From 71a04844314480d68eba89c8406d73fc00c278b3 Mon Sep 17 00:00:00 2001
From: Petra Vankova <petravankova.pv@gmail.com>
Date: Tue, 11 Feb 2025 10:22:53 +0100
Subject: [PATCH] cloudflare

---
 apps/docs/content/elasticsearch/overview.mdx  |   2 +-
 apps/docs/content/features/access.mdx         |   9 +-
 apps/docs/content/features/dns.mdx            | 176 ++++++++++++++++++
 apps/docs/content/features/pricing.mdx        |   4 +-
 apps/docs/content/help/faq.mdx                |  11 ++
 apps/docs/sidebars.js                         |  17 +-
 apps/docs/static/img/screenshots/add_user.png | Bin 0 -> 8394 bytes
 7 files changed, 208 insertions(+), 11 deletions(-)
 create mode 100644 apps/docs/content/features/dns.mdx
 create mode 100644 apps/docs/static/img/screenshots/add_user.png

diff --git a/apps/docs/content/elasticsearch/overview.mdx b/apps/docs/content/elasticsearch/overview.mdx
index f39cfd9f..0b504f4f 100644
--- a/apps/docs/content/elasticsearch/overview.mdx
+++ b/apps/docs/content/elasticsearch/overview.mdx
@@ -2,7 +2,7 @@
 title: Elasticsearch
 ---
 
-Zerops provides Elasticsearch as a service, supporting both standalone and high-availability deployments.
+Deploy [Elasticsearch] instances in Zerops with flexible scaling options, from standalone to highly available clusters.
 
 ## Connection
 
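Review bot: The replacement sentence on the `+` line writes `[Elasticsearch]` as a bare bracketed reference with no URL and no link definition visible in this hunk, so it will render as literal brackets unless a definition exists elsewhere in the file. Either give it the intended target or drop the brackets. The change is also unrelated to the commit subject `cloudflare` and would be easier to review on its own.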
diff --git a/apps/docs/content/features/access.mdx b/apps/docs/content/features/access.mdx
index 6dc2aa6e..0b53d980 100644
--- a/apps/docs/content/features/access.mdx
+++ b/apps/docs/content/features/access.mdx
@@ -144,12 +144,9 @@ All settings can be modified later as your needs change.
 
 ### DNS Configuration
 
-After setting up domain access in Zerops, update your DNS records with your domain registrar:
+After setting up domain access in Zerops, you'll need to configure your DNS records with your domain registrar.
 
-1. Add an A record pointing to your project's public IPv4 address
-2. Add an AAAA record pointing to your project's public IPv6 address
-
-Your application will become accessible through your domain after DNS propagation (depends on your TTL settings).
+For detailed instructions on DNS configuration, including specific implementation details for Cloudflare, please refer to the [DNS and Proxy Setup](/features/dns) guide.
 
 ### HTTPS Configuration
 
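Review bot: The link text in the added line, `DNS and Proxy Setup`, does not match the new page's title (`DNS and Proxy Configuration Guide` in dns.mdx) or its sidebar label (`DNS & Proxy Setup` in sidebars.js); pick one name and use it in all three places. Since the A/AAAA steps are removed here, it would also help to keep a one-line summary of which records are needed, so this section still says something useful when read without following the link.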
@@ -186,7 +183,7 @@ For applications requiring direct port access or non-HTTP protocols, Zerops prov
 
 ### Port Configuration
 
-1. Navigate to service detail page in Zerops GUI, select **Public access & internal ports** and click **Setup first access through IPv6** or activate **Unique IPv4**
+1. Navigate to service detail page in Zerops GUI, select **Public access & internal ports** and click **Setup first access through IPv6** or activate **Unique IPv4 add-on**
 2. Configure your port settings:
    - Choose any port from 10-65435 (except 80 and 443)
    - Select destination service and internal port
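Review bot: Step 1 now reads **Unique IPv4 add-on**, while the pricing.mdx hunks in this same patch rename `Unique IPv4` to `Dedicated IPv4`, and the new dns.mdx uses "dedicated" throughout. If the bold text quotes the GUI label literally, say so; otherwise use `Dedicated IPv4 add-on` here so the docs use one term for the add-on.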
diff --git a/apps/docs/content/features/dns.mdx b/apps/docs/content/features/dns.mdx
new file mode 100644
index 00000000..d5471153
--- /dev/null
+++ b/apps/docs/content/features/dns.mdx
@@ -0,0 +1,176 @@
+---
+title: DNS and Proxy Configuration Guide
+desc: A comprehensive guide for configuring DNS records and proxy settings with Zerops applications, including shared and dedicated IPv4 setups, security measures, and troubleshooting tips.
+---
+
+This guide will show you how to configure DNS records and proxy settings to work with your Zerops applications, with specific implementation details for Cloudflare.
+
+## DNS Configuration
+
+DNS records for Zerops services can be configured in two main ways:
+* **With Proxy**: Routes traffic through proxy services, providing additional security and performance features
+* **Without Proxy (DNS Only)**: Direct connection to your Zerops service's IP address
+
+DNS allows you to set two records based on IP address type:
+* **A** record for **IPv4** - Zerops offers either a free **shared** IPv4 or a paid **dedicated** IPv4
+* **AAAA** record for **IPv6** - Zerops provides a free **dedicated** IPv6
+
+### With Proxy
+
+#### IPv6 only
+```bash
+Type    Name      Content                Proxy status   TTL
+AAAA    <name>    <your-project-ipv6>    Proxied        Auto
+```
+
+:::note
+Make sure your proxy service supports IPv4 to IPv6 translation for this configuration to work for **both IPv4 and IPv6** users.
+
+Do not add a proxied A record with shared IPv4 - doing so would prevent the proxy from properly routing IPv4 traffic to your service.
+:::
+
+#### Dedicated IPv4
+```bash
+Type    Name      Content                Proxy status   TTL
+A       <name>    <your-dedicated-ipv4>  Proxied        Auto
+# Optional
+AAAA    <name>    <your-project-ipv6>    Proxied        Auto
+```
+
+:::tip
+Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
+:::
+
+#### Shared IPv4 *(valid but NOT recommended)*
+```bash
+Type    Name      Content                Proxy status  TTL
+AAAA    <name>    <your-project-ipv6>    DNS only      Auto
+A       <name>    <zerops-shared-ipv4>   Proxied       Auto
+```
+
+:::tip Why not?
+It does not make sense to expose your IPv6 address while proxying the shared IPv4. Use [IPv6 only](#ipv6-only) setup instead.
+:::
+
+### Without Proxy
+
+#### Shared IPv4
+```bash
+Type    Name      Content                Proxy status   TTL
+AAAA    <name>    <your-project-ipv6>    DNS only       Auto
+A       <name>    <zerops-shared-ipv4>   DNS only       Auto
+```
+
+:::note Both A + AAAA Required
+Adding AAAA record is essential for shared IPv4 configuration as it serves as a [security measure](#understand-shared-ipv4) to prevent unauthorized domain claims.
+:::
+
+#### Dedicated IPv4
+```bash
+Type    Name      Content                Proxy status   TTL
+A       <name>    <your-dedicated-ipv4>  DNS only       Auto
+# Optional
+AAAA    <name>    <your-project-ipv6>    DNS only       Auto
+```
+
+:::tip
+Adding also AAAA record can be beneficial as visitors with IPv6 support will connect directly via IPv6.
+:::
+
+#### IPv6 only
+```bash
+Type    Name      Content                Proxy status   TTL
+AAAA    <name>    <your-project-ipv6>    DNS only       Auto
+```
+
+:::note
+This configuration will only work for users with IPv6 connectivity, which may limit your service accessibility.
+:::
+
+### Understanding Shared IPv4 Addresses {#understand-shared-ipv4}
+
+Shared IPv4 allows multiple Zerops projects to use the same IPv4 address while maintaining separate routing for each project. Here's how it works:
+
+1. When a visitor makes a request, it first arrives at the shared IPv4 address
+2. The system looks at the domain name in the request (using SNI - Server Name Indication)
+3. For security, it checks if this domain properly resolves to your project's IPv6 address
+4. Only if IPv6 address matches your project will the traffic be routed correctly
+
+This is why configuring both A (IPv4) and AAAA (IPv6) records is crucial when using shared IPv4 addresses - the IPv6 record acts as a security key that helps prevent unauthorized use of the shared IPv4 address.
+
+### Best Practices
+
+#### Security
+- Enable proxy protection for DDoS mitigation when available
+- Review firewall rules regularly
+
+#### Performance
+- Enable Auto Minify and Brotli Compression
+- Configure appropriate cache rules
+- Monitor analytics and metrics
+- Review bandwidth usage patterns
+
+## General Troubleshooting Guide
+
+### Common Issues
+
+1. **DNS Resolution Issues**
+   - Confirm correct record configuration
+   - Verify proxy status settings
+   - Check IPv6 address accuracy
+   - Allow time for DNS propagation (typically 5-10 minutes)
+   - Verify DNS resolver settings
+
+2. **Connection Problems**
+   - Test both IPv4 and IPv6 connectivity
+   - Verify firewall rules
+   - Check proxy server status if applicable
+   - Confirm port configurations
+
+### Validation Steps
+
+Test your configuration:
+```bash
+# Check DNS resolution
+dig AAAA yourdomain.com
+
+# Verify connectivity
+curl -vI https://yourdomain.com
+
+# Test IPv4 access
+curl -4 -v https://yourdomain.com
+
+# Test IPv6 access
+curl -6 -v https://yourdomain.com
+```
+
+## Cloudflare Configuration
+
+### SSL/TLS Mode
+Set encryption mode to `Full (strict)` or `Full`
+   - Ensures end-to-end encryption
+   - *Full* mode requires any SSL certificate (even if self-signed/expired), while *Full (strict)* requires a valid certificate
+
+### Certificate Management
+1. Enable Edge Certificates to allow Cloudflare to manage SSL/TLS certificates
+2. During initial setup, handle HTTPS settings in one of two ways:
+   - **Option A (Simple but Limited)**:
+     - Disable `Always Use HTTPS`
+     - *This approach will interfere with automatic certificate renewal*
+   - **Option B (Recommended for Production)**:
+     - Keep `Always Use HTTPS` enabled
+     - Create and enable a Configuration Rule, which disables Automatic HTTPS Rewrites for this specific path:
+       ```
+       Field: URI Path
+       Operator: starts with
+       Value: /.well-known/acme-challenge/
+       ```
+       This rule disables Automatic HTTPS Rewrites for the certificate validation path.
+
+### Cloudflare Troubleshooting
+
+#### SSL Certificate Problems
+   - Verify `Always Use HTTPS` is disabled
+   - If you encounter **too many redirects** or similar SSL errors:
+       - Double-check that SSL/TLS encryption mode is set to *Full* or *Full (strict)*, not *Flexible*
+       - SSL mode might show incorrectly for newly added domains, try refreshing the page if settings appear incorrect
\ No newline at end of file
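Review bot: Under `### SSL/TLS Mode`, `Full (strict)` and `Full` are offered as equivalent and both are described as ensuring end-to-end encryption, yet the next bullet states that *Full* accepts a self-signed or expired certificate, so in that mode the origin certificate is not required to be valid. Recommend `Full (strict)` as the default and present `Full` only as a fallback, with that limitation stated next to it. Two further points in the Cloudflare part: `#### SSL Certificate Problems` tells the reader to verify `Always Use HTTPS` is disabled, which contradicts Option B (marked recommended for production) that keeps it enabled, and the warning under Option A that the approach will interfere with certificate renewal needs a sentence saying what actually breaks and why. The sentence about the Configuration Rule is also repeated before and after the fenced rule, the DNS record tables are fenced as `bash` although they are not shell, and the file ends without a trailing newline.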
diff --git a/apps/docs/content/features/pricing.mdx b/apps/docs/content/features/pricing.mdx
index 29118f71..8bc8f90f 100644
--- a/apps/docs/content/features/pricing.mdx
+++ b/apps/docs/content/features/pricing.mdx
@@ -16,7 +16,7 @@ A Zerops project represents a private network where services can communicate int
 - Host multiple small websites within a single project
 - Create separate projects for different environments (production, development, local) of a larger application
 
-The total cost of deploying an application includes your project's **core package cost** + the **cost of the resources** of the services inside a project **(+ extra costs like Unique IPv4, Extra Egress, Object Storage, Backup Space, Build Time, etc)**.
+The total cost of deploying an application includes your project's **core package cost** + the **cost of the resources** of the services inside a project **(+ extra costs like Dedicated IPv4, Extra Egress, Object Storage, Backup Space, Build Time, etc)**.
 
 ## Project Plans
 
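Review bot: The rename from `Unique IPv4` to `Dedicated IPv4` in this file is not mentioned anywhere in the commit message, whose subject is just `cloudflare` with no body. Add a line to the message describing the terminology change, or move the rename into its own commit so it can be found later in the history.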
@@ -177,7 +177,7 @@ The following costs may apply if you opt for additional features:
   </thead>
   <tbody>
     <tr>
-      <td className="w-fit whitespace-nowrap"><strong>Unique IPv4 address</strong></td>
+      <td className="w-fit whitespace-nowrap"><strong>Dedicated IPv4 address</strong></td>
       <td className="w-fit"><strong>$3.00</strong> / 30 days</td>
     </tr>
     <tr>
diff --git a/apps/docs/content/help/faq.mdx b/apps/docs/content/help/faq.mdx
index 0d859da8..b671da13 100644
--- a/apps/docs/content/help/faq.mdx
+++ b/apps/docs/content/help/faq.mdx
@@ -5,6 +5,7 @@ description: Get quick answers to your related questions about Zerops from frequ
 
 import Accordion from '/src/components/Accordion';
 import { FAQ, FAQItem } from '/src/components/Faq';
+import Image from '/src/components/Image';
 
 Get quick answers to your related questions about Zerops from frequently asked questions we get asked.
 
@@ -18,6 +19,16 @@ Get quick answers to your related questions about Zerops from frequently asked q
     It's free to get started, and no credit card is required! However, we
     recommend visiting our <a href="https://zerops.io/#pricing">pricing page</a> to explore the options that best suit your needs.
   </FAQItem>
+  <FAQItem question="How do I change my email?">
+    Navigate to the main menu in the Zerop GUI (with your icon) and add a new user with the selected email to your team.
+    <p align="center">
+        <Image
+        lightImage="/img/screenshots/add_user.png"
+        darkImage="/img/screenshots/add_user.png"
+        alt="Runtime Secret Variables"
+        />
+    </p>
+  </FAQItem>
   <FAQItem question="I have more questions. Where can I reach out to get help?">
     You can reach us on our <a href="https://docs.zerops.io/discord" target="_blank">Discord server</a> for support. For additional contact options, please visit our <a href="http://localhost:3001/help/contacts">contacts page</a>.
   </FAQItem>
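Review bot: The new `How do I change my email?` answer stops at adding a new user with the other address; it does not say what to do with the original user, so a reader following it ends up with two users on the team. State whether the old user should be removed, and at what point. In the same item, `Zerop GUI` should be `Zerops GUI`, and `alt="Runtime Secret Variables"` does not describe `add_user.png`; use alt text that matches the screenshot. The unchanged contacts link in the last context item points at `http://localhost:3001/help/contacts`, which is worth fixing while this file is being touched.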
diff --git a/apps/docs/sidebars.js b/apps/docs/sidebars.js
index 148135cb..ab62c5b8 100644
--- a/apps/docs/sidebars.js
+++ b/apps/docs/sidebars.js
@@ -96,13 +96,26 @@ module.exports = {
       className: 'homepage-sidebar-item',
     },
     {
-      type: 'doc',
-      id: 'features/access',
+      type: 'category',
+      link: {
+        type: 'doc',
+        id: 'features/access',
+      },
       label: 'Custom Domains & IP Access',
       customProps: {
         sidebar_icon: 'globe-europe',
       },
       className: 'homepage-sidebar-item',
+      items: [
+        {
+          type: 'doc',
+          id: 'features/dns',
+          label: 'DNS & Proxy Setup',
+          customProps: {
+            exclude_from_doc_list: false,
+          },
+        },
+      ],
     },
     {
       type: 'doc',
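Review bot: In the new `items` entry, `exclude_from_doc_list: false` is set explicitly although no other entry visible in this hunk sets that prop; if `false` is the default, drop the `customProps` block, and if it is not, add a short comment saying why this item needs it.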
diff --git a/apps/docs/static/img/screenshots/add_user.png b/apps/docs/static/img/screenshots/add_user.png
new file mode 100644
index 0000000000000000000000000000000000000000..4e60670a54e9b86e6fb20e45e4633eec9c0ad14e
GIT binary patch
literal 8394

literal 0
HcmV?d00001

