From e719b1ed495a5853ee6464f45cbae218a6ddd4c5 Mon Sep 17 00:00:00 2001
From: James Valleroy <jvalleroy@mailbox.org>
Date: Sun, 21 May 2023 18:35:25 -0400
Subject: [PATCH] shadowsocksserver: Add separate app for Shadowsocks server

Closes: #729.

Tests:

- Install Shadowsocks Server. Install Shadowsocks Client, and set the
  server to localhost, and set the same password as the server. Use
  curl to connect to local SOCKS proxy on port 1080 and fetch a
  website.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Update some docstring comments for shadowsocks clients]
[sunil: Use the term Censorship instead of network filters]
[sunil: Prevent enabling both apps when setup is re-run]
[sunil: Update typehint for a privileged method to be minimal]
[sunil: Accept connections from external IPs too]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
---
 debian/copyright                              |   2 +
 plinth/modules/shadowsocks/__init__.py        |  21 ++--
 plinth/modules/shadowsocks/forms.py           |  18 +---
 plinth/modules/shadowsocks/manifest.py        |   2 +-
 plinth/modules/shadowsocks/privileged.py      |   2 +-
 .../shadowsocks/tests/test_functional.py      |   2 +-
 plinth/modules/shadowsocks/urls.py            |   2 +-
 plinth/modules/shadowsocks/views.py           |   4 +-
 plinth/modules/shadowsocksserver/__init__.py  |  96 ++++++++++++++++++
 .../shadowsocks-server-freedombox.xml         |   7 ++
 .../freedombox.conf                           |   3 +
 .../modules-enabled/shadowsocksserver         |   1 +
 plinth/modules/shadowsocksserver/forms.py     |  43 ++++++++
 plinth/modules/shadowsocksserver/manifest.py  |  13 +++
 .../modules/shadowsocksserver/privileged.py   |  87 ++++++++++++++++
 .../static/icons/shadowsocks.png              | Bin 0 -> 16487 bytes
 .../static/icons/shadowsocks.svg              |  62 +++++++++++
 .../shadowsocksserver/tests/__init__.py       |   0
 .../tests/test_functional.py                  |  52 ++++++++++
 plinth/modules/shadowsocksserver/urls.py      |  13 +++
 plinth/modules/shadowsocksserver/views.py     |  54 ++++++++++
 pyproject.toml                                |   1 +
 22 files changed, 456 insertions(+), 29 deletions(-)
 create mode 100644 plinth/modules/shadowsocksserver/__init__.py
 create mode 100644 plinth/modules/shadowsocksserver/data/usr/lib/firewalld/services/shadowsocks-server-freedombox.xml
 create mode 100644 plinth/modules/shadowsocksserver/data/usr/lib/systemd/system/shadowsocks-libev-server@.service.d/freedombox.conf
 create mode 100644 plinth/modules/shadowsocksserver/data/usr/share/freedombox/modules-enabled/shadowsocksserver
 create mode 100644 plinth/modules/shadowsocksserver/forms.py
 create mode 100644 plinth/modules/shadowsocksserver/manifest.py
 create mode 100644 plinth/modules/shadowsocksserver/privileged.py
 create mode 100644 plinth/modules/shadowsocksserver/static/icons/shadowsocks.png
 create mode 100644 plinth/modules/shadowsocksserver/static/icons/shadowsocks.svg
 create mode 100644 plinth/modules/shadowsocksserver/tests/__init__.py
 create mode 100644 plinth/modules/shadowsocksserver/tests/test_functional.py
 create mode 100644 plinth/modules/shadowsocksserver/urls.py
 create mode 100644 plinth/modules/shadowsocksserver/views.py

diff --git a/debian/copyright b/debian/copyright
index 671828216..3cf95666f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -232,11 +232,13 @@ Comment: https://github.com/shaarli/Shaarli/blob/master/doc/md/images/doc-logo.s
 License: Zlib
 
 Files: plinth/modules/shadowsocks/static/icons/shadowsocks.png
+       plinth/modules/shadowsocksserver/static/icons/shadowsocks.png
 Copyright: 2014-2018 Symeon Huang (librehat) <hzwhuang@gmail.com>
 Comment: https://commons.wikimedia.org/wiki/File:Shadowsocks_logo.png
 License: LGPL-3+
 
 Files: plinth/modules/shadowsocks/static/icons/shadowsocks.svg
+       plinth/modules/shadowsocksserver/static/icons/shadowsocks.svg
 Copyright: Clowwindy
 Comment: https://commons.wikimedia.org/wiki/File:Shadowsocks-Logo.svg
 License: Apache-2.0
diff --git a/plinth/modules/shadowsocks/__init__.py b/plinth/modules/shadowsocks/__init__.py
index e8c7b75a7..9707a87eb 100644
--- a/plinth/modules/shadowsocks/__init__.py
+++ b/plinth/modules/shadowsocks/__init__.py
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
-"""FreedomBox app to configure Shadowsocks."""
+"""FreedomBox app to configure Shadowsocks Client."""
 
 from django.urls import reverse_lazy
 from django.utils.translation import gettext_lazy as _
@@ -15,9 +15,13 @@ from plinth.utils import format_lazy
 from . import manifest, privileged
 
 _description = [
-    _('Shadowsocks is a lightweight and secure SOCKS5 proxy, designed to '
-      'protect your Internet traffic. It can be used to bypass Internet '
-      'filtering and censorship.'),
+    _('Shadowsocks is a tool for securely forwarding network requests to a'
+      ' remote server. It consists of two parts: (1) a Shadowsocks server,'
+      ' and (2) a Shadowsocks client with a SOCKS5 proxy.'),
+    _('Shadowsocks can be used to bypass Internet filtering and '
+      'censorship. This requires that the Shadowsocks server is in a '
+      'location where it can freely access the Internet, without '
+      'filtering.'),
     format_lazy(
         _('Your {box_name} can run a Shadowsocks client, that can connect to '
           'a Shadowsocks server. It will also run a SOCKS5 proxy. Local '
@@ -30,7 +34,7 @@ _description = [
 
 
 class ShadowsocksApp(app_module.App):
-    """FreedomBox app for Shadowsocks."""
+    """FreedomBox app for Shadowsocks Client."""
 
     app_id = 'shadowsocks'
 
@@ -43,9 +47,9 @@ class ShadowsocksApp(app_module.App):
         super().__init__()
 
         info = app_module.Info(app_id=self.app_id, version=self._version,
-                               name=_('Shadowsocks'),
+                               name=_('Shadowsocks Client'),
                                icon_filename='shadowsocks',
-                               short_description=_('Socks5 Proxy'),
+                               short_description=_('Bypass Censorship'),
                                description=_description,
                                manual_page='Shadowsocks')
         self.add(info)
@@ -83,7 +87,8 @@ class ShadowsocksApp(app_module.App):
         """Install and configure the app."""
         super().setup(old_version)
         privileged.setup()
-        self.enable()
+        if not old_version:
+            self.enable()
 
     def uninstall(self):
         """De-configure and uninstall the app."""
diff --git a/plinth/modules/shadowsocks/forms.py b/plinth/modules/shadowsocks/forms.py
index 102b77baf..076864889 100644
--- a/plinth/modules/shadowsocks/forms.py
+++ b/plinth/modules/shadowsocks/forms.py
@@ -1,22 +1,10 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
-"""FreedomBox app for configuring Shadowsocks."""
+"""FreedomBox app for configuring Shadowsocks Client."""
 
 from django import forms
 from django.utils.translation import gettext_lazy as _
 
-from plinth.utils import format_lazy
-
-METHODS = [('chacha20-ietf-poly1305',
-            format_lazy('chacha20-ietf-poly1305 ({})', _('Recommended'))),
-           ('aes-256-gcm', format_lazy('aes-256-gcm ({})', _('Recommended'))),
-           ('aes-192-gcm', 'aes-192-gcm'), ('aes-128-gcm', 'aes-128-gcm'),
-           ('aes-128-ctr', 'aes-128-ctr'), ('aes-192-ctr', 'aes-192-ctr'),
-           ('aes-256-ctr', 'aes-256-ctr'), ('aes-128-cfb', 'aes-128-cfb'),
-           ('aes-192-cfb', 'aes-192-cfb'), ('aes-256-cfb', 'aes-256-cfb'),
-           ('camellia-128-cfb', 'camellia-128-cfb'),
-           ('camellia-192-cfb', 'camellia-192-cfb'),
-           ('camellia-256-cfb', 'camellia-256-cfb'),
-           ('chacha20-ietf', 'chacha20-ietf')]
+from plinth.modules.shadowsocksserver.forms import METHODS
 
 
 class TrimmedCharField(forms.CharField):
@@ -31,7 +19,7 @@ class TrimmedCharField(forms.CharField):
 
 
 class ShadowsocksForm(forms.Form):
-    """Shadowsocks configuration form."""
+    """Shadowsocks Client configuration form."""
 
     server = TrimmedCharField(label=_('Server'),
                               help_text=_('Server hostname or IP address'))
diff --git a/plinth/modules/shadowsocks/manifest.py b/plinth/modules/shadowsocks/manifest.py
index 33cac4e4f..52d8f00e6 100644
--- a/plinth/modules/shadowsocks/manifest.py
+++ b/plinth/modules/shadowsocks/manifest.py
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 """
-Application manifest for shadowsocks.
+Application manifest for Shadowsocks Client.
 """
 
 backup = {
diff --git a/plinth/modules/shadowsocks/privileged.py b/plinth/modules/shadowsocks/privileged.py
index 88d0509a1..4d3075654 100644
--- a/plinth/modules/shadowsocks/privileged.py
+++ b/plinth/modules/shadowsocks/privileged.py
@@ -87,7 +87,7 @@ def _merge_config(config):
 
 @privileged
 def merge_config(config: dict[str, Union[int, str]]):
-    """Configure Shadowsocks."""
+    """Configure Shadowsocks Client."""
     _merge_config(config)
 
     # Don't try_restart because initial configuration may not be valid so
diff --git a/plinth/modules/shadowsocks/tests/test_functional.py b/plinth/modules/shadowsocks/tests/test_functional.py
index 7bcdbb50b..87bcda6e0 100644
--- a/plinth/modules/shadowsocks/tests/test_functional.py
+++ b/plinth/modules/shadowsocks/tests/test_functional.py
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 """
-Functional, browser based tests for shadowsocks app.
+Functional, browser based tests for Shadowsocks Client app.
 """
 
 import pytest
diff --git a/plinth/modules/shadowsocks/urls.py b/plinth/modules/shadowsocks/urls.py
index bc776c74a..62036a54f 100644
--- a/plinth/modules/shadowsocks/urls.py
+++ b/plinth/modules/shadowsocks/urls.py
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 """
-URLs for the Shadowsocks module.
+URLs for the Shadowsocks Clients.
 """
 
 from django.urls import re_path
diff --git a/plinth/modules/shadowsocks/views.py b/plinth/modules/shadowsocks/views.py
index ad2deda1b..b0a9c955a 100644
--- a/plinth/modules/shadowsocks/views.py
+++ b/plinth/modules/shadowsocks/views.py
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
-"""FreedomBox app for configuring Shadowsocks."""
+"""FreedomBox app for configuring Shadowsocks Client."""
 
 from django.contrib import messages
 from django.utils.translation import gettext_lazy as _
@@ -11,7 +11,7 @@ from .forms import ShadowsocksForm
 
 
 class ShadowsocksAppView(views.AppView):
-    """Configuration view for Shadowsocks local socks5 proxy."""
+    """Configuration view for Shadowsocks Client and SOCKS5 proxy."""
 
     app_id = 'shadowsocks'
     form_class = ShadowsocksForm
diff --git a/plinth/modules/shadowsocksserver/__init__.py b/plinth/modules/shadowsocksserver/__init__.py
new file mode 100644
index 000000000..62a27830b
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/__init__.py
@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""FreedomBox app to configure Shadowsocks Server."""
+
+from django.urls import reverse_lazy
+from django.utils.translation import gettext_lazy as _
+
+from plinth import app as app_module
+from plinth import cfg, frontpage, menu
+from plinth.daemon import Daemon
+from plinth.modules.backups.components import BackupRestore
+from plinth.modules.firewall.components import Firewall
+from plinth.package import Packages
+from plinth.utils import format_lazy
+
+from . import manifest, privileged
+
+_description = [
+    _('Shadowsocks is a tool for securely forwarding network requests to a'
+      ' remote server. It consists of two parts: (1) a Shadowsocks server,'
+      ' and (2) a Shadowsocks client with a SOCKS5 proxy.'),
+    _('Shadowsocks can be used to bypass Internet filtering and '
+      'censorship. This requires that the Shadowsocks server is in a '
+      'location where it can freely access the Internet, without '
+      'filtering.'),
+    format_lazy(
+        _('Your {box_name} can run a Shadowsocks server, that allows '
+          'Shadowsocks clients to connect to it. Clients\' data will be '
+          'encrypted and proxied through this server.'),
+        box_name=_(cfg.box_name)),
+]
+
+
+class ShadowsocksServerApp(app_module.App):
+    """FreedomBox app for Shadowsocks Server."""
+
+    app_id = 'shadowsocksserver'
+
+    _version = 1
+
+    DAEMON = 'shadowsocks-libev-server@fbxserver'
+
+    def __init__(self):
+        """Create components for the app."""
+        super().__init__()
+
+        info = app_module.Info(
+            app_id=self.app_id, version=self._version,
+            name=_('Shadowsocks Server'), icon_filename='shadowsocks',
+            short_description=_('Help Others Bypass Censorship'),
+            description=_description, manual_page='ShadowsocksServer')
+        self.add(info)
+
+        menu_item = menu.Menu('menu-shadowsocks-server', info.name,
+                              info.short_description, info.icon_filename,
+                              'shadowsocksserver:index',
+                              parent_url_name='apps')
+        self.add(menu_item)
+
+        shortcut = frontpage.Shortcut(
+            'shortcut-shadowsocks-server', info.name,
+            short_description=info.short_description, icon=info.icon_filename,
+            description=info.description, manual_page=info.manual_page,
+            configure_url=reverse_lazy('shadowsocksserver:index'),
+            login_required=True)
+        self.add(shortcut)
+
+        packages = Packages('packages-shadowsocks-server',
+                            ['shadowsocks-libev'])
+        self.add(packages)
+
+        firewall = Firewall('firewall-shadowsocks-server', info.name,
+                            ports=['shadowsocks-server-freedombox'],
+                            is_external=True)
+        self.add(firewall)
+
+        daemon = Daemon(
+            'daemon-shadowsocks-server', self.DAEMON,
+            listen_ports=[(8388, 'tcp4'), (8388, 'tcp6'), (8388, 'udp4'),
+                          (8388, 'udp6')])
+        self.add(daemon)
+
+        backup_restore = BackupRestore('backup-restore-shadowsocks-server',
+                                       **manifest.backup)
+        self.add(backup_restore)
+
+    def setup(self, old_version):
+        """Install and configure the app."""
+        super().setup(old_version)
+        privileged.setup()
+        if not old_version:
+            self.enable()
+
+    def uninstall(self):
+        """De-configure and uninstall the app."""
+        super().uninstall()
+        privileged.uninstall()
diff --git a/plinth/modules/shadowsocksserver/data/usr/lib/firewalld/services/shadowsocks-server-freedombox.xml b/plinth/modules/shadowsocksserver/data/usr/lib/firewalld/services/shadowsocks-server-freedombox.xml
new file mode 100644
index 000000000..dcb79bb58
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/data/usr/lib/firewalld/services/shadowsocks-server-freedombox.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Shadowsocks server</short>
+  <description>Shadowsocks is a lightweight and secure SOCKS5 proxy, designed to protect your Internet traffic. Enable this service if you are running a Shadowsocks server, to provide secured tunnel service.</description>
+  <port protocol="tcp" port="8388"/>
+  <port protocol="udp" port="8388"/>
+</service>
diff --git a/plinth/modules/shadowsocksserver/data/usr/lib/systemd/system/shadowsocks-libev-server@.service.d/freedombox.conf b/plinth/modules/shadowsocksserver/data/usr/lib/systemd/system/shadowsocks-libev-server@.service.d/freedombox.conf
new file mode 100644
index 000000000..ae1330adf
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/data/usr/lib/systemd/system/shadowsocks-libev-server@.service.d/freedombox.conf
@@ -0,0 +1,3 @@
+[Service]
+StateDirectory=shadowsocks-libev/%i
+DynamicUser=yes
diff --git a/plinth/modules/shadowsocksserver/data/usr/share/freedombox/modules-enabled/shadowsocksserver b/plinth/modules/shadowsocksserver/data/usr/share/freedombox/modules-enabled/shadowsocksserver
new file mode 100644
index 000000000..dd09e3731
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/data/usr/share/freedombox/modules-enabled/shadowsocksserver
@@ -0,0 +1 @@
+plinth.modules.shadowsocksserver
diff --git a/plinth/modules/shadowsocksserver/forms.py b/plinth/modules/shadowsocksserver/forms.py
new file mode 100644
index 000000000..e4c993850
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/forms.py
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""FreedomBox app for configuring Shadowsocks Server."""
+
+from django import forms
+from django.utils.translation import gettext_lazy as _
+
+from plinth.utils import format_lazy
+
+METHODS = [('chacha20-ietf-poly1305',
+            format_lazy('chacha20-ietf-poly1305 ({})', _('Recommended'))),
+           ('aes-256-gcm', format_lazy('aes-256-gcm ({})', _('Recommended'))),
+           ('aes-192-gcm', 'aes-192-gcm'), ('aes-128-gcm', 'aes-128-gcm'),
+           ('aes-128-ctr', 'aes-128-ctr'), ('aes-192-ctr', 'aes-192-ctr'),
+           ('aes-256-ctr', 'aes-256-ctr'), ('aes-128-cfb', 'aes-128-cfb'),
+           ('aes-192-cfb', 'aes-192-cfb'), ('aes-256-cfb', 'aes-256-cfb'),
+           ('camellia-128-cfb', 'camellia-128-cfb'),
+           ('camellia-192-cfb', 'camellia-192-cfb'),
+           ('camellia-256-cfb', 'camellia-256-cfb'),
+           ('chacha20-ietf', 'chacha20-ietf')]
+
+
+class TrimmedCharField(forms.CharField):
+    """Trim the contents of a CharField."""
+
+    def clean(self, value):
+        """Clean and validate the field value."""
+        if value:
+            value = value.strip()
+
+        return super().clean(value)
+
+
+class ShadowsocksServerForm(forms.Form):
+    """Shadowsocks Server configuration form."""
+
+    password = forms.CharField(
+        label=_('Password'),
+        help_text=_('Password used to encrypt data. Clients must use the '
+                    'same password.'))
+
+    method = forms.ChoiceField(
+        label=_('Method'), choices=METHODS,
+        help_text=_('Encryption method. Clients must use the same setting.'))
diff --git a/plinth/modules/shadowsocksserver/manifest.py b/plinth/modules/shadowsocksserver/manifest.py
new file mode 100644
index 000000000..c18b96fc4
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/manifest.py
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+Application manifest for Shadowsocks Server.
+"""
+
+backup = {
+    'secrets': {
+        'files': [
+            '/var/lib/private/shadowsocks-libev/fbxserver/fbxserver.json'
+        ]
+    },
+    'services': ['shadowsocks-libev-server@fbxserver']
+}
diff --git a/plinth/modules/shadowsocksserver/privileged.py b/plinth/modules/shadowsocksserver/privileged.py
new file mode 100644
index 000000000..1e51bdccd
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/privileged.py
@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""Configure Shadowsocks Server."""
+
+import json
+import os
+import pathlib
+import random
+import string
+from typing import Union
+
+from plinth import action_utils
+from plinth.actions import privileged
+
+SHADOWSOCKS_CONFIG_SYMLINK = '/etc/shadowsocks-libev/fbxserver.json'
+SHADOWSOCKS_CONFIG_ACTUAL = \
+    '/var/lib/private/shadowsocks-libev/fbxserver/fbxserver.json'
+
+
+@privileged
+def setup():
+    """Perform initial setup steps."""
+    # Disable the default service, and use the templated service instead, so
+    # that the configuration can be customized.
+    action_utils.service_disable('shadowsocks-libev')
+
+    os.makedirs('/var/lib/private/shadowsocks-libev/fbxserver/', exist_ok=True)
+
+    if not os.path.islink(SHADOWSOCKS_CONFIG_SYMLINK):
+        os.symlink(SHADOWSOCKS_CONFIG_ACTUAL, SHADOWSOCKS_CONFIG_SYMLINK)
+
+    if not os.path.isfile(SHADOWSOCKS_CONFIG_ACTUAL):
+        password = ''.join(
+            random.choice(string.ascii_letters) for _ in range(12))
+        initial_config = {
+            'server': ['::0', '0.0.0.0'],  # As recommended in man page
+            'mode': 'tcp_and_udp',
+            'server_port': 8388,
+            'password': password,
+            'timeout': 86400,
+            'method': 'chacha20-ietf-poly1305'
+        }
+        _merge_config(initial_config)
+
+    from plinth.modules.shadowsocksserver import ShadowsocksServerApp
+    if action_utils.service_is_enabled(ShadowsocksServerApp.DAEMON):
+        action_utils.service_restart(ShadowsocksServerApp.DAEMON)
+
+
+@privileged
+def get_config() -> dict[str, Union[int, str]]:
+    """Read and print Shadowsocks Server configuration."""
+    config = open(SHADOWSOCKS_CONFIG_SYMLINK, 'r', encoding='utf-8').read()
+    return json.loads(config)
+
+
+def _merge_config(config):
+    """Write merged configuration into file."""
+    try:
+        current_config = open(SHADOWSOCKS_CONFIG_SYMLINK, 'r',
+                              encoding='utf-8').read()
+        current_config = json.loads(current_config)
+    except (OSError, json.JSONDecodeError):
+        current_config = {}
+
+    new_config = current_config
+    new_config.update(config)
+    new_config = json.dumps(new_config, indent=4, sort_keys=True)
+    open(SHADOWSOCKS_CONFIG_SYMLINK, 'w', encoding='utf-8').write(new_config)
+
+
+@privileged
+def merge_config(config: dict[str, str]):
+    """Configure Shadowsocks Server."""
+    _merge_config(config)
+
+    # Don't try_restart because initial configuration may not be valid so
+    # shadowsocks will not be running even when enabled.
+    from . import ShadowsocksServerApp
+    if action_utils.service_is_enabled(ShadowsocksServerApp.DAEMON):
+        action_utils.service_restart(ShadowsocksServerApp.DAEMON)
+
+
+@privileged
+def uninstall():
+    """Remove configuration files."""
+    for path in SHADOWSOCKS_CONFIG_SYMLINK, SHADOWSOCKS_CONFIG_ACTUAL:
+        pathlib.Path(path).unlink(missing_ok=True)
diff --git a/plinth/modules/shadowsocksserver/static/icons/shadowsocks.png b/plinth/modules/shadowsocksserver/static/icons/shadowsocks.png
new file mode 100644
index 0000000000000000000000000000000000000000..ef038ac138703a9aace2df15a7cbdae9d25aeea0
GIT binary patch
literal 16487
zcma)EWm6nox5ZrscNp9?IKkZ|xLbm|I}8xq9fG?%!QBZGB)Ge~+dIz>xK;PV^n97q
z)pfdiuf3N{go=_hDiR?Q1Ox=Ctc-*j_<Quf4+0$cSgl=?0|6nzA}b-P?)mG?4^aeX
z;p5YT1z1_uy2G-S+Ohw0Co<Ber2N_Da=~ZX``vb$WA(0i=||LZt>OM@ZiY>2qDe+a
z0d-j`G*kvuq`(%4{qr_E<BQ9|TASnLehnL$;2$BEi$BkQJOnM6jQc|nv)B+#`z2ui
z|3`#7ci0Mcm>&#|rxi#E8If?OimeDVqQAn7*`{m75n~>CA?{||86-?(ukh%<7bOQv
z;ZpXe4?1Cje*?YR%WSL&;76sP#xJ$`S9OeugQFphEg2pY6Jw!_i;ay<KuWq1VW6d^
z=3G}*b%xo&!pLY7He?#)ayVr`%wxYM8b21a*bd2|qYbLNg-WM#LaM=hULg2Npe<Gg
z(|eDM$71`pSUwF`CNMre9ycf`sJg$upFduT<Ty6+{eICXO<rCeeY4eRH?C5vHfMBd
zYQul4HwbI4RCyXYgH20>2Avw2(F#IgRvjq`_>WC3sV*-Q8zr;dd>On(MC|8B3?bKv
zWRZx42S%SNfZi=ZCKnoyMPFuea&mp6R5{lUm;^cIOk#d>Wld0<lL3(gWP&MCp;tvV
z7t0Gl(C_qgnjRb+ByYA^ydWbaT$%RKa3hxJKcli<ZCUT|D2*l+^cEg97fpN{N^w4@
zBUHvu0&*Pr85hH*&b+@q#@TFiJ|FSBokW*KhK%y}NN47BI3rCN2o~3*rPl5dkz(Nx
zD$0Gc<0~p}C)T?BVNnUSzrUY`pr-VTx4y<^vBpL;mEpTeeV-Af>KvjNB1W0QfDEFX
zq9TdBdTEjO{Rt{M0z#SH<yg&HD+(<uS<<MZru9>4(Rckzv=F#|KYui@$`+L?BPGJ6
zIdyf32$YnSS&IMo@k35bte>Ibgkec@z?#^aLR1?EDI&;S^2q11Yw-v8A)C`}vSbg6
zF9;Q+O&q%tFvk?z`ij|)7Z@U1&_o>)QRxxI>41))qXcMRdi{94O#9d+`xFuXY*#De
zmy(YWRU}8K6_e$LrO(geaZoy1ZafUez`&qn6hN#Hqa%69-JnujrzX%xO{SwWXy+zm
zQdD)TL>U?yqL)bY=ktBKss_rZ5RE6h(Q5gWt0f_TV9$|ct@rl!*4B$;la9&B$w?Ub
z0kT0MOMccdRMZvFDg}4;{7MuG-_6N~-?uwEJE!?wkLuEyaK%xRXcn@8oiP{*2?<Wh
zuMg*B$Vf=mKTd(kD6h&6KNY<;)rr)Wpc213R(_J36R78(JD;yKzln#TP14Rj*feM(
zWtu2Qs4*AIx=|sVR%qBon~lV-V_;$3N=QDyRw#BT)r1;I=*~;rk*gIeH`e2LkIpFZ
zIq!|WW(#;2qBTh5pWwL>XfYP3(}J$7u~XTa*u5Vw-eFXWZHJlNvvu_-i$c5dz)R=q
zxgY82>6e@RULT$*rDG+CU@0Hy6l;QnQg<HB%UNJdVjMYp#k*flD$}obM|yNhm9ixY
zp;cnUtm=>BsJV9mTqKscDE54ci3~0CwNZGiA2*wyA07|U1Ya7)Oc6&Vwr~62a2JAr
zw)_Yc-x5aR$O3A<PozGsM4D7he4ub2uv`<dCjSoF!=LpgjE?jhbrcv@3tzcsR_!=Q
zl<X{5KQHhy_D2q&LC`2yN$F3H&jYW%Z@d4ew^^f6sYwgI7Sp%%_i}pnUodjXf9nI%
zs3I|H^xK@x7b-NAH{2EttbmnzmVdsz4zfn<)WYNk38|Ng$s)4S(Ro%m?G7swp8xW)
zN3Y_)VR^G!!DkV5F)dU$yMk$o;ov^_e7l`~X4Y+bO8=7sKe;<(f%yvimH^~Wu?F8Q
zKP)V)O>{K0?ugB6rUY!pxK3z-QXZeqL@r1JLR63}NlwTMTs^kwAep?9QVzS@$-F@x
z!L>iF>{|@50z*lzdLRsa+H$dGy--Rvgy^<AbgxP|B3t$BTJ9fJ2%J=JdTY->yrze?
zU5C@Il#`Oul<!Tn5KIP@FV)5&#@0E~5+VavJbrVjLdLA=NGwS%r_H}JAyEKmnMBpv
zxBZb|$=wuZjjrb+W&9u2mY|S&6BfsGsVsw*cKiVzIctsX{pljv)7_l1$K=GsD>Ee}
zG-CgQ{he3hQ!q^aPu@hno66em6G;S)X_?~0;$e#tk8ybshsE^PFqC4%lBz2Gwi_$c
zUb7A1_TXii&gp(K1W+P$mwHf#`+27O1oQ9C$x3yZ@XxeshBHP^J5(c)-^0OM7c8v0
zLrOCw3OU<z;5s$Z^uj22ZPhWTh1d`Gp%NO&>$ugsp3U#(owbP}`0euCAHOC!Lv0`p
zAg5kE;uFB+)#>>Le(|U8PZn$tGX#<U{q@KNv0{cy7K=HD7<GDH4~&kE(!a&_V5V3P
zZ9jfB5XM5=dWel1P=QXV%*)$)JvurH>*LRzDBZGw$!}9{>X8}@MaDZ=EdMqVNo<6X
z!f<ciP<m?7k9cRt4R=A#fEQO#P@sWI#QkOzFAGWx8J72j>*l_rqn4?r&G9U_PGQvI
zzS<M{eQqOg!9BJu-D?p#9qrM^V>x3?!M?GWWU&s|!=n&DDpu~*TI*CV?l1FPuQwYR
zX40-RhK;2ky0|;sS9qd&*Lk{Cqd9^nXOF5)lV6<b>nl(XFJC2~2tKWx=44~5+urI6
z#)=~o?j{G{D1yCjEXGDagi6f?ML9X^X49ca$q?f6<?MLuOH8vj{qhXy{n}R7bEdbP
zPh?l?ndwNXLg_eC=a;)<H!CYE%eW^6-N@gFVn*yo!>FQTL3;?Os0;FFp~PC_k$tNU
zVvXw6#>Ur=pxkO1Ol<6V<H2wY@#$ZDjrP+yf?6pHh8~c}8=btCv(Orq@jE*^cH7(A
z{5?QwX{(G34z+9mE;gic9uaRtwf#F7ztBQMLQo+2#{Ql<VLA{UTmK5~<P%~aQ*{ZP
z#?Gy_RkrR$L7c_KP1M0=ecCD7Mf8N-NCc`MnA+pCI}7i1Y0&Ul!`aGW8bu^|24~2i
ztc=m`fcL^9W3Q~Oj#@U8)5`hOq37KlJ!8lhCz)!=@au=z<4>5s`<nL`>#yJ3cM+Wn
zH<s_iWn&59lBtv*bRd{{WgEb4Lcs9INC13;B50^^gIU?9em?o0T0ZrTgxhv0fQ>rS
zUP6sYAq&x>7TdE`m!>nO;pQ~nWgB=GNs1;4X`KX7@B`I;rRg{a3=ha#p)wt`h@e?H
zj!{~L^cm-WRXU&2C=DfNXbxw-GKoMMYZ^;7CzXlSdABF1^R+gYMKFdt2>HM9CJq)-
z@_Wk-75I&+=2j_3--Hfc;7?uDS$^s-T_47gR>UG2N%`LXbu?PUb3H{uM*a=x*kj@F
z!T4&~<kK%xO3GN?ah5M0M!Ge2Eq|f5q%>-B*GAd+B#J>o=l%<Q6{-ahH-?CZ)br_T
zJ0S3;P2g%~V*MLTLihgT^I`6z&1Uy|&r(d88nfUXq^Cf?4X!|xrOGe9?!@;x#j6u{
zef_m))}A*^;lN0egPF#C_kz~@y}Sg<U&%9xiHSzb#EhKdM(ggm^Kok-WFoHD&kR<6
zyt?C2(73XsEJ(yYQBC=JqOozmpzWxnfA?l%N<d5&6U7#i+#rS<UA*%A8rl=DJw^CY
zU)f5SqL01`*MfnYUYeGX5#c9u5_pEO-y?dd);bYI&31_X{&HIDgG$WnDAX}9%{Q@i
zxc1#J;NXW-UHI_ngd|%NU+)ny=zVd5bu39rE~2^=HI)DdXF-69%6#M}Dv@*FBqdL~
z{7^wV`ANimgtq>Oe_2U*nR=~l*E9;;3vz1-?aDGXQHZ4Y#Ar*rW}Tz~?F{ar$b>k~
zX>o|;Odvtt#m-RFvfJrDMW{9-f!M?y+}czD39Jv-l^#kCTG~U|4@M=UGoMK+X*cNG
zm0GeDn2&#cxPORRpmZgMmp3+*jP?4s2MUz3`Rk=)iTm<@SP@3*p}2dLY0qCEczrw{
zcC5Lt+SN7&cjQ|)KgV76oo?Vas_XMACza`;TSIHDw$aH)TV-4H1`8Snrn>DVCtSw)
z=bKB>jbLF=)GcD1RifuWQzKSdFM#`1L9gc;$_m_ANCn}oUA5L<PI<n>Ny+ix4tF2i
zmJ&+vU?-40-=x0g&l97~p90PolISobW+tx&TdN14+4A-+D+ey$yL;9~VXDi^f3XDu
zm+TWwf-u+|j-0c#PWwZVdjJK-YLv0Bdp94HHJbHD7SsLUXZ{O_8s2oQ58ZrW{4}*h
z2j(Cb?aY6lgG^!=N-M^pp+-~&%d_l|$<tyGN!*#3UQTP;WX>ACh6QJyV0G&7SB2zR
z{2&<8O}6-u_S9+8Ds+Qt_!FSqm@0#y;irswhy}CIj$!o-eEG0gLd$aT`iu#v;p*9G
zT;GVOni^<eqXsNyn+7Da0ZxQVKkJyAYd6IW($dqz`wsnpBT_0LeRw=s3@upz11I&p
z^=7wU5(OotPrU#W-xIl~L2XTbF-K5Alzmb;9gZEms!o_;5xlA?RdrP|aX9$IDYta@
zDsLSWdcvw(Fmn4n()RL%)?n;rq^ADPF$!swR#MQa1~Lw%g6;x$YW&Cb=hJTSKJ*iz
zX&l@5=`97;d<FJ8>k13xKM1IY2V>EfB$068k>|{_#DK|l2-b=)4-K<FM5_w~YyE8H
zmrCF`$%<>_Wn?_#6>x+8NiI^igjZ4_<iHD>Vsv<1b|-zpJ)f8vwI6ZN{DNXcy&@wz
zhqfjSuc#JHJH;Z}y%fw1drZ{iRfruZox?dU?7<DRaV6_k4E_0&d!x=|U>#@?J%`|v
zvW<i&Mh&0C*a-#)^hTn^L#D6-wMOV<R*|L!Im!2Vorpe)$A0$Zi(Xh!nn?4Ij#1xX
z?oc}$iL9}c_NS+(o+L!HNW~sYjs3Xrb}`UQtq|-bxVq^Y8ymZ{Lw2E+++9I1-0M22
ziCY-asTJy@UFB<y6GZgw0#s`y{+&uPGRP689VlX<`Uhukt!m21$Ry3r&qw544j59)
zwabBIg4tXz)}9UB2Xa8wD!%K{UY^)esL}T_?AAEzfy0l3Sr=hJ8dR`R(4ogFEaOV%
zQ575X<YFab6*UI=iJQg{wt9NXRly;+nal-EecypSO|Y-iKcXw-02R8SH9CzyJS8MT
z?DZ=zW0|2Gd>pNRsOJ4-g<1Gk-2E5F^zHpXhb>^<IW3X$(U&Hfja6z=0Cw1|`Aep~
z`W|-)<cQ|$MaSh!kPyvI6Lxt8jOs3_pwGiR>U!h-pmNFiwv{^JhzgZdx~&<CE!Q~n
zg2-jcA2A=>*a`ybrQy12>LwYrMQSQ4<A4MbpgcxZ_#8c*Mgma187Z63<%hytiQ-5j
z(YILE+WvAyUYG?g#*@PJ=<Fcan9H8cx37PcbuYM`foQlzRyZ!Qtu>}scGdpxFG)Gx
zC*|7lMjJ<y&Y7W8m=eaZwf8gP=<DP5e>#$>Q{?QV8+kP)s`I2<I`!$#IC$PG^<5U*
zv+%Lu5k&X+5mnHf3ktcX-*8nxI223kM(brW55qef;PH$^AHeCVIaJ_nfKQ(=naPzk
zXs^K6UBKX0v0SznQ+bO}kHs~i>2#1Nj2gkfCCkyhu8b5pH}stNZc?wkN^Biv3>Ez1
z<=DP#ob~GSm~rB4Ys+NKc`I_7c&ffNLx3n2P`|hFUyXl-frqaY)R}3H;?GB<HRj<H
z@$qZ89k=0S0z%Qab&_q6HUBBx6CtLPF-wIRSgy#J9A5fXr?@zR038ONK1gAlXJ(Ee
z>#|dToX(`b($jfUYs(Pfw-MMy<`cx#-FyAmP<_?c%<&i88(65<l6cdn0fTVDYmij%
zErL_pBN#{AfooH>j0=u3k?N8|iQcH-e!!8g!-NFGZ66Jp1B(IWB0FWzcrk(Cj5esK
z7xRMJRK*;CNU=;DEhlM*8uHITt`KE9z#_;lj#|dml~WGDAoy#i><dgEvaBGSR;{66
z&U@Ks#w^rmhb0X)f3%z|xpQMAL$OTsU&Ca4rkRgkQ^cktabhGGw`IW_m{rmi(WWi{
zn4rJ_&$OgMmNP)&x6G0pUKnXaF*|fwZ`aEW16o1z`*F^xO0*ny(9}~2=73hXXwX9#
z(DFufY7eKV{15WRlcOIPfYPyDI@;G-?DVkdEwKwDhx|WhSa>N#=hrHKOlG2*^Vsqw
z><k`TL!5aLQ}9gSZ+&H#YVKM;tw_c|+baz&`Rb(VP`RP@65dnU3bKo*mMN5q`58!z
z?sW1>F$I7rmfkwd4cNeu#5ahLQo9JXwK!2JG_EB3`9tsOLND;D*HOo`=~mHHg;+SN
z{0aRo5z1&e5m}a8Ko0xm%Yx7mOM_lLs;OR4A{P*t_W*_&0i|3aKc1s^3wMLRs-Ut>
z?6bMjxGA4|pAUC<WepeOFO&K@xEkz`(SrbLj?s!_2Q28I`nX@WBO-O$RcozKU%vg#
zL#csk846;Su9%ROm8FwJ3uKb434$)CodQTS2p1F<I{eibcfHg^gLX*fp9a8a&?n=5
zh@c?xeUO)BVmA+c7Z@BCwckN%kxT`GhmL{0AyyIpHUZAmT1prb=#U^)RaL>I82G4%
zHaR&><RxN_Fps%euOUXRlIj4AV2a=+GFKT@Tblhy6Qwj%I{@AaDN`MDL)o`dwC+Fk
zaR@6@PoUo&lqp?*B_AxbHEZ<CDWx}tZ0YD36I`bWjgleJ==LCf_u|lemg&d(Zf;x)
zX|uiPrTfnLk&=&eC;8+(t$a_*W-S!qo{<binH3J=nt`<wI7%}xsAD$GGQa*SO|}iB
zKr8JLs4yjm7WaNQEB{uDhI8(A#pxd{w<$nTM-%Ff@|zUemyUhM{;~D?{nOnK>6$&5
zoT9Zweu{RP?2sen%)K(9h2dvb5kkwDrkm-)em9sbpi0unqm=~{2pAw0XhDU)$4%qE
z)(?BF-tZsd2mTe5m1|g<MO*QV?N(sRMThEbgnqCG16xc4(z1EPWm#3vQG*Z>kS=0<
z@u64u%CwooTEJudx~P3mP^|iZAxLFd_Bt*+9AVu<$eG1_RdC0n8RoK0!xl+XSLQ-@
zY&czFblZyvdhB{HGN6AnYgo+p%s4IQl{bO3ptmB$wgOS3k`861glI)+3brd!<F~y5
zHf_3JEJ4hC(!LrZsP5~{DCOke-wImE$v6YYvtngV*XRbEaZ^bD%$B?}@Wao(jBG{V
zd<K4m;A8nHxI909L3#iY(&ME!(FUy$^v1*XV%fp2Qne_0_XLAL6eY^J8{XUfp}aHA
z>)B<*DL}DW!!Flc`-7N#YjkMSBg#!(xp1jyS;JeoYT+haTw8y<ObPB#3#rb%RGU0_
z`HRoKXHN}J@v+3!14Y#K@(J(=Y%NX$--imL`nT4o=i-dxQmyh|8D}hcEebM1SiOX<
zXA*w6#<BdCnON*_!r!Z@^W4^bLK!sfAvrE_%iCKt9xCHib40Nf7H^{@lJb}VCxB@l
zkBL?RT_x^;^mkzpPwTT6^^M@a3C!S~$@^Nd@q8|TY9)6k|Ak$eSC!}4$P@ewjO0qO
zro8t2PA=#x9PXunGo_XJf)VtbyMc94qrX`Y{t-Xu*Y#t9ye&X{&q4yaSxzU;u)ID5
z+srQz-!fXb-jv@wTZn;qn&2~4UQqKZ$2^)ED8-r@Y4}~}E49p13jqPa^59>WB}P$8
zI0s8dM@L$B@fzV3AdU>Ojp-3j!-JHzN-Gt+ZxDVslWFucWg>KGxP^2#%zEbL**}|$
z=}qKR5v5$yq*`82wTYe8AK-1X^+liJK1%_%=5l`EtcoH9sZN~i^vxy(M?J`5I1UXX
zpga;ph}K_DbEbD4SaI<SHO%pj6`v{@Khy~6*4#rv23_)Liz=mN0e>r^%02KA(N%G3
zTe6B4!3=2``86YVKoXqPUZbDN@N_T{F5x$5S^uJ9r+GnP2MCkMrBcDW<-0p<VC9fp
z7p&Gs&59qk;6yh*!4AOw$R-N1YvRIEHEOa{ef_U>fEu-HuWHyOQLSeJSCRXrlp~9W
zZ~od?t0ghy^3hHby3x1nra)X<FLceKfJ&AT3?H+pRxi@F2O)Y<)m&W)7m-w8rs9Pl
zYGKH0CWqC4n<!0~fme7e{;`;sS6g0>XM|t#9hY{S&HV}X>Lt-anE?O#uFIf^#>r&v
zVQ<UX<PFk|`OLTbv+!m6TkY%7cy9pIoES{p-J>InFA*~XLw~Kx_P}8DhFr%MKQ??s
zT-@T2h&koxZ~JgXM@XSQ;QB8E_NIH8bh+@qbZaIfVXLZ+^kjzmuPE%pU)&4}+RP4R
zF$b|kUZIn)Lm`llgyF{n2-Srzt&EAzNl0p09*_PO@?_XT3b-^>aC&lW)^tY7F%+DP
z|IBCxWwLTrP0CQPUp&Z~0^_mcYJHa&G~SoD8}s#Ub4V*kgqno0t@6#6XN0Yp2IKKb
zAMS4^L6)LTbGZiMkQ&dgKttMaL7e!}-tX8IQ5@fXwh%(j@xPV~=82fS6*AwBWxY0B
z{H1XthL+`txwbTTz&q181v0z~H+>gy8S8==!a8pG0CqzP$dW62dQ|5ymB}e4sh1De
z)D+9tTP_A{^%Pk?@7=syOnS@B4$O(*$b*1K0?34ux08RBo17(55S+LE_-ic;FazxF
zr{lv#siaDM{BrQadBWLqoS&q(I;w}cERkJ?JCCnlunk!P`*)z2uaWws{<^i{k=Ev*
zElHKSJAQbEA%KOC;yK}&x5pF{sp_!9`AYS90NKAEFmG{WGAI()&8F$1XE9Y2&vwjg
zPB3F;T*QK!Igd5@KEHn*7}7s37RYe%9geSj06dNA!c?Z1Z|zz+cqITrX_930Zs;hN
z)MWcu_pA(ssxx625!b@m@4@&8oWmB?eyN?+w{9<j@7cGsEb&y~Jb`fh)k(cx)tuXX
zAI)5c{#T36oMaQUb^ssQd_6OqmsE?emxRH*B_9q{Lv4X?i9k($A+Nn@w5)wDXW+ve
zxR_L7p89%pPkkVTAvhn;7K2{yPdh4EG~mB5kXNXE82jEnMJy3Iym4q{;>~YmwfLzm
z(#OyLbt7AI#cp_4MF52oIHX+@T{#CI{`_4IvRg`cC!rW^b2&s>X|gJ0DfB<QTg32M
zS|=0Fsn;yr!<iqpJhK=S>HN6W*QO=dz0u1+CqM}&K!~IIbESDtb(V65uIMb|Mu{_o
z7D`bG7wMXF`|O=g-ii9(sdp=jOx>(zP&xFs$11{!^<nh)=4Mg``z3~kucS@$7`Pa{
zXo_+bz9bX21~M%C$#3k`ki=QGXjESv=)IcJ^wLwOJL<oqbA@B66Rq&1tr|74Gm<Gk
zfC~}|poN2)llnm|OzTwv!@V`Urg^76Npjz=^;PpL6?FFNU{DI`&U6qung&hymRuSM
z38I9-Kcg@M;i`Mb*15P&H7OCbKibc%e5JAxlq!f&D=-I}FXWu%=kEvs?B%p_0OSKB
zL~DPFX^X5|OkXM{W7djaQA4Mm?qoKeh1lO07;aE2I=B;-@IBnSR~@L~U{?rh-)|hO
z4D%RL@``^V%dIT^$)EOFFdH)6Eblt8$l8~n;X5E#GYww5)Sp=<27O2#nwa$Se4$=l
zvd`p~h$j(nKkIt_QH^YYGKVpQfuA%WRg-+P|8J1HVerbs6xh9X59{0Z>au`rPQ~ST
z@KBRPUfyNVqo#-PFpIud#~t1~IFP<+vfp)+m^$?PFIc|Vi39Xa>8~=##$V-KRS?&N
zX#}8n!P!Nh0NDYS(E)Y)eox0o{3PtrKabBg`5`}WKFb~%Yy!JVAFRzw_SiW1d=Y$!
zP?3=bRB`H!9mEzfi|Xp?v;&-IW26R}px?(On%Ma@(7|Pe__O20Xz*e*(G&p_Mye|@
zbw8u^#Yv*sdrAPO8FKk!6plPFCj6WGRf6cM6F@oGp^%!ITGHGZ);v+2LGr9z=wNDB
zBR<keVt@IMJ#q7_C{C|T&ko8}4QfZPK?tz{k(=Auno#7QFBw<*H@7N*R+J}1+B44Y
z>BFHp6~!Jbq2an4kJ|N1Sv`29davokz$WeR{F-?qU0nRx)zORl#Moy0S^jknFY<K>
z8W~LAWwW?`B*dL?n1m(w-QgJ1ht&{_pzSHQE}Z*Ds6x$i);08L?61_aasHD#CZ2x~
z!mAH|b?w^Oj%|oVUoYnEc_W%d+ZcS)!GV=!4|sbOl176eJgVqqyE4`|S-J;3Mrzg8
zorBgEaH9;^?R^j^7-+?_&*hw)uK%{XomQlJ+pcRb87&x-W1(QDl<_JdMIvu^3{)EL
z=cmlNNe#w^Jf&XGQ1!pEDErjeUUEDcpTg@_iFogV{yFHWe9DMqK`$^G!N>u|kqmb6
zJnzS4n6G2+!mBF-$_+c|{04I$L_IPRVrfO4w`!>v^vCE^fojA%(a_B`XL3@vFgk|~
z<fms)+I2RN2{i0%$0f3Z@g!SG4tj$<0se~4`*J7n)bMzR#xXZO4&CU9E3{sf?I}>G
zuEsaDFtKYtuNvO_Mn;Jz2gH^tP03G-RDq+CN?bPo6e=aO&B9E{&ko1-aBj#x8o%c~
z5aAU~CyyCW@As|7;(Q;l$=ZZjx}!m{Tp)u36i@+me1Wsk!%qsP4n^4tT0Kt;45;$L
z60zJo6$Y4V(g-`1BF@RkYH{cX9b~x1bL;f3H=ze+UJ-Ol+&a9OVWD+tz>3V2%*@P<
zdNVLtNI37F-K#^AED)a-rRVayFLhUsT9zX(Mj<(f9Z|`!%38$C_ky)n9>X~*bOj$|
z$ZP@vg}0XRdUAeXIH)h$7acO@E`5W|t))}N33kZBA91-OeyGrHO8$IUb$EW<4CrZ3
zSiIFoGtk!b0km_0-VQ#FN0lY2b>O!{m=HslzI7=7Y$1&lqvRvix$j9F5G&QJhf$3n
z|3sp?f8E`<)!|Aoy`(?D!qfNm8S<jufZgPNJX>}_BCZn#JbX|^sSzg5R#jEmQl5^r
zACA1{)fLtCW8v>pHQb(TAyLHSFdj!ldQ+z|GNg^NOuWw6xgL?aNAf8kN))X9HA9jR
z5NiExAVX6mkrnJ+N~I*<h9CK2!tQv8spiY}V35l-u0!R^FOeD!I-5$-@5Fr(fIUrv
z5P-eBf)mU$iZLu=N#fR1tJJK{H^*J5asiHrfdw2sLfJH14AU^;sK`h)c$3I-B52qY
zKoLb9!MScpgrV~hRRn_fkfw?jN2SCu@$*n<o$aQxcDn~(lMMjg%$^Vx+6+ryD)m`U
zD6sfd(=vx46hHG$g<-TgQTkPI2XAkbX<Y4~s!L;dAXayP=sCiG=)}zOa5`5QO*e3+
z<`RqI>|KdJ@JHC%==AjFfc+7ThLmGPc)J$bEq9`Qcc>TRgpk_0dz9ol4T5g3-1-Q`
zQHw>+WGdmEosq)NFs-jhV`2aL_HBmH)}T<!W+%zj%#Js3PMZ7r%hYkZFLc{-@%IW>
zVq8z!bENpaYnyBt-!BvL;y~f;Z&;Tp+BdU560)+QgkhkAj}n@*fZ%>mJ3c6FZf?%Q
z<7EDrygk99a$u`CxG7fY2soN452I6!hF8(~OY*y`#4urMYB8sms!)_K%8y@>dwrL|
zO-Xw>?<j2HWyW+G!)xY7nh=T5=P?S@b`q!lNF1uI{v>BnJmu#ytv!c=Q|q*>5SK|B
zK8IhmII4<^c=~>i&Cjd9&7!w#o^FX?ws#3fTxdll)2R_+2>`R#P5Mv99wg`aNb64B
zvJ1+Xq5gbrG*n+70Im}6uju@xF@ewfF)jIMaZcLK>R)3EARo_Lf}EX47@0Ef8%Sg~
zWLn2f0o<G}ut6pi*r_x5vK^4*@{H?5zc~{pZ_sH_6#<tiEQ9N;i|$PH&SOd()D3~C
zQZri0+BJI8Cw%D&Dn^6KWO-ChI#eX03-Z6@OkNr-rZ1|Edb;`3-9CT31F0YJ1e8mK
z>*1a;DY7++0$E%O=EYJ_KxHxr?``vFniP$~2Fi;;6t2n8QL=@~LJdj`e+OHo6Qils
zitV76HNo9xS2dZ~bqwb4!OR)T0$c*_Ju`IS=Z946pGKX;rewG>O@DOC)`jmz&@Ga<
zOPZpWT@4*8Xosfs#cy%KA2Jq*Aa@zL*j*UabDIZ-b`tXxnRgYz3Pn)f^0B&%cJg+j
z)3Vq!<>+ikA`<O>l@x7RqAUf{Km%w3Hqj)m*ecudXt_#&d`fwiJ4$k*I57fJbK(p=
z8X+=p5zFYB(HS_aT;Q|l{fF_x54K?8RU{Y>e?I10ZCy18YfpsNw20DD;$2rxE;1JN
z8q+45vx1jW^HGO&m^W>62G?u3AO9rrXvB}nxukrk0DtV|`&!M^H_A*Fc+1m$TMaKG
zCfK3U?UBOMHW#Z!+;p37De@Dlm|JZ@(<1tQpYkmV0?k?u@r~0z=|LJVH6HR`X+<@w
zb(>MmU!hT5!}$C7<pAbngnU{#J{N6w4IJmUf*2B);vTH5BWEm}!=nDck}u&<jf(N#
zh{si(5nQu6tE!V0NZbuy+#p>I<JE))A?yq(h_dmT&M6ve?K5yiv$SfhAn#Xfy_%+7
zWh`+nx9lEJi3PHlH*G{8xGPSeaSxtlCh|5%^k7$wVUmWT?7-}ETi7TQ;V4?0CkB||
zVhyBf^WGVZI6oUssKzq5p*#-NPONh_@VD&k<b*l5LC39D8AzN$h6Htgg2Zq|$&ou^
zQfS)E%92&ma41tE*yh>`RE65+B;XzD9e}xI>Du$D5?uN}$ObG9_Q8x==&V!%zB;H?
zV@OPetJ3yxDtmPa^*!s}ZO0X<byzZKtI3#%jW9!~J3m39E;fqo7B?yf_{O0OS4na7
z2x}lH(kyx8{O{QozuA+bv*n)oiQT1Zo^jeJ-d(Om_-Hci<3wG$j$6hT!k1{R*#^&F
zQO>${EALK(_x5(CPMQE$N{$%AM7Y6<R@pWa(MQ>W*GZR%?TJrn^KHh?Vr^g?$t%@B
z)5wqFz4jE@0YNlZDc|Gx#%<=uxD_|YbM6cWskekjXi)X5d=7`v&{~Xx*iHTYjl4v|
z$R1vT5I*t=vV15W;#`+1o~OqZ(Mdz1AqYc9;a24F!mDgAE9C1hf~KGfoy2-2iKP~9
zyOlB$0x1ASnxSWJ#N3LH)$+%TD8#yQi6NtL3B_-PxJKP+``;kL%)i_A(HGp+<z=4Z
zbmTmT7lDc+zx#aj@I>@XThVR5K)^L0qn{JLXs(RqBrPE-O}NH8ARGMa1{0GG$vO{E
zQjRAYhK3tx@pkAPuX(qQQbVTa@w0n-<_4vkkdrU6L4=P->7a9?(zyh$=4e&avM!M>
zMcisj_sGzCqjbA7{s(=9zpDyNK9<>KgP2AB%(>@=Fdi&kfZ+fy_|C>>%BAG4$@<c5
zIGG1&C-TKinCA0a(7#o8cwAc-Xx__(I2a&2>^bRBNZ1$G5i^iTs*s|rmA<ZSI|nDH
z`g!)v@Wu005*9ngVQ=}j7R}W+wD#+3iqaoCej7{wva#BBCv<S+W1l7x{3VCChMg7r
zx4fg%P-00Scz7<+f_E|VTEYZC)MT<jd|4Zb9q{rAE+^e^%$EupUkHe1qGYU-5We^b
zm$0NIC;y5F4{y!>V;U)dHXE1-(@YvC3ozfKX3EIOuvsRtci`EGnBzyTKnUKjRKGWa
zhMw!kU%;iIsF8!O<Ct+f{Ebgb4oWaoLiH?G)9m1=C(|X1KB^Ub!|H7KK*fK%#`nAl
z)45Vyapv9kj8iQQyf8S2HNG;Pk^O#Z&<WW+SzKD`08CPgr$)dWAYTop$cwxe1HmTz
z-UtQzB{oF0q(bL|@4gVIs5rMrmU_S_Amf(hRACo}jly(F1g-YfZGQ>9ekNKJXZ@&$
z;^Z$TmA0egcJG}RH=iH;<r2^v+qr(F_=2<~qh8lod`MkB3;a5M+@XPid-j4dWyn|C
zr4T+&ubUwDn$4f`4_RdQZ7Md&?KH>lVc82Fjd+y05l?iY>n1!>GH#%NhV_SqMGq+!
zR^fqT?Zh%fEtbZ_d);-GT{U-8S+&-U4MT@2KYBV{)?w3rWp)QPj+|QUIK7vIL3@;S
z;nBgpHBiuFZj^?NiW}12{%^Jdyt<nBYvA#xcuzX8Tthu^7ER3?N4|sd?R99*)+@G5
zvv39FTiWN-ZXB6jv-LfH#w7HzkEDP!p8~)_oe8PJT6PzO9xef?$}#CmN`tqn3(%|E
zQ(?@-iW05q?1U?>5m_60p`XY>Jt;kpq_y5>ivrK2Uo~t>^1EJl`aCJ14bZ*Z0hI$}
zSn7o}+bT|8+ztyC=35_uO^}*f6=h|!Jy!eoyT5U-mwPx7x*jYQV8^4nFwI{$rW1!(
zd=RStwN9E1Om2UEem3H^nl1XW{**LQBm-NAF$b_?;q~_C$8ftK$<+Lu+TsJ?;=|GN
z_4IqIMb@T_{^Z}4jHg2B`13C-h315VR&`0;|N9R|V!~%ZV}uNDx4g%_j#Z(b#qd4f
zI_Af{taaCde=s3;!m#T*3afZivBU7W9Q^r^iXjw4XxI~hUf;gM#MNjPJ+gtFrlg{x
zl5jto5mo#eS&0WNjG3t4ZMY+emuIY9Wrurcd~c13^D1h!B+EXKXBPZ0Qz`3_zT!kN
z_|Fb?@q-~)m?c{+?zi`MFhk*`V}9>1x^)Km-hH>U=0fZ0K5^euBkpKiEq9(8r}hbL
zQENC;W5HelZMnPvp-_`*;ZjeCb$socJK}o3*<>}Bw&{C|S^}Ae--V(?c!;f0EI=B^
zV#M$6Pzl!RS&-4tVoL<_m~So(3{xo{dXJqVdQYlr+%7OpKI#I*fB(!@Uxk+Eqc4NA
z`*h){;%~=om^!>Fh2CJUUg3JXkFKeWAU_DXfhitSF|9>WT^nU$F=G8mo~x{~-acPh
za*!QV4|AOw<)KN|b*>8b%kooDm?BvwxVT>OGYbMVQh*2=pm<CtuwyH^QLTtMfkGzH
z)MEJZo{HgCpTM)h)w`{Ck}=WTwaPRKQ4T_FIo9E}<$k4isTG5*VG?jWbGtWbps!ic
z=F3MEK6%^F#bhAjMt-_J35AVim80s2|Bu*E`7A9Z-sc0|%J037ZmcWI_soL2+NiBW
za;EsI(XG7Vt{SNTwP@sIq4KlQbO=ddS7a=R#SkoL6^L{U7Kn)p0~ip9Ut+MGV9x9;
zT)JBG!-R-G2wffKb(X144fZ)LWsn=~h!Pl9l`m)>#-;Z6pi~AV<_+}rge=GR(#r3*
z&j{f_FYxLEWX1CSviU2Ul9Qko1b*6(6IbJ@Z7X~kbQBaNXdUk@<5rnO2CO0mLnfpb
zF3USyppAS4=@V=R^ar3x+IAWG<J%p7-8{M&%zdM|=IwZ4zJoJzwr<muc4{C50&ouE
zJ74~Hqod8vIJZqqmV3#)g9RZrNZVYzD7PLQ(EyZe)6dwXbi;xr&h`)9yt@(Ai=eL#
zxz&fUAiIc1eQH`-R!BZwrB^>*VlEyKBLXPz92QaStM}cJ`5jH2z@MXQpy$e055K=Z
zB!8r|S4}l8_eY*U6RT<`vK8MA<D~ySr94(2wz|ti71?~l<#sb#8R>5gW&Zc-RAUZk
zt$}uK=At*5|Fh%+1WD%xucdNg<KUcwDf1J;_+XIjNEySx0!$x_)YvE3N4N9YAaG|n
z4=d$TRqGDmYL>RwEzsE2L=IG{P#L?CItf#8F2r7Pb>_ksMg7s&+7nq5AP?~cs=(k~
z4}Zt01r-5qn{0URhN=$LM9)-oWkm~E`HhM1*L!yrS`7`tfknR0`Rs0-aQFRa0%cEw
zz~s?$JclEs!`_S5-;Rhr??@wm4I|GR{#2N=WR13&k0o!@G-rlMgj8y%FEXTaBZlWj
zwb<6ijeb|msSuSykL@3iclu5E`1>c9&CV)I+J`?ucJQl!sI#-P`#8Y|{1Oo}Lo77<
zNZn}pdB%`R1hF8hzD_*zn|&=qukQ&r8f1t|T2DbrbL#JFtjG{-;;!YVDQ6hXDguK?
z^aQflcZOZ<ZrvrjQJMB}4?*+rzg8%bWUX?2*SR;k>$F!{dyCH-Tf$|gWosuDj=xr3
zB?li~2)2;a^mvVd{Sd;?&&APpH7FJMk6YVlAfOMm)8qN?&4Z%iV!x3Kw&r(FSqX0?
zv-`Zzf<H3#Xn=bRN9a2HC9U6`v_s^U-KoAsdH2GYB42V+3Vix>o4jHGz1XSvZ{Fv`
z6klraRzC+;VOLRFNN{}~&Ytc67D%=Mlc1^LHL876fp^6q1u0qQX60O=sOj8A>HZ&&
z*^tdPZC6;c8&G)q=FdPn<$nyN6A)Rq?)?XA*(VLXC-1XJGiSIEQ;zW2f2#@C<|QX8
zWNj^2!88To6U2N9qmdqX$SqEXZ^5zs!ZejFkhTg|s3h~;!ksN;RDHIsLBRMSZ4+~@
zlTeGp$*f1X4rn+p(zCCV@KuQLk)zme7)X3a+$t@Qja4V6D4zX!^PXP20<(}%jjWWs
zA`q#>-jtcbxsnXYDuhl{=&21c-i>=;Ah4|;`65y8CH&R#vc6ivC8AcsF96-V76&((
zltrr+P!nFX3RPY9eYM4I2&_t1EOdI^+Pj(^!kus9V=#H8DS^;A13IEoCtz<H=*ooE
z4?^;;#5C(aoNf(p9uR&#-<~?&ojIvUOKPDQX1-D}oR*#U5ni^7ozghA>9o6mwwDY}
zF3oC~b*rJ-{+PMA5G-}Fe)VtMsFqi+lni)X-TW8)1~shY)ATJ_ek{l_3`TTji(Hc!
zwQL70miqsv4ep*P(Q&h*4y?XZi@Qs~PTa+HG6`>$G!w0M$`ZM__tx?Wxa}EFBO_sG
z=um6JGcHh+bwIDyecuTb>Pw*Qg0MDL(VI3BXM20UU|Qn#TsZm9koJ4c85ypCeX&9=
zJO3=G0|C^FBu|+eXd2h~b~ABVco=jM*uLKxG~H2;v>`DxjhuvI;ozxf2xz)jdtE@4
zpvCXe*QslP?1(e<B^oxd#U40idx)bAvI}n3z^TPKDV+Z{jz)W;1(VMTdGfdaI$Wve
z^W(LL7F?;!J#4jVQ9DPwsNcv^ge#YOx|!Xe0i1S|5ICH&QhteEgZR5G2m_d5%qj8H
zbAuwrS-mZNreFy@x9k03HGSM)lwRZH)C7HvUKF71WX?;dn*LSOb=B^7_4wG>bHuup
z!XK4#Pd&eivMY8p)r<;ufa*+~>cpM+;q|FgfiB6WRdoqsCWCmb>;jRyp^$Kyq!y2V
z4+Gx&bG1vIzLBMmvD4krU(|0U3OcA9>~+lb6)BsTFrwd7R1#&pce6b<o`p^l&y=2q
zEl&p!V>BTVvS({^<&@>wH04-~7|CaMNoES>$La1O7iIm;Yz8uC7uyZTwhf<s0|yyo
zcEUmGV{Plcx%H@5ghTriX<uZso&kF@eD}J1T!3GNS1_VS@(9!s*dpN9|8RNH(C3`_
zAE~G>hiy%Y_PrPWkqiz!wR&^G2w{a3l#5Vhi$TPTIypMSBcX<O8Bx$Q=_&-WEoD)4
zXP3n^>DgNdDWe?PZ_jGa*15@v-~~da)!z=nc(}Ok&b@(<)^KKyBFy0qD_H-CKXGbO
z(!A=dr$p61XCm@yl1ic8ZVv<&-v652Upp9`qFC4!NgJOb)n!_%MFi8L!tfYYx~uTM
z8SUtok?AV`_WyW$ZZ!109#ZG<!QJyGeM&6e)o&xop+bQ5!%J~ks@pdGZNEO{ezv4~
z9u#hfOeHI~!CijYQY%(voP%1Ytc3uoSb!G(3cYyEgQ)w!L>-h0M0lYOq*3iOVfKM|
z`XfxeXGyZG|J(ohX8%(7ZbqC}g0|v-PLR!fOSAA-7_B-JZq?t|_Pw?UEZPspx2J1t
zcUtUb&jDWnlA)F<a(qjsMxHK4kJ4uRHcgyW@tIg05oI*i?_RAW$;6%3F&SHfbR$Bf
zV3)AK%rORLb|?>m*f-TH_}w_xh?p2ZqAu*SSVCD}F2S4vOz2EwGkb=&%(QVpPztuU
znZ5v-<KoT3rJG-$g-sN(L}jngN>d!Xca>#L%E&0>mSDbON|cHkg>1R9+&KsY`m|YV
zb+T}mR*?2ON?Xn}Ib{S$uJfv&ZO!#YC%3-mIFMV7LBI5^;e%ApBdF07@nODa<>i*+
zii}<B><}|L@9pmwx7e?HbC2r69gwRItZiQ+w?l2zi30c^h3Twr^nTkbQkpg^J37|!
zdtwpVT`T%L#VYo9_rUBfW{j3ezbcc3{z47_33(v7s@epp*6;1&7tCM<eYAg|$i+So
z^Rb=!fUmF-Y&i|()4U7jQE$E}+snIps4k%_$fH7}DRu&zAhW==`{RA3+2;3mkFO_;
zi4ybEb(9g769xB+6^;dSf9^u+5(z6TP2!vu;;u*;C`Q6DC`muxA2*c)6;OO<=mgg?
z<<tni+67;!2s5HK;CCfwW_o)c&EzZJ`pI1V^cQ$Bs3bZSRG;yzE()sP336kQx##Nj
zTJrw+R0WSt`u3F^zTL^{Qsj4WodA?Wxi*tJ4)Pw6nv}#DSAo5ql7fOQcpnTF9>W}R
z6RP2QAKqN)+9Q?N(1}vp5x6vpo4)^wjMk+h+?Sw72C=Y>CQ9Ytxk1X5;G6Hhh>NPd
zg~`Oi>4WXZXa$;+O3KR9@XH5zvjg8Llhk3m?=Je=Rosx_2c^gyTs1ZS-PYIFQ$A%|
zT)qLir#Fta85#ihSRX#-RY*S|vgL}aW@IrbaVC_VY|a4bbC;@>_eX7KGx^Z|B@nVf
ziNSDCT`YWbzUPSA%Tz`46H`<EIqwe$Lysdo{ZRr!caAvp63nJGOyl3qGa@yK_E+ta
z5TK@!jeNew?k+q@Z~sdt*F441Vo8L)t@Ir}*xI%u3JFV5gp&IOQ&{mf<++;{;{~57
z<+&q3h5hozn|&}S>Z1NPz}VOU0nX*D`3>ty;c6K_!3?adlF>P#S>=gdk!J;mu`U6>
zR@q|e)4+@&p`i(FqyfR!D%^DfH(g%@zBDDdq4%wGG{2#0{NBplb~{jg9UIcnE5^^3
zBUI$DsTOZ1lbvlakQ!zP`SHi5{bUu+ZRGQOq7ViAbV>wgB7U)glS7-}G#eT?8&%O9
zCL1eT4KIVf_q$(Qu5&PZn7@m|;_DZ`_UaZrf>m6AE#bzU<0a8zEOvDC^u;Z@XVu91
z>=%=uoQgEWgFhLK@J(pSoKxE=z&ydLdo65-q%FpBC2-_`2!mZvkcGvbH=wsXaqg-=
zHV#1*t-V$=#ZO*>^Vh=W+4x0g?z6uS*9DBr?kB7ws!&H*n>)DjKbwPB)3G0g+0`(7
zi#ycfg9`9O0t;y*<f?4_vEa0dKDm4<6M-;zW`zg8(NztEJwgq*LK{7Q{DOumd>u<U
zo-p`k?mrwC=^eGg>NQtujCu?~n`i0#ZVdi3#MH1-qX|GuhZ(0|>l?@A3|AUBQLu`R
z<}n^j)Qnm+f0&t>Cyy2?7ZvmKz2SWp;m(caRxwmu_o0Xdb5F13v=IHp08Q^g1TRnt
zq}kOi+r9Rzomc%mxnK{cA~4|iI9e?pNGGULeWPQl@-&hZALN$OJps;k^;!89OW3cr
zoNs)*zbb#>2P{;_Ju<r`t$e?VKKDBN>9HY93SaRJ-6M-ZF(y7Uv%S@*$KNQ}HhgZ|
zt0;}I)x=Z9qo0fl0iEAH@Zz@H2wd+!<kMKrk5_-!P6bMHQVzd{ERoM*7f0AEuuwv;
z#hO|ky>MTBOm^=3d$ue>&wfSc95nJiE<Pml+zN67uHrSJ^Q91KyihgrY`rQE5!yx-
zfN4RI*v?%}PCmZpmhFKsWv&KA0Dh44>z?_wmGZ)JZIHQ$05s)}l*pr<oZR>gIEhsa
zm4Q#kB`5M4F1$iSdP;LD_e3eGt&+kBW8RF62!it+1kcjC-A_AF=&naICS}#ZT37{4
zKncF@m_vXg?tl=083@%B$VQ=5G^{m|%KVCDZY8S0Km{jYpRy@~iu<7iV33^|2tA>|
zge{h9<uLl3<k>v)n-+ZhFW-k{Bd-RD2|Ho$(f;!tp)0~JsHiL)9~KrC{)*9b5aAQG
z$uIyf!;7>3J(CzAfEEGvJU^UDR2H*Jfhdqkqdz=mHefuN{u2eA$8nyKSL`gQ7OgfE
zmDb&-XEP!!=wii$*?T~cWJD~?yV~wTOIO!BQzj}DEYE$q#}~sY;^dP`sh4VtuQ`kb
zm9fC&=LK68tc04I?9#|&hC6gW(>Q^#@Ef8k;R-)uBD5?>ZT~mugjvIzE1?)Rv9Lgt
zBQh##`t51}ed40?R*6_6J2uJ(uIVcSl~i*)AyWmBD4+@>u1G|KQ9q-$^iLRzLA$HD
zn3$NUt7}tzty<sM&KCxq*k2QF4wHf*XsXp3YMfDZ&pGjd74xwq0{@gVIT6F6ilGw<
z$zumaSaGOf?^!e%)uq9vm&<}#7~~atI@x}aMpdy*ufuG6urw_Xj;Y$2ey5cjyP1gC
zq$<COA}cqcBfvx?P|>AoIr_fnC}-*WDRZ@#q+AdqD*dI1w4Ct|hkUd(IhVG&7Dz=!
zR!oDH3RVu2bI+!JuH&M;^0_chh`${i+o1%f7;FRPgCXUxInR#gwbq7@QYFQSsA02L
zg29=Tx$^SzO~KngU+Dh}IyuU(ql!=>kg#RS#aI_B5#+aHg@7<&&oPs!I5Cwq>e#+V
zvZus@Nu;}UUZ<V9*49?TX6t2PZxXrWfx#K+exT0Gk+AR7LXa#f9U_0?aGVrZB2>go
z!XE*SEz$$|@87?_xA;EaD1tLG&itcPc_F;Df4+?cg_4N1tY8KglmJ3tZ3<Ozn6xt}
zL>-ITRoXx1l!ZwoY*YNfp~54z1QR2Ic+Rxs`gRYOpTaAAwDMC&|F|gAcFu!06wO`e
zIq25x%Z*_u=%>KV0?8U!g^vyRxXslQNkzaPH4|Vn_;z3wSUVgKl2oKZ0G-zbQ6WMo
z!WLTND>jzSQXiF<=2-iHJ8IPMh=^ldRsA8ngxuT!HUR;F-Hyxd)d#Q#?FVRWYdHbg
zf$kgk&E(@%rRtu@ygEqbN-(Po>1QbB&j(4womA)z@6&1)Xn3?UViJ<|R6t2(^*pX}
zAz1Zot*dhsrq9UYw&NEGkD)*&;^C?~K7_7uoJhu=Z@J1U67$F}!3u#-p-X17oxvCr
z7c`c^B<w2XRx}3ZNKce<zP3$*!(0MfRApdi^Z*<xVUs(a6B~R*SsC5q+w-jj0Bm{|
zssrcSs-mM&P`3VFjGv8Ul?~=~J=M^Mx-B%kE_$ZJu*3NnMI&IrWLp26Fv;^8VS+nE
zY~76&DClrKp1rB<`9K0Y&7>8;kxdfv7;Sxh{RW54?ke48>y-2Lj>kRl9Hso%?vMXc
zZ+UXw3Fhh+J$*DnU+x4<I!rx$XO~!nXqqZWWp<u}_vb;RNrd`CeW2N64!8b`o7Mxe
z{M(_d<p>8=pW6&ph<}bA%r~_q*d*YC_}0O)*g`c#@cZ)l5jnEyL*wB`qk{*xwg+_d
z=34;!(CDqX%|-|$RF?syFi3Tv0QHTvZv8fb@RN?KP8A-M^EFmKtwM&U_eow}DzT4B
z6vtQ&@HmhvxJ&nE_!2f9=9)?0sYg*QoegZp*|IUa&1BpD_J4)*pFSZWAU;1|8ovS7
Uw;|=he;@!ME2$(=BW4WxA7O8|tpET3

literal 0
HcmV?d00001

diff --git a/plinth/modules/shadowsocksserver/static/icons/shadowsocks.svg b/plinth/modules/shadowsocksserver/static/icons/shadowsocks.svg
new file mode 100644
index 000000000..8a94454f4
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/static/icons/shadowsocks.svg
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="512"
+   height="512"
+   viewBox="0 0 384 384"
+   class="mozwebext"
+   version="1.1"
+   id="svg74980"
+   sodipodi:docname="shadowsocks.svg"
+   inkscape:version="0.92.4 (5da689c313, 2019-01-14)">
+  <metadata
+     id="metadata74986">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs74984" />
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="1756"
+     inkscape:window-height="1255"
+     id="namedview74982"
+     showgrid="false"
+     units="px"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     fit-margin-bottom="0"
+     inkscape:zoom="1.0858896"
+     inkscape:cx="90"
+     inkscape:cy="84.666667"
+     inkscape:window-x="1287"
+     inkscape:window-y="397"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="svg74980" />
+  <path
+     d="M 384,9.0045385 314.28744,301.79727 c 0,0 -107.47352,-30.49924 -146.68683,-43.57034 L 295.40696,102.53555 118.22088,242.5416 0,203.61876 Z M 168.47201,291.63086 l 44.73223,14.52345 -46.18457,68.84115 z"
+     id="path74978"
+     inkscape:connector-curvature="0"
+     style="fill:#1a7dc0;stroke-width:2.90468979" />
+</svg>
diff --git a/plinth/modules/shadowsocksserver/tests/__init__.py b/plinth/modules/shadowsocksserver/tests/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/plinth/modules/shadowsocksserver/tests/test_functional.py b/plinth/modules/shadowsocksserver/tests/test_functional.py
new file mode 100644
index 000000000..c270bc163
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/tests/test_functional.py
@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+Functional, browser based tests for Shadowsocks Server app.
+"""
+
+import pytest
+
+from plinth.tests import functional
+
+pytestmark = [pytest.mark.apps, pytest.mark.shadowsocksserver]
+
+
+class TestShadowsocksServerApp(functional.BaseAppTests):
+    app_name = 'shadowsocksserver'
+    has_service = True
+    has_web = False
+
+    @pytest.fixture(scope='class', autouse=True)
+    def fixture_setup(self, session_browser):
+        """Setup the app."""
+        functional.login(session_browser)
+        functional.install(session_browser, 'shadowsocksserver')
+        _configure(session_browser, 'fakepassword')
+
+    @pytest.mark.backups
+    def test_backup_restore(self, session_browser):
+        """Test backup and restore of configuration."""
+        _configure(session_browser, 'beforebackup123')
+        functional.backup_create(session_browser, 'shadowsocksserver',
+                                 'test_shadowsocksserver')
+
+        _configure(session_browser, 'afterbackup123')
+        functional.backup_restore(session_browser, 'shadowsocksserver',
+                                  'test_shadowsocksserver')
+
+        assert functional.service_is_running(session_browser,
+                                             'shadowsocksserver')
+        assert _get_configuration(session_browser) == 'beforebackup123'
+
+
+def _configure(browser, password):
+    """Configure Shadowsocks Server with given details."""
+    functional.visit(browser, '/plinth/apps/shadowsocksserver/')
+    browser.find_by_id('id_password').fill(password)
+    functional.submit(browser, form_class='form-configuration')
+
+
+def _get_configuration(browser):
+    """Return the password currently configured in Shadowsocks Server."""
+    functional.visit(browser, '/plinth/apps/shadowsocksserver/')
+    password = browser.find_by_id('id_password').value
+    return password
diff --git a/plinth/modules/shadowsocksserver/urls.py b/plinth/modules/shadowsocksserver/urls.py
new file mode 100644
index 000000000..68da326f4
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/urls.py
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+URLs for the Shadowsocks Server module.
+"""
+
+from django.urls import re_path
+
+from .views import ShadowsocksServerAppView
+
+urlpatterns = [
+    re_path(r'^apps/shadowsocksserver/$', ShadowsocksServerAppView.as_view(),
+            name='index'),
+]
diff --git a/plinth/modules/shadowsocksserver/views.py b/plinth/modules/shadowsocksserver/views.py
new file mode 100644
index 000000000..7265eaa8b
--- /dev/null
+++ b/plinth/modules/shadowsocksserver/views.py
@@ -0,0 +1,54 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""FreedomBox app for configuring Shadowsocks Server."""
+
+import random
+import string
+
+from django.contrib import messages
+from django.utils.translation import gettext_lazy as _
+
+from plinth import views
+
+from . import privileged
+from .forms import ShadowsocksServerForm
+
+
+class ShadowsocksServerAppView(views.AppView):
+    """Configuration view for Shadowsocks Server."""
+
+    app_id = 'shadowsocksserver'
+    form_class = ShadowsocksServerForm
+
+    def get_initial(self, *args, **kwargs):
+        """Get initial values for form."""
+        status = super().get_initial()
+        try:
+            status.update(privileged.get_config())
+        except Exception:
+            # If we cannot read the configuration for some reason, generate a
+            # new random password.
+            password = ''.join(
+                random.choice(string.ascii_letters) for _ in range(12))
+            status.update({
+                'password': password,
+                'method': 'chacha20-ietf-poly1305',
+            })
+
+        return status
+
+    def form_valid(self, form):
+        """Configure Shadowsocks Server."""
+        old_status = form.initial
+        new_status = form.cleaned_data
+
+        if old_status['password'] != new_status['password'] or \
+           old_status['method'] != new_status['method']:
+            new_config = {
+                'password': new_status['password'],
+                'method': new_status['method'],
+            }
+
+            privileged.merge_config(new_config)
+            messages.success(self.request, _('Configuration updated'))
+
+        return super().form_valid(form)
diff --git a/pyproject.toml b/pyproject.toml
index 0af5e8616..fb28b3f97 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -57,6 +57,7 @@ markers = [
     "security",
     "shaarli",
     "shadowsocks",
+    "shadowsocksserver",
     "sharing",
     "snapshot",
     "ssh",