From 95968f6b477e84064df0690816380ce293064d89 Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Thu, 30 Apr 2026 00:46:05 -0400
Subject: [PATCH] oo7-daemon: unlock the Login keyring via systemd credential

oo7-daemon was running but its 'Login' keyring stayed locked because
nothing supplied a master password, so libsecret clients (flare in
particular) blocked indefinitely on keyring.unlock().

The upstream user unit declares
  ImportCredential=oo7.keyring-encryption-password
which picks up matching credentials from systemd's per-service
credential machinery. Wire LoadCredential=oo7.keyring-encryption-password
to the agenix-decrypted secret so the daemon unlocks at session start
without any prompt.

The password itself is a fresh 64-byte urandom value encrypted to all
desktop recipients (admin SSH key + mreow + yarn TPM identities); it's
opaque to the user and never typed manually. Owner is primary so the
user-scope unit's LoadCredential read works without elevating.

Verified the activation script chowns the decrypted file primary:users
mode 0400, the user unit override carries the LoadCredential line, and
the resulting drv builds clean.
---
 modules/desktop-age-secrets.nix          |  10 ++++++++++
 modules/desktop-oo7-daemon.nix           |   9 +++++++++
 secrets/desktop/oo7-keyring-password.age | Bin 0 -> 785 bytes
 secrets/secrets.nix                      | Bin 3359 -> 3419 bytes
 4 files changed, 19 insertions(+)
 create mode 100644 secrets/desktop/oo7-keyring-password.age

diff --git a/modules/desktop-age-secrets.nix b/modules/desktop-age-secrets.nix
index c54bc76..dec1391 100644
--- a/modules/desktop-age-secrets.nix
+++ b/modules/desktop-age-secrets.nix
@@ -66,5 +66,15 @@ in
       group = "root";
     };
 
+    # Master password for oo7-daemon's 'Login' keyring; the unit consumes it
+    # via systemd's ImportCredential machinery (see desktop-oo7-daemon.nix).
+    # Owner is `primary` so the user-scope systemd unit can LoadCredential it.
+    oo7-keyring-password = {
+      file = ../secrets/desktop/oo7-keyring-password.age;
+      mode = "0400";
+      owner = "primary";
+      group = "users";
+    };
+
   };
 }
diff --git a/modules/desktop-oo7-daemon.nix b/modules/desktop-oo7-daemon.nix
index f5c44c3..90d42a9 100644
--- a/modules/desktop-oo7-daemon.nix
+++ b/modules/desktop-oo7-daemon.nix
@@ -31,5 +31,14 @@
   systemd.user.services.oo7-daemon = {
     wantedBy = [ "default.target" ];
     aliases = [ "dbus-org.freedesktop.secrets.service" ];
+    # Feed the keyring master password through systemd's credential
+    # machinery. The upstream unit declares
+    # `ImportCredential=oo7.keyring-encryption-password`, which picks up
+    # whatever LoadCredential leaves under $CREDENTIALS_DIRECTORY. agenix
+    # decrypts the secret to /run/agenix/oo7-keyring-password as the
+    # `primary` user, who is also the user this user-scope unit runs as.
+    serviceConfig.LoadCredential = [
+      "oo7.keyring-encryption-password:/run/agenix/oo7-keyring-password"
+    ];
   };
 }
diff --git a/secrets/desktop/oo7-keyring-password.age b/secrets/desktop/oo7-keyring-password.age
new file mode 100644
index 0000000000000000000000000000000000000000..1347efd741477476700a8b50b32893e8998e877a
GIT binary patch
literal 785
zcmZQ@_Y83kiVO&0xDjV{=x*QN<=^d(pNtJQwNPt5=X;BH$-X)Vx80{db>4qpvHau_
zPN5yg<4TT|hA$C+7qQ<q{ph~d(_e1hZ%!(oP$+gtcz@EnWbFe2JqOl_K8@J7k2Bf#
z%60!V(U}H^f*Tn&@b1Z~bbgY)RNVaN-ox`|EMI=}$g)ziBPai|{W@~$?K^>MdQ&Sl
zT&O#pTJZG6@x=8Hjue<HmhO2`lIih>bzS#W#ou11F8mE}<L~@^<H5hEtcO{*-`qBP
zJAe7T6BG5;oq7`)d&Vq!)AQh{LxmgTy-jBR{<1I6>DOkxr2i+I81@!S*Phh!|Ne%4
zfqzcER%P|&Yd+l46yjr>#AL0rWmlucf*pa^uc>`|?|NM7{-XPWKiZ$&PT4l+S>>CF
za}2MiUeiyXFmsJ{`i1*9_ek5<H@x`xM)Kt1Nv@~AoW0P}ZFMi}=YvamlQvHm^1l+h
z_1N$86|-MS>A5qlD7@^vZMVg~6|3JSF3*3g<`EFCrxmxa{;V<oys$fJe{EjM8a{1i
z)2+1Gw&;|T=k9Gw6>hU!@Af#iZe^*8r+8Of#OIaIGPuv{y)=^c*($x`hQ|Ek?p#Gl
z^Ve+oC)}ufkvrebc5A#&dv;1wnd|cB9N*phdvpGL-|*+DGJi^?W$5RdOY;R>q$^af
zUyu}dwbI?|k;opW%9!6=#tXmxvz+DmS@rF&OX<Ju^_ew-|HmzPv?OxF)vF70gYw@v
zpPwC8J;hi+>@vsSrNKTCJ!`Lp1nvB8;#p?Mb~Nhr0=G?XgOX%7)Ma?`tzbX&x9sMv
zEs~s5kJpvGe&pe~O7{C?q3nk<KLliGnN%+2O`onYS@w(hq+{J1OM8WyuT@>q-*`Ou
zbX)DC*E4u79gF&TC)h7eYu}WQ(GDhjAA|WMtG|A;ZDIA$aO}EzK>l}fy!X<&`FCG0
z%damrSbXy5!Nl_{z5TD2WUh-|+v?GGZ^7%YpU(fi6WC~5^rlo|Qiwsb%p(2AdzK5_
z_cipGKGVi-p39DUr+Zz03%33HTpe=sPS*dafA*%w$L~9N^6O879cfJ0mq;7){N2#~
H<5@TW_WYub

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2eec575aafe3150c198b331ea69d2f174ce72590..886c5e264e75a1e6d13bc3b0d0640b87817a4e8f 100644
GIT binary patch
literal 3419
zcmZQ@_Y83kiVO&0Q0*(*wTHh&=Kkuatr_RuO?=Ck^-h5Cs%FcC8Abm6DqgK6rP-Z)
zO04nES151z^YV$X_LO@C2Xe3cVA(&Z&Z)NU7^k}U6uuuFr#F1`J-u<};Zz3AUt6B1
zxR?HqZ+Q0hP~&~CRDldD^KFU+ESjxKRbfq+pJX?L{|&hjd{4ym)#c1-b_-u?D^0w`
z`|HYnx!BsE24UF;FJ!OHO!~$CaPQt#&!*pd^K@5m$OK_?UzPne$&XL5h7?M(*tE<(
zdG7VA6O9|!+=yTOj_snLyVj?Yt#0BEmi(S{{=3PwBa@o1-Vwj}S)60*$|-Mkc%{-r
zdqZ|uK6<sXqa!JC>)r1aS_dwDY*=%Cn+ngP8A(F#9}8YDVUW4&?7a5MyesM6IezVP
zL=<>df68ch(X`yIbECt$6@SGVZ<PfY_lexNx28nu(7(IC9-j)*-FY*(S$DIv<%65+
z<_0j>P4!mmYya#y=is3X7UBM@(!m$q_*IqHXTExK=y=hQy^Nt!Cr-{=B)?9>$COWo
zlj&zEZ+2ef`wCXo&5SMO1^S0hWHZScbE>3AM>RbR+4U*lj~n0DiJFHdCv*jfcsy8i
zzWrp@k}SiTsR?4w?ygmB{>k-BsNX}TP4jemh2Wu_%a^Zg`BofV?D3#A`7VQStZfX#
z72OZ>@1-1eEPJ(NiKgG~pLdf#&UU#|mS_G-;=wG-c_-%I7ISEyyM8IxWU-I+z7^a(
z^`}&fnrFAM8~ivHln}7*PkU8L^*>hqJ5zSc%x!F`Qc+%6&8jMLVI{v*PxO&9(Z6LG
zb&_t(Y@GMRT7GN(QfHoZPV-K!4f8#-r1DMD*~*s70$z15d)t|o<TK8H(!R3zo8u+d
z!s+$dCoi974O=1S^2FI?)neDv^B!<YN+q9sa_FGj+=p)xPPUxB(KshaC^AwqDsfBO
z4EfMWrUIL++*9&Y7Hu+RTDRd(?41P*YPP;M+P}?w<&_EZKVMqZ{XWq8xX;7oEvyH%
z%+|ZQb?%mqJ^FXo?Cq<TyxF{FkHU=p1Cfi~?{hGSJ9*{Y$=3$YRO64Y*uiC*#m#qc
z+c%d7Uzrb8>8_i9LwVZ&m5xqwyArjX7iC=3-|BOGMeO~zF|Lno6^_1aO%Ry9*!QdM
z+pMiW7ASn5_ebr=d9$0`b1v-^^qa$>x|D54<KBp?3tgnEPg<W@#$yxr<=dJK>1Pl2
z7X5V;|IJmnX1_$XS%FdN_0`+?!jyv4&X@DsZj;(RcX~?EokjZtC10QP3CM~4-6a2Y
zQ^LW+2c|22e171;-NNb#?mIW{ow#Ug#M&GB>f37idukX3OGVZ(Y%TxDvZX5j1G~P)
zMF&rhnF+nB<<}P}rQO;6pnLIwQ#*th9hdPnS9`8F6=YrC&&{B2zsAsl&t#o=%fXwa
z=XNb=xciCMtyZl)q(0!?`z3Wc65D1Uc=0xKo095e+e6`UK_0vhv{F_(Pnzsi<WTo`
zw&l^>u(%g3Y<aoo*S)!7#1&vU|A1s@wR4Q-DVMANq-KRbk}scCFOjiz`?kUdc4p$M
zS6(*kd3=18knxtI(>GpfcsOTUxTxXx?Hp2zwTjoAvs=eu8~yn89a*>83%A8>&F9-K
z(dlgD@=A1zyZ5}xWXaN9&8yxgE?OmSl6zyV?bU-?fAhV4>kfJ^OP}>AL_+V=58btf
zxzkoP9N9AM!J^W~X}9XNcA4?%6)8sed}RF4;dtVe^^`)@73VLr9r$@<O}?*;D#P{J
zoTpA5(4M_0U~5U$<+6h;UG4T_>etgIPhh;BV#VBCy8UsXgVoxOqf4iKb+FvXo7w)1
zsr<31sKB`fs{@yf(q08dYUXJB-nDPv5@U8&^*$fZg)2QPnvQbG)OuYvEb*;2J9Pf#
z29rp=otp#}O#QHTiq!0!4Rs%9#3Y)PIL%}<6Vy6*P%-tL;q(13m8P7zC@{5tM<NF=
zpP<X;>A4+izuaJ5J9SUjob;!Rjd9lvO5N^Vxie3z!pERv^{#&(reBb6RchK$%;<Gw
zuJiopMZ!!AOxfoynRjG+)n5fE&y;`B*E!tkf0g*wELs|=e^<!=;+l-6VA0=l0V&43
zLG1dyzuuY1AJ^9^p3QZszCdr|!-7^d`%RA@&R%@@%PE5ov3KR~GX8Ctw)~2T{ywLB
zAsnab*}^3+9kQLVvqfmX!0z|m&6yHqhPG!d<lO4l=M)ysp2jtA%a@NgCSK{8qVgg@
zZl&M}y(f+K?YvLEd0cWmy|qp)jj3cNPv&gtq;sn?IJD1-tEQSvP`@8oP?dY<&zz>R
zEsu=LcJBT?cgMWI5Y>)JZXCUHlO$id&iX5LU=z<Offe7MACF`goOI%|!M>t@rB@@*
zcJFw&&C_gG<HxMET$k!R=C>Oq?@K%SM@W9*J=-cjx$Kwk!sapLtl=uV$gdnPu(tf$
zk7zDdzSjX)x|g?POE*qPu{zpNBKhZB*k(QTKUQ;im-^j)7!=F-dsa=((R;E}gY-Vz
z?Gc%*9_1PQ>4J9E&Xno1#hq7|>x5i8@Hh0zHh+ojcUm5KthaTVtHg6C;@-qVe{b&k
zG^<Sb^Ax?B*@EIvv=7CHvmfGEbw<)vYq!#S&-~X@O_L|P%oMlo6Vej?t8g;?>}-qB
zisXVtKenkWm!3G)XOVJKrDLs;`;Gf`@4|YNwpga!y|dEYV$rYIe#I3L46_a9Y<PI`
zK~%|_NB2q<m3K{A^ZCS~)pK+%%#h5od3uEJviQG(DPEy-{HC;j{Hjs^w88U9)k^2G
z2g#eG+uGA|Iv*}Pp&xos=iX8Go5$uReqC6~B-(X-|53J|oYws(pJzCHEuVU2(yn(l
z`;Uo+?tfe!^P=UvaI|aS5wYc)xjts)S@=j;-2QA*R_bfHd%fZP<!?Km`m^7k8sb0g
zoBaaqMR8fODf{K*Lhc=VZfosU&b``0*j=J#L4eeTy}BDdww(&vF@H;a#nP?DGv=hG
z9pL-2dZGVq%h#7@oPY3S;>X7AAI10G-}HBe>6$!^3Fgyo+<9fvka;okjHiTD=DC+4
zQWKI7#h38aUVUxLnJpk{yUjFwwi3?_>)-ErUu>QuUcR#;aff`6yl3cvS2j}1S~D|l
zpJr2KZ?FGx$B~z>Tl;qZr5Y~2*U~rVPuqIs$*Hh2+@e834>O|8v%gHbceX-h&67or
z=lgRQx1RE9uRgickb6#wNq60aSCRX(=TF}FeeZEro$c;>yJmd7uxS2M`R==3=PQp_
zn6Tdp^5?cpn(-`xfzQSBp!v7@X+JaO$ogmSOMP2Dfh!^G^?#R$V&A<I`{j;1n6xlf
z$<{l|>{p++`E}m%yVgOb<uyL1yc}$VtM_hsDZ!XwKH-V1k{&<vd3Ce6%%qNq>eKY1
zx&<`qeokCnswZdXrNH#D)N6rjLwax5j?B;BwEiy0+;VX81n=AWYt;X+zFm|STDwPW
z#i}m{vgH{TPV!i_sA09?nU=ojgtkn}Zw{B^`wSJ&`F?q~_C7=9qA&YW^b9w1o_=p~
z;={TfpZTW$x{>>j!>W0@Ytt6xO}z&~YyAvV76o}Ma}njARsZ{uR9MHyEe<~AEI(Wl
z6<Du-nz`}1%jA`fM?RNs{V}1%Qs-LkP3t?$+27{f`0-pkTr0uaXu9H*&l|StGt5~T
zvsJw<C%W&D<Atf$F3mo;prPdbjo4j0C!hQ?-)-~qk@$+mno1@+CUG2ECj9%|y;a+`
zXFPkk`Ek~tx=SCPh&?a3^>d}&j<-G!(@$sg=Nblftvr2rqRwRXhO?^k@5XL>P=C+y
z>G{*s<~8|zwdgF#*sQs5Mef_TAJhHT^_B-|7|o9r?v?D<cr)onS3-l~oPx}Zz?itm
z@@>(t&dd4S)e`1)?_qq+c0#g`RpIG}AFuaWt<M*Y%YNGbaazolGr7k8DoZ+JB|h2w
zs$EyDn|&ql=hL~YpVmiMXm@OTx=Xe*X}<4MgZS-XCySrIxykzP(W*1je7hG*8gJoL
zGRX|A?T<RiD|s&C;^ET<26BDpKCCF2!O~vSt~y7Kb!8oMfls-j+^@?97vGBH|9{2j
z$LzOdLga0^=&QnA_og3<`SaLJur5v7d`7DvcUg$gTaT)V0=FxD<m$T$t(1>GPk-BI
zlRwezRJ2;p`>NQO63>8$!f6ZZBQ;;MG+QoNY%lTRkiFBIs~xhTLRU18?_QvP{K*{=
zueG-S=6#s|^_X9DKL4v96F(fuFDeu*oTK=<PIJ<gm4a%YPZXwJX_=oTzLfc*Sk`3;
z&o_-9-KTwg7VUko|B;!J)nxA8@0U!N4`-DGiOZajXma~?<@6+XqdQmQ1FzoRsW-8o
zqvvM%yfDuzS!+0t&-$~YXwj5a+x51U?QXN^TXj`v^AWENi-gtI{FfHn^8R9*(E5`+
zm6<zO%50?4?ku)R`Bs@6R`nxt--?iyeXq_s?+K{3aM=58`nM@v0-xG-{_K(W_O7~n
zF3Is?PFLgG?u2=@tPAt5YdPP0mEiPY{hxp{%I-1uW=z#`n*LHfzScqY`6_dfcX}so
zzMOa^f0FC!TPoA;{JG_P{Jf81^$`_@$9x7%PMeK3YrS*iIsN5Yc$!9o?QFH%884F@
z-x)hUno~0I?c8gf|JxMrWOB==O4zMXi1}2Z%-HZ@wp#~Fp^N?P<14?ef95R06s{3u
etLpK1@~<27Urg@!RNQH6V)p6##`m%>rT_rIiL&DW

literal 3359
zcmZQ@_Y83kiVO&0*b(*AXQF~}wbB3bXGg5^Bu}j}co*JPR+e&3C^FbKct&NC+uFJB
zYz}c%Tnf6tQ{Ry#<X*TTP~ifz(w82Ml=;hNv^>ZcS!ua0nzNNxcGJfA`5V&zuF(nZ
zXgxUP>NJbolOHxLf3#Cqchaf<)j^CurZ@avZudM$V$lZQiuShFbk8rnMtxfgw_VX)
z;VNtrEx*25;wz7O?d7;7y_16`>9BoWIPaCN<!a6F84qT?(_%f-#;BTGU=XtMTi8|s
z{Ue?|o9+qDi2QtNd!ftmH3#R}bxJI|e%rtQ?C)Upb9o2CvS#^2n55OY2`W2pl8||Q
zgvHZI^1{A|MOCp=k7RC)YJIlpp3xeXXg05am<!wMZg-weN}u!1Fw^+O!6ixBPkSmC
zT#b-il(Nl#qru`i99ogq->+J;bhy6REqd%j`@yvO2<MddX;HIl6vO}B+aL6@S8C^#
zd+pMPb@qimGR$MxlFGR&=lT`<z3HzuM+(}PGRPfE&GCA6e9u=M;aHvHyB0pWA?ws_
zpQ^_!w=ZU2{R@ZsGfxC~Y}0>at}f3xrS<EL#L5-_Q%g?kC7k{3TIqdUOn=VLB#9>_
ztJa(d)c-$8@n48&gu-RVi^i=n@zX?V1gh3OuISC(Fg4=KvJX1~*0V(Thox3;n>O2_
z!Y3;-$I5tpEdRUMokuUv3y!~*wSVWry^|yazN-qweU|bl@JcIn@fX-S!D9Bb!up!q
z%!ZbkN%jj4%?{hKuS}`jC-!sxl(`P`rastsqjA$h%fsR?`z^F*b(~9#`KTwetLoUZ
z&@}~73D!41vU9PO-#`C}F?$iyJfTM?=05tCY*e@C&%tHNGv@kyzp1!>()pl^N1`6q
zl{kGUd0zb0+~zT><?K1HG8ecTTisTSeQ16^C&qH4#Vn`bwI3U6Jc1W!ta$w{A+Y$_
z_DZHrv-<qa*DRm?@!jIW>#1_PHZg<-3%y=*Ou{99I^WFqUe=lhrBV~pGsNaJcIQpW
z%iccil=A6U*LkLKaMxcboAFy%tk!7)_mn4Qov)R?Rcv6LS|9t=$z)r_Yu5Huby<fi
zNr5YFRrqQ+Z+ar*?@;pi?t}+(#kJxWu6ozAA=UU@-{xl<Zm-_a5IkXj{%6gCq6P0K
zmLzU{kjTz@)IVcd`A*iC-l~&qGE}eL_@Q+(ynUwEga8hg`c|pWYPEm+<F#g|_&wiu
zJLtkHyT+YI)Wl}3bSn({=o0OHd8QiEon=Lbln-94RLe*f-(PQX{CV|0sq=x?r3z0+
zzMssr%;%laS;p!*qka?jc`lq5H@VVpMsJT)_Dn8Vo?h`kvrl+8Lk^!sy8D{~4d10_
zj!9nn=UOn2ZE5A}2K$fK=j}b#v2NP?YqO%_?$vX;%zV4TQ0capL)7`C>2WKbq;LOz
zJz>XX$*aBJZSJpP{n|cl>#Mb21)f+Wq%ZTfi=Fjj$_{tY3kGs5-@TI~KB#aW{_|(m
zhgU)>o>MPIPkxkNbtP}L)*CsmdrrYimOe7wxnth>*sS^4o+Xb<S$&SJ3c4#&ci#K_
zp9c%$?|;l#_-dm2<#TFXUAtm0C#?A0G9l7x<C6W+uVt>?2-5i~|2s`;2X~a;m+h_R
zQW*<2ni%r$kDGjS<L!lf`ID;dA3RX~Xwscjk+Z6=jZ_`h?PKrun=q?M>f?sw<)Y2X
z>;093{rj7}J!iE}jE`gI(x0i-`1;ZI>juo6Kf>qTzqLSh>Zik=W{1429E%P=6qu(N
zv+k&ss6gG~qb%lg)F0Ygl;2&hvgg;Fmm53RUa-+#(-huw!ET;cEK}Ea;s4*Oy;j9s
zoAF%fV#PVp50e^#d7k#`a9G)Q39<ULUO9NJbb?3Gj16&h*Jg+@lzl&@(e-HWic{M&
zqGj&=Kk>xu{Tl|umE9?auT9q6tYGbbMYyNZ<GS6((CzD7zr>w+?7Q;+-OS`U@vHgu
z&#$q}Sf%mKhV62J_P4X|(^PhKtg`x0Ab)B`jd=XU`li=$f$@(gOq#U8YH~qQo!KR~
z{K@AQ?%?ac`SQ53wdd2MgTCF8cg|T|&Wg<Jh!AaMyb$nt!IZ`s|F$Mi=vo;+P5WGr
z*J0n|CnjmiC*E4(wE33B^7(o_{&^x7P9{n%I=^B=iR%6=_w3Jh$25;J*kmWq)6cpd
zvcOz5rzuqOSVyU?D_7Rl%G>tBAF^X+`?lKTB*m`$dEe6dCgZMU?|#KswD0?S{jg5W
zj3C`7((`$a&buWtcjGs%nB^P?)h=z8@%p%v)9um4^#?rWH#+vXHC$&_2rj<!ZL){Q
z()i%!RSBj4r!f7_iv8<!{>b|eOYL>9M_sQ?V2WRG)uqGl_rasjwIY^%+f?iRvh{!b
z^YiOcI?Fv5-h86H<%!WvE2D>@vphd$?K_azX2rF>x+tQw&T#RgRi-kNuUAae_$>YM
z#ijLTHqZTZmNu|WHk@^7)w?wde=ya|v9nrz{P5{R8_qoP)sNA9_3~EM<v@*P1@nso
zQob{P-K%^1MCEU_tDpXevghYtlg;Ngdp`O5n-_PkZR~1aA2D(6nfN79w^Z}8V-5ds
zMcmTbx_94h4NJwBG8X=v!kUeB(=?2&A5A>&vsrW3JTA6i&WhW!-`tM07S=Fc%1|#N
zw48GnkKhyTCeN-X5tF7rUOKDiq2R+6Q>Wb!PhTJNBJpNssM5z@pFV7|_*;|p?p7by
zwIwV2@_pYuWZP!d>1>(zEO1l&NgXT6iPn2I9~V*O`L*GcdB?3iD^-NW6E3Eu*!vmW
z6lzsEY3H+|qUfR)fANva+GVAeIRpz-El#CwQNCT5W+lAxwN&uF`Rb~yq8It&ULD@)
z^z&Q5j9Cl&oc4L@ah{qgJYmJreZLmBx&7EOg}p-|Y4z>ZITG;&N)P)oFMsv4tv<g=
zY()-B4A&Z!%lqs0FV~g{G=3;q_@K(Fb6UA7?=vUWPgWN7dvaO#E!H<O*v{fHTZX~^
z@8zqnzfSFWyGh0(p-=Z$Iw$X|o4M}<Jyf;sOu67ONwXpOkAlmkyL)?Nd`zbNn|Q)I
z_haefuTNJP)YYvy|6-O}&xsq?15P{^jd8Br?-IxL!}7yZ^}CY0zB(<<Z~h;1oa6eX
z;O?*>+gKl#uT}ZG{&Am^+hB8ar}~2MQzq4`-}U}+KH$M8V7~8nwo60zZDspSkw$lK
zUY^ZZ8Yp|6x1v;N!girx3$`^nlD)|lA2tQ_*oiF^-<Wuc@2d2sT9-p_Hwl<TB;Nji
z!LL>}NAkdo&zcsQ8-3-@PmN9cHvQk8mR)k*jSJ_M$loqHS)tHu##O`p^*ra&-Oc>n
zMw^<Rn6h<k`t;%8T-9CKf?_HwzB5Rs96FXg>F4>+l@Cf(mpn*LYk3>FyD+#)#_<u8
zdHkZesdu<j4sw^*$o-oq+ikb&{TrsQ501*JxwuI89+~au_t~O$0#pC&E}>X|tKVM@
z7ft0eWmoSnRL;@4D$xD@)PtD+CY^iZ6w6bWT72V5^PJ`PDc`m7($$vBp}8@d*AH3O
z=WTz-cs9eOjk&bprxjzlAlJ_G3)R=>^jb;#UD#Tv^*>Q*-)6@&GuF=w*C(1hd7k|>
z{D#wx&$ph0J`{H3y7KSFo1h!=iw~ZV`!;*uPkkwc>#f&UFcxHP-~ML0lY>oe*=3)<
z$GDy|HN8HuxXM^LE8*&fjrV0gy{O75Kd)!ls;v{Qb0c0=Z@JwTo8~)n4jJ{Y;r@TM
z`nAu?4=YZyEc<81z4A;+Mg0Q(dFh^ugg<;0GMI4e^+X?una7uTET1g${{Hh|r-BQt
zQ<hEfTdnBXqO(er{o|oV+rKl5np4<i-s}Bg_d2uKPwAneQ;?o|r-J^Sj}mVWUGS7{
z;Nwb2Iw~Ki_@u7j$~v<-ooU-lW?3$(RzF(HW;aL3yIONa*<@z*b6vK&TPm5Y1Z$oy
z{4lla{<h7_)+;m4e(T|5v+ea3pQIl5-2uXBRZTY+?b>bdY^AKFMaj(ar3*{=W?baj
zxn8cc`e<M0a+`Jk6N^42Sd}h%aOIGMW>M7_J2sCuW<oQ%mj`wKcJQ7w$wSdnVp>#$
zQK?vv!+~@1cdM@c+9=ZK*1N%eW}kJ3S?P`srLDFb^+oR=Y&2HgB$6v@+nDh#VV#c4
zEEhecr-cXF6^;k9mWte-6Tj^V@05F{?gBpPmHXPbPM)fKY~Oc6EL7&4e%XdfyC+-k
zOjqRBzpeLw@nxZlU9b4Jtq|J3_u`i=f8CEx@(NvfYvPXv)rek`cI^{t|Caa9={oHE
z+s1CSUvG`)m%TRXLM@g%*RO4z8z<WAV|2MU<oi2|Ip4p2JnmP&$J;3A&aZ&bpvpr_
zL*4Iu-_579*>B5%A0BO@LBdwXH<si(r}yvGs8;R~S|(Z>bK~U0SxxerMVeknC&e_K
zOFE%^=WSx-B%dvZmUJY1^7wDH`x8%x*SUk&G*3KBQ|Q^UoZs}%k8AO3MLA!&+RhZ#
zo6Q;YPt?|Auanc`K=yc<y+Ln;*q+Pk*jyF)Iekgp$){^0^`E&OaeH#C;Xr|&l(6k4
zHRZzRXSF=OXgqwdUvOS%_GPb`kDdie+%Ga@yb;IRGQ;+v_TAFUAE#Wsbz0ppY0E{c
OpD{)D8tc5P?*jnA5R1_O