbR!B&;zjstwaB;dX zm%F>6Z$x&wzE_S(Nq9k?MWt(`wzjulW@cefxSO+Msk?imb6Jj`v2S^4fQeaUNO_)f zimORjdbwF}m}zEt3YTG}t8<~LX=p@#pkY#JT78nIXINTTqPJgqh@+3CwvVSzu6K!3 zWL9uWVWdGtsCTxRNtR!frFNlVg_%oKVTl=+r+@2YN=bE zQ)yCRm_dbwSx}{ShDD)4flEWpJ`%WJy3~rKP7) zq(4_+l%aEavX?=yw^w*sUU-&IxlvTUyGeLpg-KyxQIS(|Rbg6INk~OOdAV^?x_hR6 zm3yvNM3SLLN@#k7XP7e=m#(g^f|GN2V7<3@T4|Z3ds=X4Zc=`QS#nZZri+WEW3aiU ze`-a#hlO)Mm_d4QK39fM?-r-d^b@_BOK1IPsh$uym64t2O7|Xrt$3g_SSjx7DR~aze}Y*u&TE%GzjD@c zd8nhZ@)xg8bnV}DoqyCCC%8?%FO>6b${Ue`Z8Dbix&{qAd;OxXt@wZT!-4e1!uaUy z#J@%Lry1O=vfsX29ezK5$}eq!_V*48EiQak4u7zVZCe}1sm82@_on;2pI5St>F#FH zOx{-CNzZP0Uw^&teFpa)rTuf=_1rGFsBB$kvt#jl9tV@M>GQV6E|QCweNueoR_3nw z9=oOT67o`oL0t7$%vTrg5Dto8aCpI&{m&MZNU0odeOY+!wU}>0I#qJLn*=EhsK6Q6PBiqsiN6-JVE@nEIVw&*Uz*}+g(%8m* zto^xsN{qi{q$i3N2XkIOp=|8=L1H(%-b3ptTV7@6S3h|EG}G=dYkg~aTlkx-r{9)m z#ME`4x#-DU;&VYh@K})jalOfJUP!;petY$4+*GElutSQfjpg5pCY_dJtlRkdfY+(y z%9S_FShdwA#mBSE+QoY&ZLdbr#B9^X(zQl^-_Cio Date: Tue, 24 Mar 2026 22:30:17 +0100 Subject: [PATCH 10/10] feat: samc --- secrets/matrix-oidc.age | Bin 1302 -> 1330 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/matrix-oidc.age b/secrets/matrix-oidc.age index 7523d8ecb02913d08e5fc84a29092fba70b1008d..83ecc9cb6ef12638d5d62f2ed45252f56b20ab69 100644 GIT binary patch delta 1303 zcmbQnwTWwjPJKjVqPbI)pI5R^YNA`ZWq?6eSXG(6e{oqrxoLP*hGU+mS7b_Ixx1gc z0hdQ$TA*KqpPRQ~pkUR7p56j!-ph_jDNs9{i^vtdbjxr>i~mZ`s?xl2k} zewvF{dYWO9shhuPeuaOTZ)IUhYLa_#g-fPaU~pb>PLi8>jyG44qi14hVN$q$h<;F7 zfp2h>Z@sZ)Xi>Pnx3O2MV@RTZhEYmoo_ADKxND$KN?t^XacHQ%kC%RAlyjhCd5KRp zm%eM6Q(#$oZg#49O1M#FWQ0L*vSnaYS!#$^cu7c*UrA(^t5I3Hv#D`qNshLcXMuN$ zXF#}qQI>XDN|vc>3YTYiXkvw>rDuU}iicy4N4=A&qj!0fcdk#We?gL)Z-$q*vq7P@ zzp<}dPH0N5o403VUU^AasZp+JRJe9QRFXEAXGDQza7tF7iA#xvWpap_g;|M5x~q1& zM`c+?c~quHuAfVim$#3;v1z4qM7ft|innWcR;CK|rZ~dSHlQUSvg3 zPuSJm#(g^f_qkkbG@m1Xt;%TQd)tjSCWx-MpdSfW0YTMTAHUp zNO@>#rB7mLpkruxIoGY5B^#BOo=!Y<$;4pob7z*ekW=}oqjVADzU)Hk`aVw9tHq)l(7sPgiaO%&w(ey4}$M#lU0 z_roFvj=}2!r(V|~-$|o9V$DB+;B_o#GJ-Z6 zKKbEF=Q%@&q=&uVk!*}}Ou zx@{tor#_HcE!loL%df5F@@ajMeQ%gOC#<=4kB|ALsqi{pu1>R-$#>rzisYzb7mQeS z$E`}k>>ArO#_03)NyQuV7U-oX?Fbg!<3204e?m>ta{u;MFPs)GbPzuFeM|Os<708n z*ETiysw%r!_sKch{4ch6;(z14cB)U)w!ep8CD)|rs)ngcJ1ZsD?%rm9w))kphkJfx zhaC9Gaa=U>eAl-x3FlJv#Hu#fUwiJ#dsF-WnV+_4QH^ODpRc|@&stx2V#akJU6v+& zPva$aQ~xUbetD;NZ_RDH^!Z}Pw>VQ#8(UPw}g z0hd{@b9zCJPexdfBunSjcqNQU|xsP$0yK$9U zhM#djX1%syRg_1Pxo@^fwxf$*Ze*mhUrCm~uTP3svR^^2Wm$=Na+C_g}+Ip zOL}0wi%UsnwqcT+t3|4hm$8MVzDbFZzh5qwcT`DwQJz;+sb6JOjzzYapHHNIMNqJd ze|UIGM!2z8g`Y)Xq@hQiuU~43k(s|~c!s-kVwGW1NV!LTvb&!)S9q9vplf-aYoM=3 zRlQF|SZQijRB(E7j=Q6;n^9Vzn?Y#4e|nHta!Ej*Q+bBBwp(d(KwxNkn6b8TWJpL+ zN-zd@L1PH{zcg;_>GaEgAeMQBlkv0JWtwqICad9ij;iK~IJahgS$ zL1lq&hH;Q%s%fFVfpaJqm#(g^g1eD_YQ0;gTa;0$Q=ms;u9=@%l2KHuSz1*@xIwl@ zu5X2DpsQnEdZk}QAlIHFndNtdR^+gJU-F|gX6Ff^ry7x_Sz9Ju3S3mp>$mUBrm2n7 z>e(OdnHOK=ksa^5bz@cMHR+p|G<(HmUrxH{EjIOSh1sk*w+_@6miqZDELxI!H~7ib zlg{v!>sTdDP-*x#o7?t# z2it+$JH59Q>zg+gZqbZdDL3iS!jDh2&*tadw3<1qrJ+9e_Uj{?f9Aeh{OpGK-|bH) zzt3*}eX2WqrpwEM-El7ua8Fq4KbzyG%F%J~rxOq{o z=Dw9d0)9Tbx8Hm@t4;Xa1GBDe`D@opr%HuSU%aE|q+ht|hs&MiJi$#>g4TcPPgdUE zv&U0&p&ZYgGwq)ljoItX8?Vhwd2S{!$8?!Y==$VMKANG*)k2q8gpSExP*W*u<-ePk z+G@Av<&}A<$(wc-ODCi#@pvuijX3!!?v?clo!N)1Z*eg=-1c}Z6u-%P>tXLrE%Wbw z$(QOp5wdum<;mmmg_|yIHaq@w`m-5dy}iF=YtB4h^=6h*P`{YJOq3KSUiq1c!+{5}VA71~u?4*)Cv&}|t{k9!1 zKh9p5Io0y>^I5x`&V`6Qs*%_AZ&0&yj!V{cuCj4DIs11-(AMM9;%j&O>%1B_dG?vv QR+jzDcFUicDKokN02L+=_W%F@