minifirewall: tail template follows symlinks

Note : Files in that folder require the ".options" prefix
Fixes a2f73bb7df

CHANGELOG.md

@@ -4,58 +4,369 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 This project does not follow semantic versioning.
-The **major** part of the version is aligned with the stable version of Debian.
-The **minor** part changes with big changes (probably incompatible).
-The **patch** part changes incrementally at each release.
+The **major** part of the version is the year
+The **minor** part changes is the month
+The **patch** part changes is incremented if multiple releases happen the same month
 
 ## [Unreleased]
 
 ### Added
 
-* certbot: detect HAProxy cert directory
-* haproxy: add deny_ips file to reject connections
-* haproxy: add some comments to default config
-* haproxy: enable stats frontend with access lists
-* haproxy: preconfigure SSL with defaults
-* lxc-php: Install php-sqlite by default
-* lxc-php: Don't disable putenv() by default in PHP settings
-* mysql: activate binary logs by specifying log_bin path
-* mysql: specify a custom server_id
-* mysql: option to define as read only
-* nginx: make default vhost configurable
-* packweb-apache: Install zip & unzip by default
-* php: Install php-sqlite by default
-* php: Don't disable putenv() by default in PHP settings
-
 ### Changed
 
-* lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
-* packweb-apache: Don't turn on mod-evasive emails by default
-* haproxy: deport SSL tuning to Mozilla SSL generator
-* haproxy: chroot and socket path are configurable
-* haproxy: adapt backports installed package list to distibution
-* haproxy: split stats variables
-* haproxy: rotate logs with date extension and immediate compression
-* nginx: read server-status values before changing the config
-* redis: create sudoers file if missing
-* redis: new syntax for match filter
-* redis: raise an error is port 6379 is used in "instance" mode
-* evoacme: upstream release 20.06.1
-* evoacme: read values from environment before defaults file
-* certbot: install certbot dependencies non-interactively for jessie
+* minifirewall: tail template follows symlinks
 
 ### Fixed
 
-* certbot: restore compatibility with old Nginx
-* lxc-php: Install opensmtpd as intended
-* mongodb: fix logrotate patterm on Debian buster
-* evobackup-client: fixed the ssh connection test
-* varnish: fix start command when multiple addresses are present
-
 ### Removed
 
 ### Security
 
+## [22.03] 2022-03-02
+
+### Added
+
+* apt: apt_hold_packages: broadcast message with wall, if present
+* evolinux-base: option to bypass raid-related tasks
+* Explicit permissions for systemd overrides
+* generate-ldif: Add support for php-fpm in containers
+* kvm-host: add missing default value
+* lxc-php: preliminary support for PHP 8.1 container
+* openvpn: now check that openvpn has been restarted since last certificates renewal
+* redis: always install check_redis_instances
+* redis: check_redis_instances tolerates absence of instances
+
+### Changed
+
+* elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
+* evolinux-users: check permissions for /etc/sudoers.d
+* evolinux-users: optimize sudo configuration
+* lxc: Fail if /var is nosuid
+* openvpn: make it compatible with OpenBSD and add some improvements
+
+
+
+## [22.01.3] 2022-01-31
+
+### Changed
+
+* rbenv: install Ruby 3.1.0 by default
+* evolinux-base: backup-server-state: add "force" mode
+
+### Fixed
+
+* evolinux-base: backup-server-state: fix systemctl invocation
+* varnish: update munin plugin to work with recent varnish versions
+
+## [22.01.2] 2022-01-27
+
+### Changed
+
+* evolinux-base: many improvements for backup-server-state script
+* remount-usr: use findmnt to find if usr is a readonly partition
+
+## [22.01] 2022-01-25
+
+### Added
+
+* Support for Debian 11 « Bullseye » (with possible remaining blind spots)
+* apache: new variable for MPM mode (+ updated default config accordingly)
+* apache: prevent accessing Git or "env" related files
+* certbot: add script for manual deploy hooks execution
+* docker-host: install additional dependencies
+* dovecot: switch to TLS 1.2+ and external DH params
+* etc-git: centralize cron jobs in dedicated crontab
+* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
+* evolinux-base: add script backup-server-state
+* evolinux-base: configure top and htop to display the swap column
+* evolinux-base: install molly-guard by default
+* generate-ldif: detect RAID controller
+* generate-ldif: detect mdadm
+* listupgrade: crontab is configurable
+* logstash: logging to syslog is configurable (default: True)
+* mongodb: create munin plugins directory if missing
+* munin: systemd override to unprotect home directory
+* mysql: add evomariabackup 21.11
+* mysql: improve Bullseye compatibility
+* mysql: script "mysql_connections" to display a compact list of connections
+* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
+* nagios-nrpe + evolinux-users: new check for ipmi
+* nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
+* nagios-nrpe + evolinux-users: new checks for bkctld
+* nagios-nrpe: new check influxdb
+* openvpn: new role (beta)
+* redis: instance service for Debian 11
+* squid: add *.o.lencr.org to default whitelist
+
+### Changed
+
+* Change version pattern
+* Install python 2 or 3 libraries according to running python version
+* Remove embedded GPG keys only if legacy keyring is present
+* apt: remove workaround for Evolix public repositories with Debian 11
+* apt: upgrade packages after all the configuration is done
+* apt: use the new security repository for Bullseye
+* certbot: silence letsencrypt deprecation warnings
+* elasticsearch: elastic_stack_version = 7.x
+* evoacme: exclude renewal-hooks directory from cron
+* evoadmin-web: simpler PHP packages lists
+* evocheck: upstream release 21.10.4
+* evolinux-base: alert5 comes after the network
+* evolinux-base: force Debian version to buster for Evolix repository (temporary)
+* evolinux-base: install freeipmi by default on dedicated hw
+* evolinux-base: logs are rotated with dateext by default
+* evolinux-base: split dpkg logrotate configuration
+* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
+* evomaintenance: extract a config.yml tasks file
+* evomaintenance: upstream release 22.01
+* filebeat/metricbeat: elastic_stack_version = 7.x
+* kibana: elastic_stack_version = 7.x
+* listupgrade: old-kernel-removal version 21.10
+* listupgrade: upstream release 21.06.3
+* logstash: elastic_stack_version = 7.x
+* mongodb: Allow to specify a mongodb version for buster & bullseye
+* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
+* mongodb: Support version 5.0 (for buster)
+* mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
+* nodejs: default to version 16 LTS
+* php: enforce Debian version with assert instead of fail
+* squid: improve default whitelist (more specific patterns)
+* squid: must be started in foreground mode for systemd
+* squid: remove obsolete variable on Squid 4
+
+### Fixed
+
+* evolinux-base: fix alert5.service dependency syntax
+* certbot: sync_remote excludes itself
+* lxc-php: fix config for opensmtpd on bullseye containers
+* mysql : Create a default ~root/.my.cnf for compatibility reasons
+* nginx : fix variable name and debug to actually use nginx-light
+* packweb-apache : Support php 8.0
+* nagios-nrpe: Fix check_nfsserver for buster and bullseye
+
+### Removed
+
+* evocheck: package install is not supported anymore
+* logstash: no more dependency on Java
+* php: remove php-gettext for 7.4
+
+## [10.6.0] 2021-06-28
+
+### Added
+
+* Add Elastic GPG key to kibana, filebeat, logstash, metricbeat roles
+* apache: new variable for mpm mode (+ updated default config accordingly)
+* evolinux-base: add default motd template
+* kvm-host: add migrate-vm script
+* mysql: variable to disable myadd script overwrite (default: True)
+* nodejs: update apt cache before installing the package
+* squid: add Yarn apt repository in default whitelist
+
+### Changed
+
+* Update Galaxy metadata (company, platforms and galaxy_tags)
+* Use 'loop' syntax instead of 'with_first_found/with_items/with_dict/with_nested/with_list'
+* Use Ansible syntax used in Ansible 2.8+
+* apt: store keys in /etc/apt/trusted.gpg.d in ascii format
+* certbot: sync_remote.sh is configurable
+* evolinux-base: copy GPG key instead of using apt-key
+* evomaintenance: upstream release 0.6.4
+* kvm-host: replace the "kvm-tools" package with scripts deployed by Ansible
+* listupgrade: upstream release 21.06.2
+* nodejs: change GPG key name
+* ntpd: Add leapfile configuration setting to ntpd on debian 10+
+* packweb-apache: install phpMyAdmin from buster-backports
+* spamassassin: change dependency on evomaintenance
+* squid: remove obsolete variable on Squid 4
+
+### Fixed
+
+* add default (useless) value for file lookup (first_found)
+* fix pipefail option for shell invocations
+* elasticsearch: inline YAML formatting of seed_hosts and initial_master_nodes
+* evolinux-base: fix motd lookup path
+* ldap: fix edge cases where passwords were not set/get properly
+* listupgrade: fix wget error + shellcheck cleanup
+
+### Removed
+
+* elasticsearch: recent versiond don't depend on external JRE
+
+## [10.5.1] 2021-04-13
+
+### Added
+
+* haproxy: dedicated internal address/binding (without SSL)
+
+### Changed
+
+* etc-git: commit in /usr/share/scripts when there's an active repository
+
+## [10.5.0] 2021-04-01
+
+### Added
+
+* apache: new variables for logrotate + server-status
+* filebeat: package can be upgraded to latest (default: False)
+* haproxy: possible admin access with login/pass
+* lxc-php: Add PHP 7.4 support
+* metricbeat: package can be upgraded to latest (default: False)
+* metricbeat: new variables to configure SSL mode
+* nagios-nrpe: new script check_phpfpm_multi
+* nginx: add access to server status on default VHost
+* postfix: add smtpd_relay_restrictions in configuration
+
+### Changed
+
+* apache: rotate logs daily instead of weekly
+* apache: deny requests to ^/evolinux_fpm_status-.*
+* certbot: use a fixed 1.9.0 version of the certbot-auto script (renamed "letsencrypt-auto")
+* certbot: use the legacy script on Debian 8 and 9
+* elasticsearch: log rotation is more readable/maintainable
+* evoacme: upstream release 21.01
+* evolinux-users: Add sudo rights for nagios for multi-php lxc
+* listupgrade: update script from upstream
+* minifirewall: change some defaults
+* nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies
+* redis: use /run instead or /var/run
+* redis: escape password in Munin configuration
+
+### Fixed
+
+* bind9: added log files to apparmor definition so bind can run
+* filebeat: fix Ansible syntax error
+* nagios-nrpe: libfcgi-client-perl is not available before Debian 10
+* redis: socket/pid directories have the correct permissions
+
+### Removed
+
+* nginx: no more "minimal" mode, but the package remains customizable.
+
+## [10.4.0] 2020-12-24
+
+### Added
+
+* certbot: detect domains if missing
+* certbot: new "sync_remote.sh" hook to sync certificates and execute hooks on remote servers
+* varnish: variable for jail configuration
+
+### Changed
+
+* certbot: disable auth for Let's Encrypt challenge
+* nginx: change from "nginx_status-XXX" to "server-status-XXX"
+
+## [10.3.0] 2020-12-21
+
+### Added
+
+* dovecot: Update munin plugin & configure it
+* dovecot: vmail uid/gid are configurable
+* evoacme: variable to disable Debian version check (default: False)
+* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
+* minifirewall: upstream release 20.12
+* minifirewall: add variables to force upgrade the script and the config (default: False)
+* mysql: install save_mysql_processlist script
+* nextcloud: New role to setup a nextcloud instance
+* redis: variable to force use of port 6379 in instances mode
+* redis: check maxmemory in NRPE check
+* lxc-php: Allow php containers to contact local MySQL with localhost
+* varnish: config file name is configurable
+
+### Changed
+
+* Create system users for vmail (dovecot) and evoadmin
+* apt: disable APT Periodic
+* evoacme: upstream release 20.12
+* evocheck: upstream release 20.12
+* evolinux-users: improve uid/login checks
+* tomcat-instance: fail if uid already exists
+* varnish: change template name for better readability
+* varnish: no threadpool delay by default
+* varnish: no custom reload script for Debian 10 and later
+
+### Fixed
+
+* cerbot: parse HAProxy config file only if HAProxy is found
+
+## [10.2.0] 2020-09-17
+
+### Added
+
+* evoacme: remount /usr if necessary
+* evolinux-base: swappiness is customizable
+* evolinux-base: install wget
+* tomcat: root directory owner/group are configurable
+
+### Changed
+
+* Change default public SSH/SFTP port from 2222 to 22222
+
+### Fixed
+
+* certbot: an empty change shouldn't raise an exception
+* certbot: fix "no-self-upgrade" option
+
+### Removed
+
+* evoacme: remove Debian 9 support
+
+## [10.1.0] 2020-08-21
+
+### Added
+
+* certbot: detect HAProxy cert directory
+* filebeat: allow using a template
+* generate-ldif: add NVMe disk support
+* haproxy: add deny_ips file to reject connections
+* haproxy: add some comments to default config
+* haproxy: enable stats frontend with access lists
+* haproxy: preconfigure SSL with defaults
+* lxc-php: Don't disable putenv() by default in PHP settings
+* lxc-php: Install php-sqlite by default
+* metricbeat: allow using a template
+* mysql: activate binary logs by specifying log_bin path
+* mysql: option to define as read only
+* mysql: specify a custom server_id
+* nagios-nrpe/evolinux-base: brand new check for hardware raid on HP servers gen 10
+* nginx: make default vhost configurable
+* packweb-apache: Install zip & unzip by default
+* php: Don't disable putenv() by default in PHP settings
+* php: Install php-sqlite by default
+
+### Changed
+
+* certbot: fix haproxy hook (ssl cert directory detection)
+* certbot: install certbot dependencies non-interactively for jessie
+* elasticsearch: configure cluster with seed hosts and initial masters
+* elasticsearch: set tmpdir before datadir
+* evoacme: read values from environment before defaults file
+* evoacme: update for new certbot role
+* evoacme: upstream release 20.08
+* haproxy: adapt backports installed package list to distibution
+* haproxy: chroot and socket path are configurable
+* haproxy: deport SSL tuning to Mozilla SSL generator
+* haproxy: rotate logs with date extension and immediate compression
+* haproxy: split stats variables
+* lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
+* mongodb: install custom munin plugins
+* nginx: read server-status values before changing the config
+* packweb-apache: Don't turn on mod-evasive emails by default
+* redis: create sudoers file if missing
+* redis: new syntax for match filter
+* redis: raise an error is port 6379 is used in "instance" mode
+
+### Fixed
+
+* certbot: restore compatibility with old Nginx
+* evobackup-client: fixed the ssh connection test
+* generate-ldif: better detection of computerOS field
+* generate-ldif: skip some odd ethernet devices
+* lxc-php: Install opensmtpd as intended
+* mongodb: fix logrotate patterm on Debian buster
+* nagios-nrpe: check_amavis: updated regex
+* squid: better regex to match sa-update domains
+* varnish: fix start command when multiple addresses are present
+
 ## [10.0.0] - 2020-05-13
 
 ### Added

README.md

@@ -50,6 +50,8 @@ Before starting anything of importance, we suggest contacting us to discuss what
 
 Our conventions are available in the "ansible-public":https://gitea.evolix.org/evolix/ansible-public repository, in the CONVENTIONS.md file.
 
+All modifications should be documented in the CHANGELOG file, to help review releases. We encourage atomic commits, on a single role, and with the CHANGELOG in the same commit.
+
 ## Workflow
 
 The ideal and most typical workflow is to create a branch, based on the "unstable" branch. The branch should have a descriptive name (a ticket/issue number is great). The branch can be treated as a pull-request or merge-request. It should be propery tested and reviewed before merging into "unstable".

amazon-ec2/defaults/main.yml

@@ -122,6 +122,10 @@ ec2_evolinux_security_group:
       from_port: 2222
       to_port: 2222
       cidr_ip: 0.0.0.0/0
+    - proto: tcp
+      from_port: 22222
+      to_port: 22222
+      cidr_ip: 0.0.0.0/0
     - proto: tcp
       from_port: 2223
       to_port: 2223

amazon-ec2/tasks/create-instance.yml

@@ -21,11 +21,11 @@
     groupname: launched-instances
     ansible_user: admin
     ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
-  with_items: "{{ec2.instances}}"
+  loop: "{{ec2.instances}}"
 
 - debug:
     msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
-  with_items: "{{ec2.instances}}"
+  loop: "{{ec2.instances}}"
 
 - name: Wait for SSH to come up on all instances (give up after 2m)
   wait_for:
@@ -33,4 +33,4 @@
     host: "{{item.public_dns_name}}"
     port: 22
     timeout: 120
-  with_items: "{{ec2.instances}}"
+  loop: "{{ec2.instances}}"

apache/defaults/main.yml

@@ -11,6 +11,7 @@ apache_evolinux_default_enabled: True
 apache_evolinux_default_ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
 apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key
 
+apache_serverstatus_host: 127.0.0.1
 apache_serverstatus_suffix: ""
 apache_serverstatus_suffix_file: "/etc/evolinux/apache_serverstatus_suffix"
 
@@ -20,4 +21,7 @@ apache_munin_include: True
 general_alert_email: "root@localhost"
 log2mail_alert_email: Null
 
-apache_serverstatus_host: 127.0.0.1
+apache_logrotate_frequency: daily
+apache_logrotate_rotate: 365
+
+apache_mpm: "itk"

apache/files/evolinux-custom.conf

@@ -24,3 +24,6 @@ SetEnvIf User-Agent "ApacheBench" GoAway=1
 #<FilesMatch ".(eot|ttf|otf|woff)">
 #    Header set Access-Control-Allow-Origin "*"
 #</FilesMatch>
+
+# you need disable EnableCapabilities to use data on NFS mounts
+#EnableCapabilities off

apache/files/evolinux-defaults.conf

@@ -3,34 +3,68 @@ Timeout 10
 KeepAliveTimeout 2
 MaxKeepAliveRequests 10
 #MaxClients 250
-MaxRequestWorkers 250
-ServerLimit 250
-StartServers 50
-MinSpareServers 20
-MaxSpareServers 30
-MaxRequestsPerChild 0
+
+<IfModule mpm_prefork_module>
+    MaxRequestWorkers 250
+    ServerLimit 250
+    StartServers 50
+    MinSpareServers 20
+    MaxSpareServers 30
+    MaxRequestsPerChild 0
+</IfModule>
+
+<IfModule mpm_worker_module>
+    StartServers         3
+    MinSpareThreads      25
+    MaxSpareThreads      75
+    ThreadLimit          64
+    ThreadsPerChild      25
+    MaxRequestWorkers     150
+    MaxConnectionsPerChild   0
+</IfModule>
+
+<IfModule mpm_itk_module>
+    LimitUIDRange       0 6000
+    LimitGIDRange       0 6000
+</IfModule>
+
+<IfModule ssl_module>
+    SSLProtocol all -SSLv2 -SSLv3
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
+</IfModule>
+
+<IfModule status_module>
+    ExtendedStatus On
+    <IfModule proxy_module>
+        ProxyStatus On
+    </IfModule>
+</IfModule>
+
+
 <Directory /home/>
     AllowOverride None
     Require all granted
     # "Require not env XXX" is not supported :(
     Deny from env=GoAway
 </Directory>
-<IfModule mod_ssl.c>
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
-</IfModule>
-<Files ~ "\.(inc|bak)$">
+
+<DirectoryMatch "/\.git">
+    # We don't want to let the client know a file exist on the server,
+    # so we return 404 "Not found" instead of 403 "Forbidden".
+    Redirect 404
+</DirectoryMatch>
+
+# File names starting with
+<FilesMatch "^\.(git|env)">
+    Redirect 404
+</FilesMatch>
+
+# File names ending with
+<FilesMatch "\.(inc|bak)$">
+    Redirect 404
+</FilesMatch>
+
+<LocationMatch "^/evolinux_fpm_status-.*">
     Require all denied
-</Files>
+</LocationMatch>
 
-<IfModule mod_status.c>
-    ExtendedStatus On
-    <IfModule mod_proxy.c>
-        ProxyStatus On
-    </IfModule>
-</IfModule>
-
-<IfModule mpm_itk.c>
-LimitUIDRange       0 6000
-LimitGIDRange       0 6000
-</IfModule>

apache/files/save_apache_status.sh

@@ -4,7 +4,7 @@ set -e
 
 DIR="/var/log/apache-status"
 URL="http://127.0.0.1/server-status"
-TS=`date +%Y%m%d%H%M%S`
+TS=$(date +%Y%m%d%H%M%S)
 FILE="${DIR}/${TS}.html"
 
 if [ ! -d "${DIR}" ]; then

apache/meta/main.yml

@@ -1,18 +1,24 @@
+---
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Installation and basic configuration of Apache
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
-    - stretch
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+
+  galaxy_tags: []
+    # Be sure to remove the '[]' above if you add dependencies
+    # to this list.
 
 dependencies: []
   # List your role dependencies here, one per line.

apache/tasks/auth.yml

@@ -10,7 +10,7 @@
     force: no
   tags:
     - apache
-    
+
 - name: Load IP whitelist task
   include: ip_whitelist.yml
 
@@ -40,7 +40,7 @@
     dest: /etc/apache2/private_htpasswd
     line: "{{ item }}"
     state: present
-  with_items: "{{ apache_private_htpasswd_present }}"
+  loop: "{{ apache_private_htpasswd_present }}"
   notify: reload apache
   tags:
     - apache
@@ -50,7 +50,7 @@
     dest: /etc/apache2/private_htpasswd
     line: "{{ item }}"
     state: absent
-  with_items: "{{ apache_private_htpasswd_absent }}"
+  loop: "{{ apache_private_htpasswd_absent }}"
   notify: reload apache
   tags:
     - apache

apache/tasks/ip_whitelist.yml

@@ -5,7 +5,7 @@
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: present
-  with_items: "{{ apache_ipaddr_whitelist_present }}"
+  loop: "{{ apache_ipaddr_whitelist_present }}"
   notify: reload apache
   tags:
     - apache
@@ -16,7 +16,7 @@
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: absent
-  with_items: "{{ apache_ipaddr_whitelist_absent }}"
+  loop: "{{ apache_ipaddr_whitelist_absent }}"
   notify: reload apache
   tags:
     - apache

apache/tasks/main.yml

@@ -4,7 +4,6 @@
   apt:
     name:
       - apache2
-      - libapache2-mpm-itk
       - libapache2-mod-evasive
       - apachetop
       - libwww-perl
@@ -14,6 +13,18 @@
     - packages
   when: ansible_distribution_major_version is version('9', '>=')
 
+- name: itk package is installed if required (Debian 9 or later)
+  apt:
+    name:
+      - libapache2-mpm-itk
+    state: present
+  tags:
+    - apache
+    - packages
+  when:
+    - ansible_distribution_major_version is version('9', '>=')
+    - apache_mpm == "itk"
+
 - name: packages are installed (jessie)
   apt:
     name:
@@ -31,11 +42,10 @@
   apache2_module:
     name: '{{ item }}'
     state: present
-  with_items:
+  loop:
     - rewrite
     - expires
     - headers
-    - cgi
     - ssl
     - include
     - negotiation
@@ -44,6 +54,18 @@
   tags:
     - apache
 
+- name: basic modules are enabled
+  apache2_module:
+    name: '{{ item }}'
+    state: present
+  loop:
+    - cgi
+  notify: reload apache
+  when: apache_mpm == "prefork" or apache_mpm == "itk"
+  tags:
+    - apache
+
+
 - name: Copy Apache defaults config file
   copy:
     src: evolinux-defaults.conf
@@ -80,7 +102,7 @@
   command: "a2enconf {{ item }}"
   register: command_result
   changed_when: "'Enabling' in command_result.stderr"
-  with_items:
+  loop:
     - z-evolinux-defaults.conf
     - zzz-evolinux-custom.conf
   notify: reload apache
@@ -108,7 +130,7 @@
     state: link
     force: yes
   notify: reload apache
-  when: apache_evolinux_default_enabled
+  when: apache_evolinux_default_enabled | bool
   tags:
     - apache
 
@@ -161,19 +183,19 @@
   tags:
     - apache
 
-- name: "logrotate: rotate weekly"
+- name: "logrotate: {{ apache_logrotate_frequency }}"
   replace:
     dest: /etc/logrotate.d/apache2
     regexp: "(daily|weekly|monthly)"
-    replace: "weekly"
+    replace: "{{ apache_logrotate_frequency }}"
   tags:
     - apache
 
-- name: "logrotate: keep 52 files"
+- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
   replace:
     dest: /etc/logrotate.d/apache2
     regexp: '^(\s+rotate) \d+$'
-    replace: '\1 52'
+    replace: '\1 {{ apache_logrotate_rotate }}'
   tags:
     - apache
 
@@ -183,6 +205,6 @@
     - apache
 
 - include: munin.yml
-  when: apache_munin_include
+  when: apache_munin_include | bool
   tags:
     - apache

apache/tasks/munin.yml

@@ -15,7 +15,7 @@
     src: "/usr/share/munin/plugins/{{ item }}"
     dest: "/etc/munin/plugins/{{ item }}"
     state: link
-  with_items:
+  loop:
     - apache_accesses
     - apache_processes
     - apache_volume

apache/tasks/server_status.yml

@@ -14,7 +14,7 @@
     # The last character "\u000A" is a line feed (LF), it's better to keep it
     content: "{{ apache_serverstatus_suffix }}\u000A"
     force: yes
-  when: apache_serverstatus_suffix != ""
+  when: apache_serverstatus_suffix | length > 0
 
 - name: generate random string for server-status suffix
   shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
@@ -33,6 +33,7 @@
 
 - debug:
     var: apache_serverstatus_suffix
+    verbosity: 1
 
 - name: replace server-status suffix in default site index
   replace:

apt/files/bullseye_backports_preferences

@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=bullseye-backports
+Pin-Priority: 50

apt/files/check_held_packages.sh

@@ -21,7 +21,12 @@ if [ -f ${config_file} ]; then
             if [ -n "${package}" ]; then
                 if is_installed ${package} && ! is_held ${package}; then
                     apt-mark hold ${package}
-                    >&2 echo "Package \`${package}' has been marked \`hold'."
+                    msg="Package \`${package}' has been marked \`hold'."
+                    >&2 echo "${msg}"
+                    wall_bin=$(command -v wall)
+                    if [ -n "${wall_bin}" ]; then
+                        "${wall_bin}" --timeout 5 "${msg}"
+                    fi
                     return_code=1
                 fi
             fi

apt/files/reg.asc

@@ -0,0 +1,920 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: keyserver.ubuntu.com
+
+mQINBEoHZ5kBEAC680PjynWTcP3ZtVfWWL6zQAcD8JoC+c5MbnpFScqtBc2MdlVZu6zED+B5
+sw2SSLf1EZlfbTPc3GcWTwdiXj2GQKzjMra1MZKUnVOD/uMVkj0ZTszUQziW01O9sWPhxbMu
+Qr7OD04jQ7TjtBBEJD+yf0HJsDVC7TCbpcNNtmhXByXqw7bgo0rzxeOB3hL88I7AcC7ve5iR
+xwXoXJYs1hgJMPmZXJmhKb0a3pVk075yMsXnxlOqM7XBk++zodDR03Ym21GLFOu+3DLTX9aC
+aU/AjXb/udtEBAHv+iVxZChzka/KkYMY+KX8A7niE/UN2PIfhWDTmLLcTyBAOuis6cUqDm2a
+w0IbXh359dfBbgV4/QLoafcM841W47Menp9tb0Qz1uHYwV6jjDEmbpGgEJRGIqd143j/zGBP
+xffmtPq1zn/QFVBQNltLiMyclAR1Yb4fksDkt8JGmvI+FwaHdx3dn1VU0hbdYR/5CHtsxN4V
+P/juUOrjbagp5zBBXLlVIVceGoD0mNkNWPyZh8C3SHg2Y+Q7t+cz4xysQN5BUHL4DX6nEIJA
+u0cZdBtr8dtkJToYlhSFaLFwZh/XmOgOndSNmeJz4ll29Xc3V2/hCQlllHXux5E79rRNRKK/
+rSydUzYir755udPWw18+6mPUzT6NDaVDDAwSOLOn99OUJt6bBQARAQABtB9HcmVnb3J5IENv
+bHBhcnQgPHJlZ0Bldm9saXguY2E+iQI3BBMBCAAhBQJWEagEAhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAAoJEESXUni4YStdYDAQAKuwOHT+wDS6vL6Xqp/59eKLaB02lTQuTDFq55K4
+dK9TNYOTmPoxvgeJigT3pHHfKQFS/wwigkOfv8VebBZAcjY03N+Joau1Vi+Er2VNR5Pt0jAf
+ApwZqe+8NMAfefculZvO0g91g2lcqJoMUIaUemAqOD/CoAMMXGQSNlX4BLsI7dbvkLLjbPSa
+wEODAMvuSLilI38dj7wBC30IAOQkOdkB34I/eL/sGruOxYSK7UFJfNU1aD2oQhTkYEQ5cgNK
+vE325fOx7m/sZ5aAlNvtZ3jS4ym45feT9xrbG2qHTbJiVAhdtfHMXGOU6/0UHJ3+YHHdzZhu
+0NCWinu18nDVeDWLmkqkZd77QtTpC/zw5s3+t8lpyqUAF+bN80ZHbB47bFphIupmWGDP2ihM
+NBWBwwFZb7ry27mLyyXKVOFWrYZPrdlNheEjUP7x0GzEO0kuxYO4fyTic5lu594hxwt/LWV1
+s48SV95dXqpQIRroV8ePZoJxlD4hXh1x23AgkWgG+SS3perIGypmouOdl9CQ3yAYSCfcTKw2
+dOWOxGubseyBWw3EDlWKZLkrqbBGxfBz8XJ92iCJ27rRhtpd6XEbqhRfPR9TGTliIfaruTLp
+MPrKZh74Hs7LAhHo0nkwcOoE/iYHhQpNXHMnj0hqMcwzzf6MlSrgJ/VPgQ721d5nTwrjtCBH
+cmVnb3J5IENvbHBhcnQgPHJlZ0BkZWJpYW4ub3JnPohGBBARAgAGBQJMa+/FAAoJENXKmwTy
+xCO8ggsAnAzhqo1IQ+3qwCWD9ifx4niyPiAFAKCo1ou0sB38EuQXnWCyp1ajblx37ohGBBAR
+AgAGBQJQn+UPAAoJEHDzXiRtUx5z2B0An3U1rm/gCkoWtAcsC/IYQ2hMVaMDAJ9ddV8IywsM
+vnKJ35rfg1PLT4KNFohGBBARCAAGBQJKB3HmAAoJEDIXXA3BAnoOiOgAn2tHyIuAGEY2ctJC
+yM+C7hmyMNMKAJ9asA/uRkG4wiJwEP8DCnNB7Obfq4hGBBARCAAGBQJMXHEgAAoJEOFVF/Ir
+CSDAnq0An2xcCMh6H6vIT9rmbxHgGbc8VfTEAKCopbM+QMAGQvOROMfqWJhiCB0fHIhGBBAR
+CAAGBQJMXT8rAAoJENTl7azAFD0tTz4AmwaE8zBHaUWbUnsYwWXqxavmf8BCAKC1hL9GKk60
+yXTEW1W1QUm8jIYILIhGBBARCAAGBQJMXzSgAAoJEPmF40AK/HR2eqoAni/Hvg2M4e4vrju5
+wPT+dONsA9/vAKC1X1c4YL1XiJ0fXpT02U13r9e8AIhGBBARCAAGBQJMZ0yhAAoJEJ94+Dzo
+xDRhLFYAnihJShfS/zRoG7iTNhgwqyLxGqczAJ0WIP7yfVZbP1N5oe6LwhQsZ1BdVohGBBAR
+CgAGBQJMXlHCAAoJENoZYjcCOz9Pjd8AoMdNUjbpkScdndClI4EqT7tn6PI/AJ9Luiw8fIEs
+iD5yM8NOkdykX1LPyYkBHAQTAQgABgUCSttnewAKCRAtDVq4fCU9UlJJCACTQKre8pA3ud/V
+esa7/TmJI1S1cVWj8FlS/gatvLJndd90i50p9uGm1yA4g8iwMnGdcIWCuRfBlhjUnUJnTX4B
+QdnUU6HCv9RQ/OlJ99k7vNhswtgoEGQWq1mH1opSviZ3xhMwFTiXISQ12i4TiGSiUfbXItzq
+yxOf/gtjAMGrfnNB4MUYPrHL/lSMs24evYFR5DgOKDwVE3vVY2Wf2ytWKZJQNvKcm7sxIxKq
+W3OlW4wzG2IMxMSTl6SHYOqIhRGS9xAj9hpIfD5XzZjl/iHmMZMcuRA1LPxQjqdZ5CeF391P
+p6vEobkSyX0LyDvqcvy//VHn0l8cRuyEmgrTpdmTiQGcBBABCAAGBQJMdo7oAAoJECI64FW9
+lOFUIpkMAJ/obi1HblArRgKmxiCIMD2/nTcj/ML3tL9HfZ8bpWZ6YJIUsFRcmHCVWaOaCBMJ
+omiICZbcot3v7/1p0D/AE57i0IFPZpXXu4utC8B70JjWaMJT22kVi3hvhrChxlZYNZlkXr8G
+mKhGJpzEfVlg3hp26jbj3jEEGmjJlii7uuSrV1VJjyZaDfTNbgXMbUL/3sISsKODINCLlgCG
+iVqa6Xc8bIo54zQ1Rx30Ijn/6ElFvBMSdZPu4wQ9hKrJGhrqY9FZ/U0xfaawEzxbmdZKDxVO
+Xdd/qD3lNAi8Jg6m6qQO9/A4c/Ln80ll8St6MrfLwJ58QRWawTQcl8wSTxouC/ag85VwW1lX
+FfnulWVjqRAY41gVY2SaBb78A8pwuwy+ixBWGqAyGRVjahNj/uznD3kwQh1DUwjyDe9lV0TV
+5IpQy4YfXjkukwt8kVvQUL/p9w3/gmPZ2lXBuEgMT/NKZWKszgp/JZ45qDUD8hgPlK9bICRm
+iQ1KjcAV3mh6dYLwJ4kBnAQTAQIABgUCUipIgwAKCRDvc+baWDa4Gqa8C/9aWvMONUnoDGjS
+H6gIsnJn0pGQ4zx/SU+Bt8MG0SPbtv8Zu1twofiX7xSV8p7/RmESaQyjbzOD9mMvXwl5mF2N
+q8IbDhvJmEcCCgVolhM1g1YtF8uM/Az74tNLmI8gsIiX/Er8045jMANp+UozOLvrzx9NpVBj
+InDRhXt5ZF4YeMdB44cZL2OH8juSbpZAPFAi3Lm39gSMj3eUiUavT6r0Ok7AC3qMiaTvvtb1
+VU5vl/CcevaFE0DfZQ3+1iXsshnUu6ql2NvFPSn0tR1S8Ekk8NfItbAGComC4BF71MXxY9Af
+RW21ROLzRR5Szm93E5DirjTC+vfxQYwEmemn9v8KWxMlmFTu08GbBhi54bBb0iuaRc9lf5E2
+dixJqLU4JVUPxjOk6tFvQHtZQRj7e5fu/lusZ++WKXnZsH0AiRekbN/j1Qh65aDi17w0ebXX
+lsKc1kqryHNTq4PBrhrKbNBa+tlFDcmn3yUReIxfcZ1Bm3N6PxNiQSxx9Wf6LL/1rPuJAhwE
+EAECAAYFAkxccZ8ACgkQ8aab5CnA/+7HvQ//dhkVGegUq2TyePOTWBxK7EyLVEZEBr2HXa+y
+Xqg2i8Fdou5smHNEd0q8dz9oMBEWcZtRYmGKzinGcmxzArdmVyXV4fEkUab9zfL8g6dGxo+N
+wqoHt9DteuJEURwakSJ7oDW+DlfzxMJ924sg5cuUtqcnZwy73a58Y5fkPaZVf+/HrkadZT3f
+7fM8pb7JgJSRhgmdi3MfbUQcDgbZ604MifdEVIbXX56ex/9OuthbQ3lp6jHsvHcXPG5qt9th
+RXkztoyKcArSimHcOFrLqWAQsF8u8PIYNaTKyJO8uRDYjMGcJQv6B8HqV2eiLCZtIEdcoWev
+Y/oeflGDh0PbGpswAiQzoSxjvVdPgPUTqNnsl/eWvup4govByKV4y8dxgyM5a68a2N2t4ki2
+TwVu8LpCRzuiin0EvgkM4jKSFU/KPiZemdLq31D6o0dQorx+Im31XWv/H8XoI2jGbNeMVWHq
+5WumzPhTfgFVajQEc94Te29vea9OV+mlgIDuTzqLD2Je5G6BDqu5EmTlO5sPDJAwM1c2ckJb
+fHjtUih3Vw2B339NqF+aneOX9MH4blAlX2V5vuz0xtmEcd7Dy6wKjzmX1Tcec4VjDDgtCoH7
+vWzCeQmlWLzf1tF9keUvRn7eUktyAqozvNdE4fs6+3igdFKoI1RHNkFO45AuFe1goN+uDFOJ
+AhwEEAECAAYFAkxgK4sACgkQHnWacmqf3XRTUBAAtb4DXxkzn14Qo9JME9KfZ3QA1ZfoNffR
+PgxHkLX3q/KzGvbQYQc86kh6b/19aV1ahcUBrpABOkV/0k6tASrs9N6V6KBcIQbJwRETyWU6
+G/rG47h+4fWIMew5XwCzUzvqAD5GDp2XfivDQuVt1Ta2WcEAmKVYNlHYowpnEqxvLNSSbXuX
+Afe+OK4XxaFr7i4zr8zS6S7NRigAdENCt2Mr4slo0ldnRn6uQ57ixfs23g8LO4/89zW+GxKG
+PPUQbo9epE4hCewTAyWwrpVz9NxrodvDL6D1W7kY6caiOd5tArNKpwF/GCH/vsGPU3NsFISI
++P8GJUwtmM/47xgcteHthx2yC0HUArTV0w4+PnAaelpxzAyqd3KxLLUNJ3vjv3xpwV3eGWSG
+zd3UZ4AYTJmSlbgzuJzQIwwyxHsA7ypUUsbdrsoQaTkACUOsHO1l/oT4P+z3/tWPuXqUmO+D
+Ly/pBiCRrV7c4cHMzud/dKBXuAK/gS7VD4Is+K8/srdEJTrPB88zleiLOdffymHtCAmZPn93
+bvPXUcJk1PiNQYRwQIuIjHJbbZL8rxqVo4NCmi2HwjqMaow4GLEPSEdqEu83LpSU0Ts0BJvF
+/6UTUEs04zDjSXpAGrPhWoom2jxUllAJq5Aek+f662dZpxVLxzMHWrLly7Fb1WPLbCrWhqIl
+k+SJAhwEEAECAAYFAkxgNzgACgkQ14hMRxjhj0QJqg/+LKFGM1orBnYv+DZeVGbcPrBJVkeK
+nAVgX+HpIo9uY7F6rRMZU8BHmxqM66k/tPwwrVzrgrLScK6spQTUjxKbjGkktT+LPVdFdB9F
+2QdEYCwX1AB+0InLVtrXF/yFFTqlxxgLCRamRziO6w/1QDFMsDdNbIgxErjMb7d0MqRFNlvR
+fO/ElovAPWlf+4zA0xiCRVbV3tbNl1/ILh41C8gc1VoTYdmUP7W3F6xCpy4MirSkY8LLDcax
+wF9blsfc+gj8mW5yegBZnEoZchasl1thZ7Jt05tMkcEFTVYMfeReo/5Ww/dEpSfhjhryq5MH
+0sSBT/1YGwbdgBRVzmocrWtQJ9i22MY3RboKNeAFs/wx9L38z570rOdemtfuXzKmI8jlcfQI
+BIrE0p1zHE0OzgdfAI/uiJMZ3dRZJXsr8iVWuER97QqYZZkgDMaSHxvuKcNKQol9AbnDWbpl
+q0J7CBo5si41rXpUIb/18FydC3k2KzjkCAaZs7VUCguWU/YKVw68kfrksJB0gIGqh66wYda9
+dpJVmjVNTR5bWbo8//ZHQXFfGccWoRImEZ7dD4xKTl1B1ihmgad0H7Bynd0IiORVs5zbdbIE
+FCwnMjjB5nr4teU0wq20H8CaR36Rw38KgRrcJdSrJVDrmg+A4PPsW3aA1K3oCvREoR2+p322
+8j2c0pyJAhwEEAECAAYFAkxljxgACgkQE8C1Zno4sLCijQ//VodIvktCD/rmvxmbby+tjTFp
+yNPRgiIdLyXU0Wfoi0TqzLsATfOluWVpJqSqIQ36g0wYc9T8BemqcBepDhj5e9NpYe4oq5kF
+IxIJHzH5jHSM32vPVxJU4PzYcZzAMEVWCEBx0CHgW2cYc/Sq+YNq8Y/c69R8WNjse0qOZP7g
+zTInr4JqL181TVvGHt9Ak4KNakxEVLXGIXVSV9QDDGCpYMkfpEy7pwvtV68DFVj2nHHetzCp
+3gYi90nsVvk3t8iowNUTlKkxnj4dZ2lFMJfZBBeNev31JLkhyqExUoBzZMDmW+c58nye8Ode
+hXnvZ9nc0pe2Z6XWLuraYDqNDKGMWsOTG8gCPVrZL5BtHr4Qh5uuAwT44PzkdPCdw9NaHw1n
+0s47Uuailgg+ZuZgFXxNcRD5A93Ovl6/skln7KyTr+kJ6BsDcdWzcXpgQ62/3ayxgaOEZlKE
+VLJsngKhcjlINiIXc6t0AVZhAlgLrLAvi1G19ISqNPNBRGUWeCYjC++RCaC7i/vAFWIQOTLA
+NfCtzwhF+kopF2tmmt0ubapaH2CycmWLr0EIvPUIJ7GAW6tkjjv8tfkn2VtT59+gE1WmwR4q
+55XkJ8zbX9tJx62w84zkQA6nMnbBQ9nfWY1eThRk5IOXKElyk8cNIZlqIPPH8RVP/Ng9Pjj4
++vSOAjkT8LyJAhwEEAECAAYFAkxmx/gACgkQHAH0Q8nJPFo1uw/+Nu1AJqt6ifpA/EaWoDnU
+9hSYcpVq3mGivwEE08U5/2trXl5fcAe8qvdPB8JIYRROTLSUIsTkERftzxMzsCIb+iMj7bKx
+5Ip18GSmTOcJU32hin/l/DZlDxB9/bo8LqCurbpEDeZ84zV//F6AqMc0mUyxhdVA/y8gEp6x
+YNnVHU+AmIxzHkE4n+Rrc6JdGUODOL4iZcewBl2IKcYzRzcELIFMzjnSNbA/uxKE9g1kTa0F
+QUTTpy/y5f36ykfWWdrz9OZFR81/UlZ//gv+sr1UHs6uMs0QayF2QJW4iF0KX4IQWCcbSRyn
+iHuOzpmJuTFu0KNmU2cfRFLgyer80glsqicj0MwI9shdtpp2+ulfi2itC/gGM00cynt2WP3d
+arrohFDOwCuAVWjp5dtENk8LNCK2aYEXlHiW10kaGi9k67AVfrV55p8WVTWcpT9oQ76wafnp
+jUb6XPou4DM0Z5ItJqvDQv8823b5BCnMeyG61x9qCTMhGMEzDLFFkXalViQtIjsS0tzF+S1I
+B+dVVvCC0tMnPWoyyqYNqtC0rIS0I+89uQuDD/4jAf6hL7sKLUzdLs8NByjQoV9nIaXEHzp7
+jBlgAZgx2SX+eK8wF/Lo4d0a0jddX8PRZEjkx0HOhaYcW59tui/ZXr2UDwlTTuyfsSpo35K0
++VdJ+mtz8gHZ2lCJAhwEEAECAAYFAkx25QoACgkQryKDqnbirHtS6w//Xt2HPPu9r9Lp4Z7C
+U1EtWEDzBHZoiYrX8GBjfx7XJqX0kJWAXTHoN9HtGDwCil2bTb3WwopNrFUShR2yEs2Tbo8I
+j1n4veQxx5japTb9b3gwh/8lRRPCfF++jn9q6927D+0jJde7hx3G/o0OoJP2H04kEM5wrzup
+1nOkH/L5+bFerw4eYir+hl0oVfrnK40RKSnzy+6sD+FCFwLipOofDX+qVp1VguzwkfAwLTSD
+PVxsjfvxKdRCj49RbI0Q1svMu8iS0Hu+i6e+pPVgvy2Bh9iPQiPNaGG9IeHy5mnq9T8yxKd3
+KY0mj6ipuHm3c1HPJln5bFlt1K6mrysbZtxafo+O6XeIUoRNqKi9eyA9udgIdHPuMAypsYFq
+M1Pn7TLdSnRCyuhG0UFlr/nx3VVH7PLOerxMCZf7ApfcWA/s/iBG2DLpeB698UKOSfogcbWO
+JW7Dteg4ZCL9zLxRiTZHLsMHnW/aZAAwoh/zV2Kpd6qbrZSyqgn3Pys8kwiFnnf9aWdqXmls
+oNswHZeh3JvMOgs2QyY9X/+Bz3k1vf4a2aU2gINvL55aRmtgd3VDvWVk41WcRAvOfBPCC9TL
+0UKbIBT+/rxuse6UiS/lVRNngvOpuUBmd0Zo/PiXxsxq+aKX6FQzZs0HsqAR/Ov7bmbh7Z+c
+WwE0ZEogPivsD97qv2aJAhwEEAECAAYFAlVxpVAACgkQ2oKDDjzMOjq1exAAo41+8W0VSibl
+OmQWDesxI8T+Qlw1v3Luf1CexMx9UsEktH5yP+guCeVpADMupSeKis8q0ayOgqXim6gyRjHS
+1HklDGwUnhUyfDu5VNqy7BOrbUKq32TOqudwtq5PEyohof89/hR0UwfC18hBkumW7NfCmEY+
+kUkvlAVzVwbSAm1bjkFu3DLD3RKN4d4UG3kFc4tqY0BweC85UvJaFFnY362RLCBV4gTjXVgl
+UIHXpDSt863NBTtbNJUTIf1tt5sFqknZh2N5UzgtkTz6t4N47+k0VZfxuk/f9MmuDEHAEBBp
+lj4X+ofPXbxbr2iaAZjT/LjU76tYq7thkbU2NRB6RtDv+Tqfib5z5ecwNEKIgQ6BelCh7pRI
+wnMYhx3wj2aeY28vJ9vE76NizPWiZpYzD3MHyWfN+kIuSDRZPBhSNLnfA5uUuBQNjS1Ad+QR
+Xo6CtWZ1cE/7Xv6DCKmk0ThbGrvwkHKJGrpJeaaf8lP0fo0L9cIipqx3NSSKHGe+B7zhQZO0
+QBlTfXRlErjuZ/j+V8MTZqsmlhdVi+hElTioj24MQJiXfB956RuOM+g4P9v2QT5RRD0C4XaS
++KSC3eejZGYEeJAmB0uRztsRntyryw2LF6WxcSyEg0pY+/SLFxMfRIPlcAxMM0SB7HSAFZ5V
+nQJHc7bBkNpw179YqexsIKaJAhwEEAEIAAYFAkxccTMACgkQ8RQITAhhERF8zQ//R2Bls2xP
+vxotETrAPF5MOjDqlK6aeOnSyI7shiWWXL+7ds52SWsmD7IL+7XW0t+fwvfEVOb+qNWIiVaS
+Yg4nvZQnTkCqTnDxTzdxipEaiK0MC0bXmAikBQjZ0iiveOMYOeRx2PWuUOHrymcvJ+atlkq6
+pk/mycZGpVitnO9crTb17SLsm71k5aV2u7EBCEUcbakmrx1mDvBoi/tSns5y9YEPTc6JcKtz
+VqbyiSAY5dZSaLc8IW9Aqn533kPyIwYXnbxd8cPFDxDLhIeBmZnVTLURE3517RXZu1ngZEFh
+pSoT3w0Xg0cgh7eJ4Vmo8MnW3p33+dSHbWRlgrNZcB0PBWZrByS/iS1b9REgFTyU4UeI7lH5
+zLgPdxPKBvCNObRhKg/dAmqSDq5EHYgWxn50p3TCfhrDrkoD+3seeee+mNARjLP4EDyBF4/k
+57SqT7ytj9TWQoQuGAodQqNXwMKNcldz4FRZ3rMFrUpJj3uD9x2tlT/3bCVKQ1QcPSzKcEcq
+zq9AZzjH7cVEbgpKI5zBJlejWB6aGvHLIhYZb4EYuO03OgEDDj9AUvIBFBxKdRvCzeTZOCTM
+/8oAgSSVmFewEI4E0yNxvZu7wjSV5LI0AiyhwnCWlfYM9Hgxbai3cv2osIK2p5GXbaRykhwc
+jc4lPrIsEE3At2UzlzO4TTI202GJAhwEEAEIAAYFAkxdPzMACgkQhy9wLE1uJahHJA//a9iV
+wDsx+OxFu8+vPEXmJCKt1o17+PyhskIvNSXlVPvpYIpqNKUJQXpqBkiNASrCOQSHrQtw6p28
+9i011TMqmMZsUkjqk/Y3Yzx+SPT6KUfny7qQzGW2DpHL1qILDFMywzvt9djzWT6hmH5LCLSB
+3aWMHIwPDvtvylzHPIN2XIABSBxnHgeEi+2ZZoLZE7HlQbwsAU7Xguj0K1DHe+urOBYvU0rq
+ceqiJhnY8b71bwQRhFqVhoFkW/IPp7dujQxeJVvHZQLLNkB4RMqG+kR2Ku04U1Fxbh7oc0vr
+e8EAYdMfutU3ZRWZ4D8Ltr+q/hxy6dm/bHrpFu6NIxox6KrR8zewcoGDQKI9BlQn8mrIof0W
+YWNUusb//Vbz58iOh3POcjs7VkD7aPo9R/TaruBIWv77kbjszlQaKKHWV4aIVS9EXW0cPpeF
+OQUaq91aAxB8Tw0Clx1TfVc/QZJB7/l6k8deXgo/+4JCU/BBmsplR6mG5mhY1Iq5PnuutU+W
++sHQRYSiq0EKdwmAaq3AIz7D+rWafv83Ea1cZaMph23ChqVX/e+YVI7rxxYCY1bubd7TtYWb
+VG2W8ufTwemZBxWFq8HXc9d+Qm3LHV20Qxp5fAoYr6O67XYgQicIFW7f0lJ54igqH67wFjOf
+zOTHfWK0izIeLVtp8xmj7hbFrXXd46+JAhwEEAEIAAYFAkxdRNoACgkQU5RHndNSTFGQ7Q//
+YTQ8KFH7n9MYRpb83fTRfkyreyQyTdbcBsQw7R8Tksx/qbidiZZfI2cILweIqsumN2bF+ibQ
+VYx/PpKEStaW1VQI5Crx/kSRmBaOlipbbfO+A3sbp98hpKMmaIxvV7IhN9qKhjcQR0YGXcam
+5oVVwjIb2n89nqiS0qnGIUSTLzK5IR8Chob6tpnD3jQAnxE96wyhADedhCVMf799HSoQiiAH
+TUarSv/HMIws34LRgZ2voFXADq+CE1Q2rBEapwrcDSkEQEZ79LImeuS/S1Be2ritRO+TFLzc
+982LuHBxUa4MlcwWtWaQQ6PW/c5J7QJz0RiqaaL0DZxCw/Cr2e3MIfTCdK0zPg4A9BrNsQkR
+/zYmePPTejvbsYpsWbpOknwZNqoYRc4cEaukAtdhZhFUDfL7jfh5HppCIM6EN3ovmTsRhauv
+LeAI3J7JqrPp2yLDbL43U+1ejsD22+l2rmJQcQpRsdD8KlJX8bD3J0fCRhhIFNABjMmy3e4T
+bij7ZM3ovNZLCgjHmNa5ASMyS3l/T2Rqu9rh/pZbPWS2hPTlmYTStpb2T+Ax/anpXSW3ZiAW
+fHGOSjNrl9+LFqCdjyzvk/u2kbgd9VtjjFfpPS8xS1dGk7iIHHQQ1GZXc8s2WB9XkGGpD/j3
+8bvLJG9EXtqVWwJLo6t/PMOgnHK9dneq4I+JAhwEEAEIAAYFAkxfI2cACgkQeo9J6LY0gL4z
+KQ//YgbbsU+C4e9A4L+b9lOTh4ICrmYg0jD86oBtjTsomMO+UP3T+mVH/meHWTzr+6ib1vsu
+Nz85E5OWHeHL1Mzj60gbZSn/PMcfL++kKVCMhJs/HN6z4t/hY+GkafkeZgglnqItkZGK85ME
+SmpoecuYsExEj9fQaNjHuCOrp3c+B0PJ3PSQ3qTknsOnUwkOgAhgeni1RusUqckryre1pPrb
+Oy9RrTroHGsbvzfbYEYS8IVoaMP1AJj6o1kb6vomTmWlh7r5UM5iZRcFrKK3qjQaTYr9f8vf
+vpJZ0GlWT6T4szOmekTnYuZJGOumkLScn66qSihvxXXlurPP0XzVObz7YrZ+GEDNJxXwPJpw
+fpYZHsuSXv9Pu8S1wjbvL1xq8WEjwd9q4kgch6r5SD4+syLydwLHiBXTc5dfVO5Xs6KzWtXE
+MNsFBrDO3pgHtWvS2V6peL/yG7RJJztzZUc/IYZWuEJIU76rzU4YK/SC2Vse9lVA3I4s0knw
+5TCFvZHTV9KIjqT95xOgdlZKmQc0uXSPNrVfoi28JOfcAGnSnRX52KFt6yBrhCBCWuVTZTgk
+hKSIktI9PPC/C3xyLwxJjz1jPwEomhtnNx9B04W17G5c8nW1yCjxPxY4Q9LCYpMYXGB2Nena
+YydDbgfA6ua1exRQ+ZkWpnHqsmCLL7B0C/7oTOeJAhwEEAEIAAYFAkxfNK8ACgkQ0V0xOIIA
+QXMoXhAAs79q+JHo7ulKZvKDkh+OVOXrSh5eKGUmuqK4RJuxrHmthUFkNTsyNBEZc2+QWw4B
+8q8ka0x2/1eIDqwsKwHOfcQdyMepGiKnGWm58vL5CeoV/pZW/Yzrs6Q13o6/mm02bcxiVlqs
+ZGFiRaueY2QJ66viPY0TJPlK3CavKKgZQ4xQtfQ/MDg8sdEnu3G/1PWyyHfMVsq7fG6MXCdY
+TisgHAEyQJXgpCnk1YIuwxZQPKbMhcjiGbkKBMeQi9uZDiDUtY6s6S5MZGsG5v0KTuoBt2Kw
+XHbTgkFT9wKaQnK4rfMjGtZFuwiZw8MPsFgz2QAR+1s4mIkCbLPPl+jwL+F4UkEUJvpKWcPI
+AHnDe2q82vOc5ToWfm/C1cSf7cuLi2hGuSKw8JHuJ4hBF5NaMhmsrBOxjS9BC1OrutNvjoa/
+bBihJxX6pyz6Fhd3wnjtF8f+H2pxu9/9M6bv6lkHZDQxfnt2+muwsRncx/wU5JJcxzxUzcLl
+wctSMFHmNU2egx6Kw+vPgPdkthrOZjkLQZZj9DZxHK2j2ENAm4jVF2Z6cUHHm5tVTsR7XF5t
+CeFRNPUlhoEz4zdJiN2qflMY0pm9MjBpF44O8usWrEpUiPN53bIOpbPM08zYZ+BBGPOgxZbh
+6Y68YUAq9XfVn9okE73HeyLLS/bpBj1QSe6QapV7sg+JAhwEEAEIAAYFAkxh7k8ACgkQcDc8
+8SkNuc7NWg/+It0T/mHuye7+PG1kQbutyVw69/C7yyZkoICrcQQ+Oh81Ba+DENSKrPVkmt2o
+U3HR1bL+QbFDjUa+hnLHXh4N9hlREDbsaYdYz3xLbXeGOPDt0QrLn3mdZ2cZrZwLjcqsu+bz
+5sRZMbKKTXqKkMQaDcJa2CU60aEoH9d+QJkIhOHiqkNvVyrKbiMoGnJoKDppwG1e3+Ri/oXA
+6Sx3cWwmdVrNlwNAKraTFlw5Xh0RUQ5NJstxX56PN7tMm+PEnY94bPTJHiyzG1obm2Ona7sg
++P3DIvqMFIkldhNz/DdeCjSN4qrB2u71tC7xwAneqqLpPuYhpMpFtD/JX2lOhoOvo43n+atM
+jqIU7xhZ2W0L7n64Ym31+wqqz6NEx+aVp+OgYVJPH6MA6jel3/KFhHoWpdnLJIL3XLq3Op4U
+tCio5JfouHfuHVdslmKlH/6rO8SFY4VZGF+RZURMze0I6b3HN3WQb9Qv78hg0ZrI4E7JIbhc
+oQQDIXgASS575vjK63/WRuMDxEpLEUflESKBsG02GJWe6knx5lACdIyD/8kZ6MIV9mE31Nqd
+zVKv+i7BBomu+ci/4B4LXn5LcPphmGPAvL1aabC7D/9lxLPA5Ur6LHDU08LA7S3j5Z7Iob4m
+KbS7pKaBdYPLm+kfAlw88bDnPioZwkWSggD5/6iwEN2XseeJAhwEEAEIAAYFAkxh9TkACgkQ
+dzH8zGPk4neH6A/+PTNKtYOQmFxM+1QJEqK8+4ZOyeIB74wHGI0VyFWRb6Bt6K7OIYAfp8Vr
+F4kH3DYPqRYWZLyG8Krkff3HUwdgBdrsRRQKN5Q1YwpwpofCcdDY9l3fmlUNx4MQN4Cx9uBT
+XY1OGTOMHHCog2eIOIkc3sT4xZ/zIcgFKM245lXl+fLvbJId8jZjYFwefNerUX1bucNoaloC
+drmbUN2OItXISlczLhSZlXcOyxU2Q1DICK4EksZy0y6XRnYA4/7JK209AS5jIZb6UvV4kMGU
+y0/CBTW9fJx1jZthN4bLxHMSVFHvG8oqRPmr7bO6KyvnxeGY/0bd30nA0hoVyDtKuIAuBYXL
+nrnjHogjF5sl4LCXLNDmIqbYoXMCAuYrlGaGsLzqGqjPX22yb+5B3zYCB17nCP4/l84auAJL
+6/EOrkOjTRPWIqsRO+dK8QENfp2zYfWmr0G7xBQPdeDvyFHbY6LO+PwzVfzESGranmiliTDq
+fGUGT/F6F3eBhKb392zDllJgfeKLt8V00vqaY8jqXS4AB6ze7XkcEXKsshN2atVsstUmjLKZ
+iSO73irt1X/Cg6SrKkjDgUhwTmOxywkHBYjsot2NSYcrdkYEfK3nPpesB19dgJYzPn0Mborc
+vJ3ixf5c2mjT1GHIdrp6XEjqLs2zu8dKLDiTJPSV/Q1H1nEasMKJAhwEEAEIAAYFAkxi3k8A
+CgkQd8b7Q+PTCCRE8A/+OY2000flzIxhqxc23BzEOXWxwZ+tH2r0UQTq8kwZiSsva+NIjN5G
+bx3MMcT4IyGF3VaxKZRJDPGcK3ByJS8HnCv58OE2iF9sUT2BZJEIfgniHgDA6iLyyQDmM9N6
+9UVoYYqIWff6Ve+4gPYebafy3UAgUJLHdrknfhE2fseE3jEtdsn9AizP7hc46xPkeuaAD474
+4jtM8h0zVk36l3gdRwFZEWMsxATskct3hLjKv4R/EFdEgIo8x7hK0uxvc6JyyguOznrwAgP4
+0LgXv+Ci2BWrf0awhOyuDJ+BiViKtEuzcqgwPR4GgOKkvzti8jkPNAvjCEIHTpWJwkIZ+SNW
+aaIZVfbZdSTMf3tfVkUJ8tLImtfHwJ9b+BPxpiP1DENZtxmbOsKPKeH1SIGO2BUt/Y+i0KYM
+rJmhQiL4k62PIRRhMKuYjQ5sasa9oyAACxg6nJMJoeJalJtcE0ZynCwdCFIkhYLXVPAgHCUo
+/c5Wq20YMW0sqerdf/oLwTHe8Gyru8JfcRS1mLBuTPWQUGIt2h37WMysv4hCHT29N98w6zJL
+jIGHH6Sd8PBw+WBxg6rpeGH8VVuLfHerB6XEMxoQM7FVAefDUCrHzWUrNHgSl5qG14HQ+46y
+xxegb5XNGM+ku721W/t7YsA15ASgZi8ehaQ7iSl56TGu8vQCTaDqPmqJAhwEEAEIAAYFAkxn
+Ti8ACgkQs0ZPiWqhWUgz+BAArOWNP1VqUSh1LpZ2mgjMLCW8cPChtEKI4/RHUElI9r6BVMGR
+/35Ww1HMcayD+H7WZDXXiBqG/yPJJtmMfBW0xWH3dbo1pEn8IUZd6mWSlbhzxRkVr6AFhDKo
+4T6QVQQ6nwJg9aBveBAXGnsr9/PieQNsp9IyACxZCvjoEh+2TV6xE4r0WaPKGLai5qPuvzSN
+2efP1Fl6gtmoxgI0yiLDyMlQZPi+/jXC7qcae74qYFUqih1hAq3EaCfiUNCVCulAEYnzhu+Y
+qJorF+Xl3vV/i/NT09k7GwvxLy1waPAi93yekg/QwkJMSrvehxXJlPdkUXUKCsgE9o+1CztW
+iIK37utWFTnkApQaKUyHJA8T++ReyRXDCEq3Mu82ZMQDzsWRhJuWmX7/5MAw/1H6yG0HLxC8
+sGH64oduKWZIlWwjkox0pUrA/ZkEDaznUxUK0ay0exYtcPJ9uUcmXsFvxCe0SOGwarNKbEjs
+FkZ/lelB2LZprKk/10BqRg3AzPEix8IK9hRRM5jXK1ZDEYRGYw/c9VoQPf7eMpF52zAZ45h8
+UjL/q6oAg3egW+ddbsEEXzsAgpcfNKhN/edoUKhQd5d2h0S8IpmPMrwvqrRaRSlOrqMhbqro
+GQhFOV4+fO6zwkV0P6Y9QSIKibjZDS+QUZPXCLfpKRSYVQlkFwGVeVUcZzqJAhwEEAEIAAYF
+Akxsv4oACgkQ5E+AFtNjD4l5ohAAtgotU7QYfbvY/6b2DKShrm0guTeROOi1imRMfMD5Nvy4
+CazA7qm07G9Jxo/yFYHMaXXeG02vx0pSb6Gbx9Z/jtwrOALmtIUAajTFmcC1Koshn1KAlqtV
+FriWzwAz/jYIK8BL8Db3LCgGP0SSyIaD86x3VXm4JE04AJeAtFUikQwBU6iNA8Mue0rmdIgz
+vQ2Fg7qk11Nafx4xT7XU/K4BAy8U+6Ai4F8VPxdh94zc+Z5qVd5lRZ9fYsdzztYoc8xtOzjJ
+YzDACo6j6covoSD56gQi9htJzraPtKaWu+gz4P0ijZ/naX/hsXlOnZ7IQzaByetVgXoU2Hg5
+D6UN7YCrQ75TB+Q7Mh702dvihXCr2smUkBOBnEqKoxrLqLtrDYPLw7ELuM+bRzZb2nfBYzh7
+/o5hEG3NO1rXIQ21cYvfPSggkI1fq8kOsWbd9uIXR4iHycohZ9DsSW4iQ7+IwVu1Giypf/R2
+Fpz+cL6aGI5DKFRBuz5ucjyhJrl9wes8v1hsTDNAPSbOyd3I4PHa3N4gxWbFvV6TZfSwHKm2
+fot2bglB+n9otZaPBVnHdsntQsRnS6K7Ptft/EZ1zJvWJcOnAjZEtj62mbrP2bQ48r+wkWy0
+LbOoQZ20auH/YaqOO8ZdA3QGpvK2GCfYB6JzD3bQomsQWMlaAkx1wfFQUBQ5xtOJAhwEEAEI
+AAYFAkxvKsUACgkQfFas/pR4l9iqyQ//el6hebIh5S7ekU/6R/msFAmuluGh03OAMYa+JwUm
+YqXR6iGf0Ftw7XgYJt2NiY5ZtaOULtZe3zOslFio4KRAwjKgEOzSzEDc0wFtZnj0/LlSTk9c
+zrrymcJQCAgKKV4WTffgiPpzDM1ajaHxY0WQfYJng/5pVxWb6QXjtB5mupf4T1Yv2blWAKpK
+Fw67Fz/iN4DlWil21vx3FgpAHY+7JVB/129BnbdHtbzP2CiQxZ9PoQt40bhrinI4cHyPHcHk
+EPKBD6GnyuyIoPGYRsILp76rH9vWQJWtY71DQwlB9+w/JTVP3TRinXJ0BSBvFGNcP4hqY5b+
+8tKmSBPJM0umER6Q16HosZtI+8rY+4yvaHjtEIqau/AdBnCW/EBeG1YyjDOQAQzVdOR84PLf
+Nyz+eqeZI17fZtokRjTg41J2b1+F0GbUOTQueqzlTK3spWYrPgDe54luHoYmgVqlsj71Zv7F
+cWEf7L9RdcA7sqCQXpDggcOTRDVg+eR6eCLGJetBfq4fsX0ae10TRh/pGut8Vu6NTcFGw5c8
+vt74h+WFIXPknpBeKl1HcKUXTLJxQP5CDrZF/HzUaLYI1SaKv1jVm36gV2YZvuZQyim4vBgg
+V1/9K1EMgUW7GRnQoOpQP6zxFWnpPXPY3TDvdleaqeET3xET75mGgD0WIUreBaKjp+CJAhwE
+EAEIAAYFAkxv+OAACgkQnQteWx7sjw4tUw/9FgAffwwit35JdS4S0LQqmkmGXlMvfZEkfezj
+GH6ITG/YWri9QE0ktGJqyCbP9tnL3WCno8bs90tmrQyagjbp7EsADz8L36vbYrOU72mNHaeL
+qbJcCoztUSWAe9aPJ4ESwTXbXCkl8xE0fm1zTF0MLq3T40Qqw67oMTBygYqhb8zeY43bKOzZ
+f0fBLqFE8+LTZDEk00Ucc72M+W+J87rdiHUuJDFdAZbuAvBGT9p1YNkcqaRWSmgRddJ9nBTD
+a/Qe9IBnAXBblouKiVvSTGpcyAyGKJ9cPtaviCLRXk17rGli43AymorBdGPpliZmMtrInMm4
+FAhSoU3nwB6b8oI5gMh46Dze05PYkVVZylO4Vo2AILUkeo6tagy3t+BEFAmonnpluJKZkfcY
+/FvvoaT8oej2U13tXStA0FXMOJd9fGLruJ+yZnAFPrVHZWA3ziyO/u9iprB7ZjqrT1OM1Nob
+ZP7NwGxdqED3AYJAb3H97s4dMGAJO3WzGgHOfuZEMsH0/vIc3nWAkj9jsFcDxJ8uTVM6uy2R
+oIfBM3/XspyZvm2MBTuEJvwhXW7JTnxsUEpZ7aJQVJLT9Z8PPj7rPLJCkDQsdwBw+e0heTl+
+BspMqppnKw0mXmrRfnqGGxgLtlIRn8bNEp4K3AVuNP2iWp9rMSVPg0qLGSFgEH1DtoN2DsiJ
+AhwEEAEIAAYFAlWS7hEACgkQ66DGxxwAJW8VIhAAtBkHOqKPOA4A5MKAzWSIYAfX6FiUfFaI
+Edwqm5ZmxHItPQk+Ze8VN8jUEzzArrvGOZnctSZy7dMgT4WY+CNy3FUtg4WbmuvflcvCHlSr
+ontSVeFjxL8qhkBgUzaxqohesB899mszzDyaM0GMD7FKt4UisOV4K9VqhXKHBhcKi0foQKgx
++VMD35N4+SqgSUF4+td913DNxdxvF5BKICwp9edYv6NpP/u9DMqG3lceVCy+rR3VEGTsFGNa
+HpJI0Sny797FR3w4k18wKQGaGwUtdMz6GcmhnDxgiV2V1StLloK6wbAVA4YY3BfE4l7XmJZS
+bStlL54h9tffDi0Dj1oJkSKXMdnI8FdpQEvGTGP9ARUz7MCxwiRzcJfOpfxATt3793o6fMLU
+2dOzrCCl+09bgG5+wls8nda2RB2RE1EHksoaNyz4OGpq9seYGe0qhNLN+lvIJsv1BaZNdD0s
+CaF+xbUGCoYQgvOh3DCiZbg+Ao138YEQw9eKE+Xifi8M36IeBTdq7S1OcRCwaDMmVchLFT5X
+AHmFeO3L3zCO1C95WmNsFg04+4avHqgOp5MolLSrOEvKTnFW1Ebv2BJizs45d28VAI/JhgPx
+T0w69M9Jpybd+Cbg93fHTXclLAPyQWXzhlfDPmKhukhSsG5JXIt0gyBUsq6lUygyWZcewBwa
+uy2JAhwEEAEKAAYFAkxdthEACgkQXTKNCCqqsUB3ZA//S25k6cAkZpIddDahnJxDIon8VWhe
+JzGmOMfb+hMbQ0y7xeCKRdNBa5yw3LKttLugofqcrGV3V6lmE9jWz5hK2we+ZAdCo/wXUWuL
+FJQW8WKY7hmDBwxROJ4jgC0LTgeRZhYEvhKpCH/rtSQuymstcTJd+5jkEE2FU1AOsoAOsaPx
+1DAb+uqSv2VefP/TG4sZ2vg0fdEuJd1+SiuTTLLEAnsG2yQT9brcXDvXPOckawFAM1KOwk7S
+fkYekg0iSA4Ii9RlXOhpxNcW/zZf3WuS/wrCCVYoY6OgH/+rp8LkBG7hdeAfRsMjozqtBYUE
+JwPSvLfRnG76neTa0DSi1bigpOMvHDIeATuS/hR7UdmTkSMwZ8AvQBOaSRHobjQwjfDY7WYM
+kvErANQkevWiWA4WshsS/MpEKxiUe6SGlLVeJZfX1dy6Jmh1WzswqoQ9eXQXX8zBltPAfKFs
+KRmf+OpHT94qYZsMhqAXOd51joUtCBmqeuzvdp9KM+R8cmuoPVqmZ8ZMdMbD2dQUap5yVxw5
+yO3CfGMXGPGfvA/8fOav/3MwWXUL5Zqv/ZhdjpP/ZNEB4txLJk1rIg4kjKrZxz2PggbMcCGQ
+0uf3SBZa6qXPVT0KbMjzvRKao473eNX2OPqk+K2hIYuZTVhAcKKuvN8qQu+o003Kzw1SWlLj
+1zrwaX+JAhwEEAEKAAYFAkxeUcQACgkQORS1MvTfvpmBNg//eJFnqXakbedse6wPpmk56CxU
+47abeG6ZCu/0FTwhwnagYfGXUKGTCepVjI/wLpevVeoXDbYmrUOT9zxqIL2Xssp/wz3Qb+HX
+deft/drFmb4XMrdUGwi+N1nhvPCXjWOtyUrzuYXnpCz8e0vjSfn6RpJ6qdgTs3Psyca9kPPo
+1Zgx29sumQMx7b0hcmRbSxNOmm/vGCpJKb43sHsYN2ESMCNzazQtpbt/HZ/xA/HqJCfEiKJm
+GUQ5rboqvhpruhbUFnuLIpGRvLJqE3kRm2iq1XfnfjXqUVbX2aHxNXcNKa601Yla3HGisEAB
+ILGvCRa12hrmh43EPpwLCnTOIB3Sejndl+8waKd0smV7Ox0oT1nSo5MHl/VtVLJzPnCX+EfB
+bzOepXJ5HRRsX5sHOTPHjJTOUuQvzfKen5nAu6iKsQnawpwQvIN1C7/OtEhqDAjWFr+eqG49
+bqN9a+EKu53bnXqM46N0/kRWXJAsHKfllki9e0bRKV5rIH0grsCN8P8qq5003cp/owAyySX+
+Pu9jFs9Hw4nGmEkuZPYXkjg3wTYClaPjrmbKfWXgVl2BjW+N7xU1yJZaAJSpd8vqGtLK4qz4
+wk0CrGr59EHPeAE9fAxNg+oonDQ7YcuDnHkVY7LNpIGXQkChrv1YgBzzAN6CFBI8GgG3C5Gv
+bYCj+NsHFyaJAhwEEAEKAAYFAkxlr5QACgkQMiR/u0CtH6b0ZA//atTqqwPfQWupcXoA/doN
+nXnBZDHUePFkCBan7YHitR0kPBVPP10dRfyd9ShKs25+DgAFTr2JKKk4ofc8ib+2SB4rTPIf
+gvc1h3GgtI7CXzuwKdcHojmOYXQQsLaxcQDNqEJqS6oGh1oHd8DQJTn/OiARVUvxi6LkioOp
+eE0KAkUOfZfnROz5E7ox2ImvMNvhy6VcD6q2q4E4nuWXaSVw13/MqZ8lGHRhytdrVLvVndSK
+U9EP79Tm+nIRwgqeJ0CttcSESoKLngTAvHSwVpiMcO9rLfWqYZB6FmhEjCyPl7hV1e9jXf80
+PLDihKscVEroxww4nflbIFOPsKP12vXuQs7cQr3BFE9yCowLz0X961WM2V4Cc6o6txY1MzU7
+FY7mFrwIy9b/WNLBXJUB+dpnKzmY38ECLJQ+gTxahgumxaNe0wQclIrkrnGLszOrIgLyVAL6
+/qD2qUywoNb3WWOHg6fOabKfTF3zBdzSYPNRXbhWNxt05EXARXRwYR/mkwpAdT3TUgbGlOcU
+hNAqmtzEvT/Q/Cu0nPvwXnJ1Foix6S+zrFAM8gs6zeUc8Q3k0EQvi8m54jILnt5QqYFSGM40
+FLgryKBF9hjwcPN1Hu1Qij8Z3H9MllV6Df36YSgKN1XpG3Jy9ktJcHvQPgHYVmXNsmQlmQxE
+ei/ZYehdgLeU0Q+JAhwEEAEKAAYFAkxsD/QACgkQeFPaTUmIGtMxgw//TrRErKK8vl8VnvHO
+8TK8KAMFi/GaRM0RKze4nJp72CGSrY5/bg2jAlS0hEKmSirlbLD8+U5/wWa5SrQT36AcyXYm
+I3weWgzNSvbCS3N1WnefhlUhkaC1PRMX3AI7EqwyTUX7o8Q8A/HVTgbgHnIKxO1y1EhcfY1I
+WEvA1wTR29928n63dmy03rKB2cJvQupGd/xRPXBx55h79NlLOJOadlYsUrk3B+RWBZHsn7xp
+wWXn+38fwuIFs7DJye3Eh1ceDootTd6wlI7Km8Nh0+bCCVbeInxp3THavrz1ohGhQ8O6AmPx
+wX7TN2EakX5mrwePFgHasLpgciOVRpDsaoQPF7taQg+d7knrrgbD9Xf6JkDl9/sxnlZ//t72
+eQR3X+CGQFmfhl5rw+h28FkPxrFO+n6nk6opm1z1n8FFjQnTzFxp2taqVs3s58ondUiPWb2p
+E8HOHQX9b4iYY5x6hrZehkSwoJOlwGssiJZSa9eCWs+yvJoJOG8yHunh48o91gY7kaqxGT9o
+K+2MzW/uwh7ztZ/ElJj4Vg4XTOqHgSDmUKZjA6e8Z1xuXoVT7D7axP0NvgIj1jjeCD1ncQsf
+Ay6tynZm/+Mz/PLwfe9uYGt5ZncwY9aKZRr8a9sUnaaIjeq7ywugKfQyxr1v4sjcQqELKfsM
+NLrvOMjw2eLg+3UC9p6JAiIEEAEKAAwFAkxi3T4FgwlmAYAACgkQzNLtlNIXOemGQhAAo5Zp
+Oa83tEIyfPOcj7HkQPTutAs8H+kgxzPMLYFhXSYKLPMsoH1TGMFC1JH6PjrzRdk6g7jmoUEK
+2F6EL5QpFFKFNVWahRWY49F67jryslVdeZKvFMEY0qjqsJ9nEBIZW8wJ/7BNvYmZxBlWq7PU
+0SKbbGNVexMagwctygY+mdnknS6vI3aom/yFByVcVXIdF52GJiAWA9nIx/poKS0ecCd4UuZr
+eQd+d+x/z4Bww5E62k2mB9d+VDik1kjzL7bXfPV3+bWoyBmfl9zEYgNnQ3ICurKztkRmu1/k
+1+68wHfU/0MR/1nJ9DkEfBi9Z7T3shtCiU+993wSHPeKgurkQwn+wzkthCNRNs3kOwee5Whs
+/zD/dyZgH+lrJDHmW6C8zaa/K6Om9+AacXLId1xjQpmmkO83Tkf9qQvtC/UlocllGxHo3hAJ
+dfxONF/jwY6Zs8NvRWPuswTEQOLCLeww5AhVfapOLBhcG7xZEye6VLArPNq4OsD2b8NyCd39
+GxtBdxR6/8OQbGoEmrYf7aGS+ga6oygj/+ut1M6w4YkQCbLd+OjL2ZUG85tALP/1KdCp1pTg
+YW/TmF0BeT7ICa/MmZeYyO0DUKqvsbH7Dyk0aiYgu+Gm3ob6JNC7MGadUkWIyjLUHkPNmnXV
+rGT4KAkRtX+cQl/R+rR+ewB6RErUtCmJAjcEEwEIACECGwMCHgECF4AFAkoHaOQFCwkIBwMF
+FQoJCAsFFgIDAQAACgkQRJdSeLhhK13PHBAAiyiTX8GMp3CgLyIiieHJnBIQS5fxBICbsSrO
+j8OHWnNAVwkiRbtXZQ2g4D4NvyGBuPN2hskjuGOj7aCsqpE4Ln23RfBTAI3fF3JgMGwkqWh3
+9a7Sjnw8DwxqaHB3zfs2AvPnolSUNyzc45VslNsE2j359UmvwZAGpqN0A1GfobFMWjmt3QoD
+q58C8EyFOWx/Mzcl0qUrvGRbQjQ8najAYugpBjdRZ0MzGfro/pmoETJnTgrZimHNXvDtSTmZ
+HTVYYbxj/99Iw5DeYschcK0yvbPFXGo12ndRrEs270LpOMmBpdBaW8bCj2uzATQLZbuaM/je
+py3bzEFcCHUMkF+ekIf9zp6IUkSc2B3kkbQmVJKxOeiKWzCXvuu6pU1nRqrG/565CRkwWWol
+p4TvlktQgHSZ6CoIxzDnYRE0eiGpsLxA10nE9VrUCjME5a+AYLQxj7ztDdDfb5r9Lq+1/bUN
+gtiiQ0fbaNVXXe14+daezFw0sCGB14MWSPQz62rkG6piKB4ZMilRijiicWg/k/Rvlbi+QzH3
+PGhqaVOV0JpCTfh3rolf54x3JN3bdlW8wcev0DLPJOAuhv8nXoBBdilH999RH0lGv1NzbAIy
+7goaG+XOe/fmxiZwhUQhmTdfFnXEtR8UL9/7+dv9nfVY+kIZIdSN+Sa5+pGs7bik8dfi1xy0
+IkdyZWdvcnkgQ29scGFydCA8cmVnQGdjb2xwYXJ0LmNvbT6IRgQQEQIABgUCTGvvxQAKCRDV
+ypsE8sQjvNDlAKC18LdtboThQEnkx1lTvZZSZfApWgCfdj0UAdJxB9OLNqm3L8ukPYl8DW6I
+RgQQEQIABgUCUJ/lDwAKCRBw814kbVMecylQAKCzW0oYdLbYjN2+VkMFlr9WWoeWugCfTyfX
+Czqy8U9NJX0KMsEsVBmwB7yIRgQQEQgABgUCSgdx3wAKCRAyF1wNwQJ6DvPzAKCBblkNp8NA
+k+lQwKAeqyjGAr+kawCfXlAQCvjXpRb6fYYu9X0S4r3gdfiIRgQQEQgABgUCTFxxIAAKCRDh
+VRfyKwkgwGBWAKCXP+R5VvROrrh366WPoeX552dN6QCbB8aK562QKVhd4OGwbqhHAJzpE7KI
+RgQQEQgABgUCTF0/KwAKCRDU5e2swBQ9LSl6AKCpl0Sd/zaVE+rXCmCg9lF4Z/DyJACfVE+x
+FXdayyRPKh6cy6g1x+KeMQCIRgQQEQgABgUCTF80oAAKCRD5heNACvx0dlAxAJ9JA62AWyTp
+1xpVLyxGchSp7G1I3ACeIJGHywtqpfbJfG6YiFjt2C5uVVeIRgQQEQgABgUCTGdMoQAKCRCf
+ePg86MQ0YfqTAJ9hOim0VRfs5+pf6rsMNStUWZXksACeODXRe1BY90f2o28VOFpxoDQMhZmI
+RgQQEQoABgUCTF5RwgAKCRDaGWI3Ajs/T8IZAKDCaii1ecrI+HP8NT7zero94/RE5QCdH9zl
+k7ui4NR8EuEegYPvqFw7cI+JARwEEwEIAAYFAkrbZ3sACgkQLQ1auHwlPVLxQgf/Y5PQaqBd
+FXEs9QkD2Ei7WaD1AZkGwpICpVmV1kA724sJ0uXgLavd1E9NtjhMVKWYwdjEl2556oZL2i/H
+XfRz+VgRcysjLM/ICcGDxy6OygziguJRpwBWk0xMowNgWFGIDvTt+Hlc7f5UnBrSE4hGmWHQ
+9Vxc4qFiADKL5IuiLssYgJY31xkwSyWcEnUe8WolOb4BOX7SLuuTIO6u/Ud+Zh+N3o2amWBn
+3l/OBfi2lM/TTrjFEiJ0KOfyutiGV6a6/SkfGKBzhgdzWj4M8vIMthxFAapU++3WXF7qNQAX
+f50EN2TKXKHgmidfpWFqmbPhIkEaoheUYYOCaiaXY/IKgIkBnAQQAQgABgUCTHaO6AAKCRAi
+OuBVvZThVI98DACKydotmw0GE4sNu7CHhGMZJqvSu2MSMK7IyjoShr/JU9PO9yXEB6TQpfLw
+E5b9bso87SouahOJV+bYvBaLx7JTT0awNSMRxlGnf4il8F0FOcl3RgXpgv14YxXxs8KJHLV4
+GhHRwVxzJu8hdNltsTJ7JjJQS3kUYjBpIfJlyp4yNvZvUeRQJWTs1l31CkPwU6fXP6pxCP7s
+loh/zL1zVGY2q0GrTkFlrCJIxceiPNll44Rl4PrIMTmBQHVipToRinsrFbyD5QTAjiorVol2
+il078fK2IeavCxtRUR6jTiHx4/IWqt+kPycq11EK4bFMKQIAJeF0aBoAX4fWOoSPIFWI/Nz4
+m+EecHCk5frctfxNV6VAB5Lf4XwjEho9HFZwqmSQ9snMi3zrEZnhnrCJ1/Gs/ALt9vu0Z6d2
+ZoLFgxW2hdOyaXrE54rMKillYoTLZ5d8+uTQVoN8XFz5SliSNb1tu1//i8U9Y1tpSUUTD87G
+SuNV6q49gYSeDqZ54EZEiHeJAZwEEwECAAYFAlIqSIMACgkQ73Pm2lg2uBpHzAv/dOSlPdQx
+6o4MrM1lB6imRf4KPTmjkIwnO4N5iFrsZch+BNJ64PdGukhuAi1EXY7LBJlXRO9BPxdJI6IF
+R91ELvM5VzNzZDdwZVPDV8wJwkpBTQTgNJXCjETePf6adpQ1ORMm6Kg40WIH67BLBN993Bfz
+dQbskas89BxmEdqaz1eGDaBTHO2N39jOG4vTNouatsTsUlDxCxNW/razg0uLgMPpL8dJpZ0B
+4cCi7z/+r+OYrV2DQlJo6Cc/vieROA2ElFa3p9unYRcuY4Mcn6Hl4gA3QnuQDsn00GPDTqBG
+OEvhjcrHghhB0WzxAu+lc6te4vOTS0OCVTWMNU/ROaG7x8vQSFqaNWxEigkVlRDofxsyGQw7
+CxNS1mwsYAc2kbA84N4OxMZ4sHkLnheoVjUYaXz3JmLMnlA0AerkZVQRfzm/+rlEwLW79G1G
+tsVaRP0WmG9/nNZXAr2wfD8menJAIV1lB/pCSkNlHmEM4uGFAb1lA/EENQS8sz8NvvdvLNYs
+iQIcBBABAgAGBQJMXHGfAAoJEPGmm+QpwP/ujggP/1V5FTQ8rwB8uw4u7Zg5EEta/aM4E8Pb
+idUJ8KDr6p5Zad+hGWCPKT3nloPbN3iaYXblmxDuAYhHl1neH96tWYU6vygmiR2Xo53y06tY
+EKQbdIF3+pfOCSFh9NnFlAqw72cMWsL0VqSoZL+SgY4IojwupFWPNIJbB0JaOSW21kFf6/U1
+juAbtat4J8+l4j8mNgWCUeHBENN78lYD506VIuuJRlsWiUBhH0unzY33A1BoJwyXo0TmL3wd
+0g2JIGT5sJmpeMkMlKminVjZCcY7AzoTS60QrCj2FCGBtfbUOH9OQvBojWOPz7ALmKj/aOl7
+3UtGnvlscJPeilteNQFWEib1e85ufAG0Ry1AEDtR0GsdARJhqiG6jRn3v0lBxfG2dVWbHrFq
+a5FkUm73c9r+xjDC5NquWhd4GHyG3IgVPMvkw8sciL33o9A/XhNdjQiZmpok77nswvbuNOEX
+diQVnHcylh7bNaoXR6+3R8FVA/TThpW2EjxIg9TwAPfJFKWV0SWfyJSOZLFOiEYDEqBI190j
+3WSJNV+p0+lN8CDu8jFHxehsTGOAALCSQq0mZTKJJh0GH7d2YD5BV9isUvsfne52GLx/xmoJ
++cKJfszaWq2FoMhIPD/tnVYA/LPodylTRC6/8C0WIMR0eAaF+ByCoU7aEMWJDEJfX2MoyQHa
+fBV8iQIcBBABAgAGBQJMYCuLAAoJEB51mnJqn910WK8QAOJQVb/ihBQC0IsBpJwKyOH5B/XI
+jwE6BeErvO0rnmcYTr57AXwKNYxOvtIV8uS8gFzfaZJM4YHsF5BNToT3l2UIrWGK+O5nUL7S
+UM32plf7QPI/NSfyCtBxKWfXgbFQ8X/oNdwq7HMzCtRqZDoYv5btUajFsTP8gykqXqH9Ry4G
+hCFmnP0UNUWwTq4D2/bImt+iOOw4C7MXyROQ8aZd69aUsAln340L7rXz/yGTGvabdLXKuVDE
+QJtiZ1m/bewAw3A7zw3mKtMAA8Em8EJuTfmFvVQEpBBdacjwIn+ZpSzuY11arLIWNp78Yegp
+mFsuCANZDr/V33Xxo2Bb+4cbuOzSlXw+mOx1WYo1Fkj5Ga2IGkTbijqByIPwnCB03T/3nG/u
+hde1SS9YGGNL17Z2qDOlNtufKsbfPJf9xtiEN1vJ2cbOEDD+WbC2nvJQju4t4WaX06Kyok6b
+HPqupuGSOaa9VMYk6TzPAOG9hzcD8SBjO6S59z/qtGNqKZOcTWpeXWI/4qdvWtAPmafB4fVt
+2XS+vOwn1c4gNQFK+nCatlYywfuKxoQqGC+i/ld8wuniugtOjX4XbK2HzvuKMuCo0z6x/7Nx
+pOJAOf1jgWuQWruIt5VEULh56mhglEV1vL93aCUxOE7kKAcas7Ojbve/EQruWlFbzxJW6VgE
+1ncxHX5yiQIcBBABAgAGBQJMYDc4AAoJENeITEcY4Y9ExdYQANMHDBB1HSdVXEmkfVjMgW5O
+BF0AphUt1r9ptI6NvzcuJ5lFTIXHDa263UBRpHb65EgaHYqKC5LKLSXmUoKXcTU9fBLWFRYG
+N11qVpdoO1WSD7R7U7ZDbix76ujLCfOtPlqrh0TzHEzE3U22X3hxL+rHjDbvrLQuEhKbVYaB
+WaY1THCJjB4SA4YcWOXUNNA1i+baXlDw2XKqZrEriv+zARTxlF1GzpXBoh9ymH9TsyPg1dg9
+BbzzGy6r99LMMHmt/kB8BrOX6BfnzeLwSmg4VZ/aUWSAKK2cxbvmQFA5HkuFJ2sUc2VXmuPR
+DRY+vurz9PHMF5WZI8ait4/2m+W4zvsYZdgOPPkGr63+DVKssczpZWSq4zX5Ykmd9e+bsCUn
+E9jAI0iH4P4SKyFt1IkRWMAaUxQjN2v5/CIyydaavQGKM7AB0CjZL2835LwqiboOmptxzuWJ
+5HJM5JSqr1HMHP8vokNKcbrU0taV9IuTuBjPl198TR1vxPhHYcACIt6TP4wr1ApAsax3yoDd
+T/KrmCaczIeX6BmFFqXjDM/azhpQKIyFGgbDzrRAQ/CatG8Vy1baA5uJIsmiLxc7imwtUf5r
+uJOlXSi72uQd9eBx55mlt+zNHbrxULPYBIL4zOe3g1SXb0leZsvPjVAWcj21AgH2QJx1IoV0
+POwfFLEVCjTxiQIcBBABAgAGBQJMZY8YAAoJEBPAtWZ6OLCw8NEQALA9UfSTm/Zqc2pJn+nN
+q4sfhPUhYlTUxE1D49FzF4GmUHDYzMlU8VVZub5LahrITDINOIidmf49wXc3BcjcEKCUjND2
+aL/0JMtyMMORH+3g/Vz8HvktL3EnOiTw+Z9p1GNbEROI195VIWwNRjU/EYv78ErcrQ99MzJu
+O5yz+Qibp6JUSIzMGVTAiGIPzdJvnbd9JQXfg+fhanWKIIzj0dqNmH7tqYuld0K1nD/5cf5j
+o8Gc2L8GQgIStjUF5OwkElnO45iSYz4rgw2PfHVQBX8GsLBGRhKcxUK9psNBHIP0eWUk7sTG
+4/cbLgkQow+u0ryitmu+IJ/Q79NUiRNrw6a0rf2FUY3Nh/AbVqLVdQChKrxGtDQuJtpwh+uV
+RYTmc1rPmyPbsWj6xmgfvkLgX14E+5EPx8H1wyRsRpBPEW+Wb397I5eEt+gCEjfjrCprD/xX
+eNSRMdOT9NVG1HJ3wmeTEddkpbDNhtY09ydMzS1O3auJReh0L7ZRn8gPmnXk4EPamDNzY8N2
+OVByXKEPhb3bHD9RCHEaSe02BDcR1nbpbVAX3onquvK4ejZMuZIXXktbBcnqHz+zbRGRyoQO
+Jsgh6bv3qun3fer12w22PJ8Q8ifhAmcS+Lhadvq4hskVprr5tRmvxHRKPgZF0ZqGOmqvikyV
+YhFvZabdkKACAYCZiQIcBBABAgAGBQJMZsf4AAoJEBwB9EPJyTxaJbQP/1OgrWHtcJ39T7gf
+wh+3lbFvmcQ4ggc45PfnM7jM+OZbkPZOMnTmXgDXIz+0SKbPUVH86XPbeZAXHXavtIFvqbPC
+yC284oQeG0gzwS5yxygry5jj0fZmw2W0MfSQWEuUkj4HBkqEhgXGmbsYhCbbN6+O8XvBvIvY
+EIYO5a7wSzi/21NPuG3hcGMFV2yzr6p2FtvXfO5biWGcf0yvkj0YeBzaCwdty4F+1qGAIHcH
+oPhXCEggJKZtOYVZmsHz6/6RYghmRaSoGoG7Jj9+6udgZCycn6EKPVTE+p3tMiHxJzviEFRD
+Ov6iNBC55cFhSbMplkW7fH/M6rkW/e6+1zhxP1K11gwNTtoMJelrePLRpf/w12lNJl9jhe6h
+fw07mluEogjhXLVOQWSFjz3Y1Tfb0ez53ev/ooucvk9XT/svl2UM/K6RqyWYl1A8KCp5OgW5
+nXzRZ6fc4Ht9OY0sxMNLTLZ3enwrVa857n2VrnOgRTe8bFqNSMcR39QMAD6h9qmJR7cNbFKn
+IyQQiOtKCDFbZ7wyMroepw8wNLXPlvtMvS2zSBmMC/gJsdZVHK0u3O1Rpp1Jhq/qsve7D/fE
+NhHih8FBKPH1YXUOILdR0zDkyBUdXHBUpZlcRovaznkigKX6LL7f2SbXZo/jO0L1FHDhYQs7
+kl7OmWIXh8XW4m0ocB3IiQIcBBABAgAGBQJMduUKAAoJEK8ig6p24qx7z1gP/3wRRaEX7n5p
+oZUnpEcNy3ZRQPAfVAAX07aBSnTuHzuphX0smAfJu5fqEuYP1XzBUV/WSxuQ6nGtFoVSLEpg
+W3EX+KgLUGEv7Y4NI9LUNd47CNcZ3Fo26hQ1ur66c0asuLjseHbHl1aYwRgOarMy3X8JO1b8
+x3z9edPan11kBIeLpjlBnnScZVB9EB2ezptxaXvyvyq/+SAfRMnGKKO6qx5vG9uK2g7GOPJk
+dzS5LGeguixNjh7pN1ewiSHO/AqPyywVGYiYB9dnVWT0RwCZMXs3YmytZHfc58EpmKDoI19W
+MFA4Hsdgwp9ucXJMfZZ1Xw0i02fJQKs911aw0dF/hVjHSOQfVAiNvBFn8u5l4hgFG3JkZ6Yl
+rktrC6HThK3mo+KUNlynB70xSLXwxIHYkQUTxGr0HqZgRQJL03pPqk2Y+Lx4ndu4g0YwnInv
+1arb5Yfg/y4IJ6GDY6W6gvPP4wUrxue1w6BwqRwO0rD0vRMJtJqzoIRNCE8aqtQP96OmH5iy
+xAQo39Mvz5cntzaNMV9LOm7RgSaBvt/hLwxfhG2KX6Fca8hAXo0Q9dg5FbHSyLxF0mSZTRpO
+NPFzMz5zc2yUpjW3Holt9+5n9pzi8EUVwfNnFzijagzbL9bwuyc37M9wnPp5x2wLx3MF2o/3
+fNzpyo5Lh+IH7efZcG4XnUsYiQIcBBABAgAGBQJVcaVQAAoJENqCgw48zDo65e0P/2RDhlCL
+zEUuut3KmGhBmPbiTX7CnpwFhatNFIb+C1EJ2giPmmrwn0O25ED8dJFC0GhZrwNatuRzSefI
+yc75hGrTr/BFqRLAOD4xfMqOE5U4+z0frVTyuxB9Gdr31EmZ9miykKnfzcz1YY4MpQtzQOWj
+SiYFgjofwcpI+b5MjnqG3T8q1PzONnvvx7BrXt0lRNqL5MyByaV51CPbENyhWeJMu5tX3hAR
+rsuWoBP3kw6Df/ij5I71EfO4vD8C8F6AKWt8mBjyOfIpDmHkxNU0HYrmOnxzqXGqHTu+II83
+vgJOurjZ7TnqEe9jB4XMNF7w6+SPL6u3bNfzH0KPpEjzBV7jQKFUhllkRbcf2PeLnmzex3+U
+pEJjS5HLOkJt3B8wyANnZB358921snsv4LVJmgx1aVpeYWNo8vRgzKRMZT5Qk3ckXmuzHN3O
+FGKwLJnHmnha6rXG0ShlYjNY2wJjfmwaed4wU9k7T73tFbzoWJ1NXP37iQuEnOINVbNCQdfK
+cvL/82Q3LcpiapN1E/QYdfYjNju9NVpnSFICDEEYOfvodDlxbEQegZdd8zVHayYQJuc62sUd
+zPvMYLvQTq+x5tk1vJD+VSJ1sAbVZ3gzAANyMyYQ4670RK9H8z4ygxa09lAunkcJ3cUHRFat
+JyRM/u5NYxmCxxL5l0/UqOJg775tiQIcBBABCAAGBQJMXHEzAAoJEPEUCEwIYRERgesP/1xd
+2SPeYmC5X4OpUDsbqQoe79ojCbmd+2CoFHm+GM0WbtJHFi3BEJcVW//QNQJRSE5dKXCHtIDb
+jDhzlTKYT4q0f0p25mWMJFOXqb8sNiorXXdDz7k7GwrRZFsi/XlyiIrCwVHwLpyDGkY5IPBz
+p5JMXuxViM/TYn9BIX58rP7eVwAcazSBIs+QpAvUi4pfxNdPhrHh3Pczllxg6DamsEPBZsjM
+fz7pJxiddkJgAlDpIa8C3ZX4HdMnoPZhMh3JHxry4CIceMC8BOuX4c3GyXuFkKTMJSlRViKG
+57WyN7eQe17UZni23QLifLYD7V1r4cY7cWj1s/qsGtLsvtuVL2brOvHeHVEE7s6dWpQea6lo
+jLtlWjNXvb7WQ6XNFqpal5x7MG95QbBKWGHfifhVt7WrDSW6kbouXYYEgRhSZBkPPjSZXTEv
+54YkBVwCsb9fykKLOTy+wyJ5Ttj1kxtrMWsaofhDYOo9OtywwKL4AnfBMhE3NcrZ5Yf5MHHx
+NK/A95j9p8/HY1dKSHNDRub7PMM73Xp0fc/6cCyl9sTM9SFymKvvcMFChRcy1ZF9kVkXP3w4
+ZzoJz2YSTK4zIRY/Qqc+Z+BhX/rRuhwiILuCH9hXhhvBx9rKBxxKcTw1Gl5hZ8nP2CGXNkAV
+qSXL/0H8hschAtxw203KMvqbpSq7bYkniQIcBBABCAAGBQJMXT8zAAoJEIcvcCxNbiWo+oQP
+/2mKGGHKVA63SdyOkyAaz+mV2y9jIw+0hf2D6eoQ/OJ2l6vQqc4atQ9NsMBH5SKo+kPLhfof
+NcO6axy4ngb27YK1czUS0oyF+Vv618k+1WePw4Kh4afVZGrGsHBiv8DcKbeAoEn3gVORu5UY
+ElINIsW9ZIuIypyFXhV/zf30zR8MOd1uuJjif4ac7V+n+O0GpBgzCkKZoCdO7NJ3QH7RmpJ/
+TYAug0UMY9YvU1P2ffTvZuHxdY8adJGnieFnsLrO7yYHlva6Y2T47m0QwM6BXe673hj45H7s
+rZpbvNIEyRiXpucEm7YBCboiA8vBTjXOo8D27Aa5MoZUHF+znB9gRKWKUnkCyCT409yo8qJI
+5uSm5LWOa3Dsje3jlzfQh0BVLbq2f/g/kgm06Sb8jWzLYHUvA/+K774sOQu2gSG0FkV8BQJc
+M9RMdImzIMpNpV9JYOWZCzVbTe2ZzzZuNXQJFG7reuZ8SoB8JyrLEqNbfzJ4G+pNbXZbrSA3
+ybMgkaIvt5xDujQSwH/we/V3W296WHmVbU1U1W6lfW43KbOXriCrLl/j6qiy9ln/gkVc/Amx
+Mh2RC5bKOCTRJ2TgPms2+a4tSpOrqapcpa0OnZJJTG/sifz9/3eDGPTKoVkN1fYZqTp+0s8m
+NohYO6YMJsuqkYNr7UAHOTE1p8nhrq4RQlaIiQIcBBABCAAGBQJMXUTaAAoJEFOUR53TUkxR
+rf4P/jp1G3yjSGwglzqEbvu4rzO6LrC8ZqnxOSWjKd8xN/CIje6naB5P3gRFLphJaDUgnlpx
+nQYODkDZlMPsSmUY6+GrM+XDPIEnw2Yp2Vb6OVTSeDzgpjgNsdKptNGR2ENFpC5ReAKEKAUy
+7bLcraD04IV35hnuHNevjq86VO+Dev/SQ2NJf0NrOuC3iW2YA5SEXcJYGp1vXAZjRUprOnxK
+n/e04kTTA4b3cKzoEo/bQqk7C+7fLG1vHziDDPszsZ09G7eAhnhZmFVTk/jvBxJ9ra56Bo8l
+ArknJ7A/LHvGe2SEd9MVcoKIHGpM3IPhJldZiXNeyz/HuUA+xKAY2Ox+p0vDlKUAF/koME7u
+2wwx4ncMnRdbVOGNGDJTJhJGWk3VIUsicbQQ8M+wKnkJmLNI0ZGWdoNADdIR/xSIhL8bUaVu
+PC8amQwK3VD7iNRcbNnIw0+Xbzev892lbBvav1Y/V6G9lBeS4KrLu1s5h+cmCq84RlW3xCzY
+B3yZhWUeojvuplyNKPApJwkjWXGC1LK6VldZzYksXMb+9JxtoE6A/9F++NKqEmDilKl15YFV
+Dy/beTjoSK1+6T6RrTKOPt6kFu2460PTa9KOqjpQ60hxOn/YpyAeEK/MtRuBjAT+wBCIX+NY
+UIxHNX3mcl35l6Gb1nYtL4CxBG4h557CGM4s65IJiQIcBBABCAAGBQJMXyNnAAoJEHqPSei2
+NIC+Za4P+gLihkZlHwFEM0pNSR9GoL6OsaEnsUebefwcLSrX10Ee+5mpODki11Sf1flIWJ7J
+I+2Gj7U2NtFFXBvzNCUDN30Xb+QJBSU+pgJERtXThl8hKYuot79wg7FclsIo9P/NEQ60/tji
+2iSQ/w12NIApczn6FmX/xVaKafJyf/QRnI0mxQvd5w7JEoeIKvaUVjt5Zz9fUhTiM/9kDCv7
+E4a+PuVP7nyQdSCoduhFYQwLf+727mxtdLjK5OHXl1jYx5tcFdTyumZpB7bG/R6U2wb55kxd
+iAltk4U+59p7NG7JSu5Lnexq+p5/281vVH33PrIINuZUhmpPovFNeDz6lFqEICQvaiS2STte
+/BY6yBwIDx/1nUhiBF3yUU1TOQrtQUfRjox4QRj1g8YpGspsUXagBltN04l4tev6Hw8tCn7A
+/f/RkdQ/7U6N24ZP3BdBx1R9nKvksE+C+v5QwlqpufU8Zaj1YpmPBn/yfSzSCvd9cE8pa4zO
+KujACMEsPh0c/BDoiWsmxKLTzOoeKGwl15x6x1Y1yTKOLD0wXXvEM0TVF3x3RJgvpdnvonN6
+c7URWq31zKcISwLOKCK1c0UK7hyD8zFISiPChiUUdGicZ1Jo0me+xp7R9b2QQnwVj4kO94gY
+maw/3ouaDqOrU80N5pVC5vC8XSp/iGAY8wR0fc0qsPY6iQIcBBABCAAGBQJMXzSvAAoJENFd
+MTiCAEFz+XAQAJo4XauT6qsxxS3i4ADlzeesoE5g+QPzg5mpVP8NA+kEXqLuvW7ZZjDzMClh
+bpnhT9L6lgMdKOzODa8PzMMe8lMlQtGQsfby9Jy7c15wFwO3YLr0OesnS0gGMV0cxpu7XVmZ
+ROPqOn1eVk25eaZHO3dHrc4ve2OMP3ZG+df3+kwQpiMgrl5x+9UHOWfqEtyT590yzofK3FCj
+qHZwMUt2pYeCksErljI2hmrKDqp1zVcjE7OoQwc6M14i2HvhYwAtvEJTuqyIjFZL/XzGS4La
+2q43fiLlAJalwlvIBEtRH7E5qWJEiS8gs47+Qcwigw16RhVp0FxhD7kT1vHrCoqwMFh5ULQB
+fEYVQVbfVaXU9vL61LOvPfnE7QVCMnREwzCyYlD+FonI/LK1pqbzXgEJjh48rXEVuzic1G3Z
+zipxiAbJNattO5aWuQjlEQv1ykWGIwh5Fa+LEQ6Idcxi32CsD7FFCYI4dg9GpZwM0NjJYrYN
+sN+Nl8/o96LBGzCsminV+M+jXyGN7S08DoEyuuoAwmiY/48lAQJQChMH+M0M/UthALdcTooe
+epFC3AiHiIaKUouRyqo60vNbAixbv1olxZpu12KlgCAg/ra9VcYjvt48msQTtmDQLz8/aY2L
+eoFLm4L4NMqIQ5Dxywqen1MTKkk6GIx+7pAJH5Z3izmQJEYpiQIcBBABCAAGBQJMYe5MAAoJ
+EHA3PPEpDbnOyQgQAJcCcEi6GZBjFHjNE3N2iLVUMItWSEdx93NabuJi7FpuhorwaJphZiYY
+3ehgSa4t0/gNzkRkscCmbzjAr/auQsS+iSpINgCKUJ+dwOO7t03owH7ARXb4gmWY58poL+J5
+ZgkqDok7ZtW09G+OenTaAccIpmb1IaGHDASwZ74EuH5M2P3iP42h7Q7Slhxer1GVloLD4SPs
+8W/3Rslwh+/ccYfweNC3gLvU1q50bj6kvO6OWemcI1NAWtxEDTGjsS+BsXBPlYQRF3tqtoQF
+Ht3xUKlGjHBO0DYymOMAlQzXfW7uqUYenrOXmOV048rqZxRtSdQwlXUHyaGIuyCRWqzzqYip
+ArtquhHSSKedxe5wltdqeB9G/D/zwHR1fz4VFkECxRp0rWnnOnWJEp6+uxYPiIV/36qB7X9d
+NFxlt0Vu3vZZiXgo9RMLjdQdYuBBJrshlwKkOlYPDzpYjHWmXJjKUIhDTqD5Kr2CTw3TrRyu
+mHevt0nbqlnzoHd935ZssJdbYGDC+F9aUfcyzwJN+CH34zKz5gtteGP48DewptBF61Dyl0Pa
+rHthrkwMqdZBA6cHE4lGpvrGh3GXASqf/rtAHwLM4brOhtH/LYYjvO81wThRmtjyjmSsokSl
+0p496fHxPDuGr7kbBDMtdfVdty8zJ8IaWI11wTYExu/6VgY9dlhuiQIcBBABCAAGBQJMYfU5
+AAoJEHcx/Mxj5OJ3X+MQAIdfUJP5Pmxv6T+yNRYSZ44Kx6cJJVvPtWkV+h5gx2sY/uTAS4/y
+oiBrtnxilEr1D3MbWyElI6jZPlDXxl/Jx42kEEur5BkVOFmAmAJYRork7qCds2RAWGnhqlNH
+vuMIz1/PfJlcB2hS5qo+JZLxTFk4ltOTUT6W8ENacKzcpzWGeQvqG/dY8H8FL2hnvNLiGITY
+XZY6hWGvW5Ti5xzIBXj7QN1C3WZAmxTOt9C/t6PHHktfC+MNGN9zQEBAn9MLkE80oSwEX38q
+/ukX1RpXCUTZmxIbXOaLc6deaTcxjJbBOX+YE1dSXrg3KxhXg1IUsMVBhQx96p+yhTUwznfE
+F3pZQiWZhVP9/qGa56tR6pejRM8nfgZaLNcT7nVibIk/7Js+fXRYp5nWUKf3f0BoymQss9MU
+cQLFs2Dm/l6iX1gFUgqoiOVIAX8DRc7MfJ+UTlHBOMGDKVok9nVsZegQYe6P/C88vfFlI1Qy
+fV4KAdAb4YwD2HatpcjDcX5TRX49mD+pmK0bx4+L3toRG6W3OPvTcsaubE9peNfjwS5L6CF/
+M0Fq6IhIUobcDRjmUNtiXk77WmI0ZM1RiaaknHHCHXGQgS+QPd82Htox2ndOwP0ScgbqlL4D
+LT3ZJqRJVWgnWK/n2BrctT63KFAZa68Epm4v0GZtTjpJpL1DYnUd/J6OiQIcBBABCAAGBQJM
+Yt5PAAoJEHfG+0Pj0wgkbVQP/1NGXS+oar0Y3GuQZ+HwYq4t7Sh8CbCIZlei01oDcC95Fl65
+HtTZJcd8RTPCkTilZV4orC+gHppLVGi2GQdSJ6C4whlnliwDtgU6uJ9uuP6EKTsGh1jAoTlq
+eSDx1n8/F4JG6A1xVOekZ8NzTIfpfdFlAYANe+z674ZrRPi6tL5euQ9/iJpi//bZJMVvmttM
+2QJ+XxNn/CrGKGZbA1PjBYYol3s7DjZLhR3IhgK/rvmVCo+0waZzPqI0CD/axU2OXT8B4lIG
+WvDcccX/8p1tzIjlXNNsDV804c+VtUVX3jZMISmVMWLfkShhnUEhfwi5CUNtctL1SPlqwvbK
+q3bxZjol/OFu2KbW1IjhZ2dJ2e1hQ1V8jUjSYQ4xdDDwzS/Z6EWWn7cLycAR8xF4CQd92hCx
+o5AIgkQGG1R6iraztY5H/fdhXjzySby6q9Zvfa+rw0GkXpJzffKwrjZu27+QCqvNGX/3b1f2
+s0eZ3EkFam9cMD3df8PCPU7Wt/IN8Sxv7JQqkb6StQF3NjI/lnFLcb7qf4dhZItGZBbkWfwj
+M2PMEIbCl66bi8XqviJUUskn2XWfhaodv13VyXGeGzVEw4+N4auDM1w3WZ5SnSXWrFazIXCw
+IBWYFSyHlKawy+Rd3I9ueYyA7PqgwdczNxTwILXhB0+pBd0Z9FMxjL85C1N7iQIcBBABCAAG
+BQJMZ04vAAoJELNGT4lqoVlI9tEP/0yGcqKoQuNUIsuMasD3zVuh5j77i4wo/FCqQvMQIlzd
+PWl+gC9W0xDA7vILOcqZEErIi4PPGwqpQYGUgh9KynP4HQau+43qe2BrvdauFCIJPsmuwfER
+OwrgdSkKyvdXA08WG77v0a1V+u6nsnmbXg5/xZZdwCAKt+kILPVemxeIy+f1AAHj2zLnDGfy
+0JE1jN4w+JZrhdWtsYXWMnfRFQQqPbnVqi5BkFDeRalBn0R4mLTCCOZn/fGodA7EdmRL1dLN
+X9FbnfD8AWMDEPMDZ/h8HdK7dD16XxW7i5o6ZbVvftyf/yaF+bhtOyTHabkdSlMJXHzl5mnW
+mH8NVlTTQt05SJ86NhOjr98dhSvcQOxFT/fVajDcXAQbdKnylAWHEjnejGgt9QwpM99l/Mp4
+8j2rLgqfexF54y53km5ssTub3QJ19FG0FPLvRB5fnXfzOvn8iDhcC5V7dA7q08afUjaLDTVG
+6byCHe8TR9weCaCrV7vvGHzmEEPRNzu02C86SXGZw05eRMWFKJL0AG1avj6k24hsnatuoUke
+6IA5zcx81GbkqPDiOiiYJOEZFY1Eokm6MhIQ30HwUO0TQ93TdNgD0pJdAiElPyhs6csf6/Jr
+ijOSajEDcEOuKzqYnrmY2AmDgfyOrjoW44ADKOcRTnnhAF26ljBzwqa4xguz9HEUiQIcBBAB
+CAAGBQJMbL+KAAoJEORPgBbTYw+Jb74QAIQ2ADLJSvn+c5MBWYwc2NcFrRHIc0JXwmn+wzG+
+QLeFDGO9SV//LM9L0XIIbsFFn71Rv+/KqyFLn9SyeGdJakuL/AMC4qF1m6bCzwSMdoZeYBwK
+2r3bgPU4xW94O8zKOfRF9kwxP+QK2adfR1y7j3X70rICZYAua2ugkZcIDkN549PBze+2LYnR
+3CIhyOV6nYTArKhYuaDiNnS822l8VThOgk/Dmdof0+ExQfl7Nc2oAk7wljhmLX7nMonNZcDI
+ct+fDsVS856UYg3aJR8EuDCAayZHZvo24/bKPwroxl26+tEEfsqks7epWZZRGY0lH+IY2qoP
+oFhHPodpAw+faiafD5/06Vo3SzH2i/btYQEwwCCA21cRLwpv9432Ia4ekvjPQ2E3fjBWGyNs
+UA49MYhtllX/8jk6LE+AIU43PFit6ZB2BzVBunsy/LH4ZLxdi5sLTA1f0dO9jNkqf3xGbRIp
+PVXtQ6t/9PUXAy1evqWBQgRNHVScKL6pjuoLurSIenQCbcNQo1iNLB9DuenAHNUBP6Ny3cby
+hqMpazBoCIb4HqtdeUBmzdDZ3okIdjXQaxsHZhDsLNQM1ggj9mu0vJWSkXfdXpew2Z/J3Cco
+lOuTcTqfGi5kdoDHPLvFDEYyrGKiHTV6P7TxoIxml4A0rY6gHFYlF1b5SXmUiCt+cKMgiQIc
+BBABCAAGBQJMbyrFAAoJEHxWrP6UeJfYj6EP/0SlRe8esTX01wSot7D9mZfjK/yvpA3g2YQi
+3U86Nb2vvLvJAamLzV+Ka5GL34lPASAIgwfilQyVhmAsyTOQ1sIU+rPav4olOoUTBaORlzL6
+1AmhtI5N0HpjgnIDLmtKF5F/kRxm7JmcgnHgiKoSZCzZH2tomVVIGA9/aSDznr4N/uJZ0yWT
+6MxKbmS3udM8WAgKxNN8IB2Z/xVDJ2dXMt0a4IgHNAn7wgfaizOiOKaJ77c4c/LNRiyhomA3
+VgHDBTP+WgDwEcJupo6RiXWyvd1yDTEsHCApieODSIlniWUePiuwjBPNNKwH0/yRo1fkK6cY
+kqbCD8Dk10p7HUr1+BEGW2fns45mpwJH9PvbJ7e7VldPs7AKmEKC0HHKZ9BNa3AJiujwnaUj
+EYt6hq+/DRUQp6iqTPDAKE1bNTA4JD55zd1gGthsGHKfTSAydT/kdvxWH8fK6F0vOssQy7iD
+o+8VVoVpbl3qJ1MtvbJTxum4ElFhPYaG4Oh/JPK1vhWVXva9T1PX6sGskdC9DPgDLStCweq3
+RqzAhjPvcqgpx39mZGU/SQzwVUFN7aqASNl0ZFUMmnZ/4aNNYXY9yEAvx8GetdZm8s+0gw4O
+zecerDlVf6xykodTT9sK3qiiRF53P5A8HlgyXoewut6MyKGEwhItfUshFSp7MMMJcycl+I8Y
+iQIcBBABCAAGBQJMb/jgAAoJEJ0LXlse7I8OrucP/jRV886elnIly0yuYX3ALXDPgGKFwbRZ
+GWC1qjf3ESdrqjC+On7jMLnT3/A4l03F23bpHEAOnTl5Ounb1PrhDnvo7msJUH1ZdtqsoT16
+sAPbq14Rsg4+n7f72KYKwcQaNVkgizg/W6a8VJDOxQQgkrZh3Lp90O8krIp6MDgd+XKEQRjV
+HxyhzpHHyqAaY+/nhRY3VXATZ/5K4+pdyRt0aWlpvftYTvX/iZnGBrsfjgYkBZnix/+PfFtF
+A2p0AXfiFfFuU3BlE/kG35gGDgbYf9SouHuYeR6TLgEMOekxeqPacbTTpM051Mq4tewfFQHM
+raLLSMCucl+duu7kyDRXfwZ+zoQ7I74UT9gRkI/jSYecRKAoSYnoewDo2bNMEsnYjFwyf+Zt
+MEV3glEDcE7FXgm20YYjFb7uMQIVbiuXnFho9RQFyu6z67cfIcJzEn1pttMdV0vmMfi872Cr
+BKGHxYu4gP1a+yQWx6N4Xgm1eJVdAdzhmkX7mH5C2GKLPIWzwT+onyi3qCCUWp4NL+2QescH
+IVkc8daU0AH4IGp0A83dpRDb91vYWFImVW2brurAsBwNtKRhpd6yG+ufE8+9PBzQ+hZD4+C0
+jyR/T5HAsuMQNSfcDDEi70E6wRLEd/KYp0YePkoAKES5CB3n46XS+WESddBXfeK0OZpAbXye
+45lyiQIcBBABCAAGBQJVku4RAAoJEOugxsccACVvHtQP/1218tsrXF0nLofFs9edddWw4NLo
+ZYc3HvELTHfyq4/41ERGOQoevO5/3tMzSyAG5C2lmKOz8SDHjAwkLmbqiYI2EbwYxLg1lTzw
+1jZGpjzBfKm+dll3SWroKiyesv/iPrExc6fJ1mxLWtP6G7R4m6ibmz46uywwreT6WvhKRKzs
+IPQdf84W13y2ItpFe9n2U3/Sy50brOnqAiLj/zIP5PIaaHzrqUIevdINFgyIWee2s7tTDcNm
+zV8TV6+cMs4jT8nqguNy0lBGjMsSm4BviQRZJON7h/v3/yf67TctHMWJxeD62STnXS6wjEIk
+TTYSNSEZGvMw6Ti3lVB4nlx7WW8wLX9X5/1QdPc9jZyVpsh8QzqUtp+jDo6dfXPBYfUlwm1v
+Q84BVfcknpMkVMDLX9EMS8M2HLWBGCOEa2/n88ocUnjX2ZL5C2MGlK1TTyxSWCA8D9beVpKa
+PdYP8JfUiZpC5nLKKBvyEGJhUa2dOY6jdbPRZX+V2TWMIwGWq03kSv4VBHdErK+HUXXcFvue
+OdQBEOcN4H78RPd20CNTEIE4bsxgT+riXcjUDDrfIH4EQsA4oh1Z5fXpE47y3ZMMJuWfRzrg
+es5QTKNFKDfLsDwPvgyJV3iLbJeKp3G/Te+scm3UDYi9dCB0eu1MiKM6SIxrJIGzl068Xndh
+QNLOTpCjiQIcBBABCgAGBQJMXbYRAAoJEF0yjQgqqrFAvAsQALNsAqgOJrnudiKERxnGU8dD
+YlxWPADlESd/DfsoEFkyd87GXVzfOE3ZaGKW66PB/D8eEfiT3wWVNpmAfIoHePXkPsA7NSyD
+CORROlpxXE9zFaiRYMzY3EdCsvSjSn2F3K7pymCC5yuYFXTW1J6x+CS8YCEautV5h6oIsGsD
+4zqXyHLWM6Htm1J1Rk0vW9tJqtfO39CFD/McuOUC6QMNLeBlWri8VDFmdGixOmLNAtBoZkPv
+i7AE3BFa4utWcLLjm5gMDsPW2xag21LAwX+xiZ/G0xkDfwKM6w01KcIp03wVzWBwtaUApsmu
+6fsH6gFPFuqrAKadAJY/L/U0A5QI8Lw8joq152skYYwzwC0INYTw+gst4IJDWPtjd5sK80Q9
+NJpnqLJv91KAn5+Ya/i+K3jjFQLwII8x1rX+B+hxsbofh95VdfPJW7W2ZMFAc5kpiN6Vmw6O
+X5i0x407cMV2TslvGI5L0aQ1T9mnMipqMnQNX9sMjCUSRNVa1DTYPr4ANkPy4ssXxenRN6Y6
+J1Y2KORYgm93FfUpQaUUHOPzBT8PlfuTn1rNZpIABEl7RB2qpsJIWytQjZ8U/9epUiiChMXk
+1zmB8izRWAoX9NtLM7KttiFht1nRYgB+8Q9/Ta5mros/htAW4slcFzNwEqFFEYNpgdtfh+S5
+50o9SeOpmQQqiQIcBBABCgAGBQJMXlHEAAoJEDkUtTL0376Zk/AP/2NHH69E18cRAOuET57I
+oRZmJqa+a+cIdmXFIhWlxUtQfEBdXwSDDcCNVZCWWabiHieSEahXSbCQIpjsjfTLHVVmBBCY
+a1XFHixF3tnR8auN/KONFQ5tl5IViAw0tYBX1zbx3FqZf/XMqzOr/twpKrbI2VaslvjPpu1E
+sZ7KiXnqjWU1Dp9ydwK7sdb34V6w/N/uonaulFq6IZ4GzQzIaF7/SkOwm9am9TKON/OmE9HL
+hz4kGimtnvztfaGQANF/YxBdjXEvtUp76y8QwXrxOD8f7EFQmascGPIJqgR9KLYp1Tsw6EFJ
+eKpDGJjzevkBN8eeIDLOWfcG+qlhNHHtnbfXnv9Ojr8b1idvSsdqvwFBAjw2svZAK5f0wkrx
+KU3U5/hTIz89EQuT0o/oJWBj67ONQYHyh4CYMZi3oTiqFWQH10utKi4kGnM8jaDA2No4q4xk
+n6L99QIU+RClkamJVBQdmzoSYpjiFoAlXDIhwQGt+QmhbizZLp6NqxXJOOHJ8ictRpRlzHOq
+ERlLNkmaaf4YTyBeEIH+GYad/xiqDQqm5NQHFBira2dZskxKC3SND1e5sTd0nYIur09wbJG+
+z72oKoiPMCf4Lzawpi83Yz3Swks8hZ32fbObhuiAmfXqEfDlhbf6Hz9NqTxE57faXm8pWrRy
+o1QgHe7WNpM8vth/iQIcBBABCgAGBQJMZa+UAAoJEDIkf7tArR+mQ54P/j192Qx1SS9xW+Ao
+2V6IdWidRtV25Pkt4LckZAIJHfVEvjpM8z1uuY34YacjFeZWtfI3mpM9JUQ2Zx854oSX9z0S
+iQ0u5XnPNBavYZ+DKgGygOyDQdNdjvdzR13IT3RIu+OAnAFkBfwS2r8i2rrWpeZxltPR1Uc8
+J0ZtJ+DLgdbtWZxCGIl5eupdbf03oNQ0GHP/h4W9Ls2kvJOzILQx24+9tCZBIi6ZuHjlawhV
+uZwTvhuc9HNhl5knHeyOZCFfBcNTWFnxuHIzYq0AU/12+WYuZ+SLll7+yA1yHpP7tQrz6oSY
+rQGLzsBq0/kONM4WYmhMQVtgxuxjZV7DK8+1f1YlbKCGrk/R4lZ2JklJ2+qI2WMiiW4BdZ3o
+CkEi8z5Z2vISsbTe9LujYnEbiTyCiEZlrz5bkavOgMP8T/0NlA0GSUt1Jo4hkLG9eWUfYgq/
+7N9vMQd0ihpUVKciJyqaSixVZVX2OdUW0nCh2ftwOzfvjhBG3GydQDb6Q8tdiOeLL4kB/zpO
+VfZu3UydE7CAtqzvNj9DRR6hfyuELHULoxkP7DHCJIx2k4ZZwgUmLHYIyni8ITsRUnapzqwO
+Gy4wmQM9ZGvI1vFXINsV8FUKg55scO7baXwizGX6UQ4jwvCBkt7i/1lYhY5udn8vmQ0cRf9Z
+HjKhTYfZ05hp1dAc9Z7piQIcBBABCgAGBQJMbA/0AAoJEHhT2k1JiBrTtIEP+wRhrJcz3w7K
+y8F8xF7+ihU9k/lvDjqZLlYKuX6kJsTupTygmC7bNVw4uBfGzlujY5kroa375kGK0Q6Uh4PT
+ffiySDUmKj4ap29rlLT3JzFuu5CIH2jskPEAYhqgaf1NZUKAcIncDtVGZWi5J/Gi8faVyRnn
+tE86gVvHzlgsDoz4WLE/Wer/LUkotK66I9sn6t877lm948GIrJ0pknNHB1bCcR6YhNRS6fI5
+n9W3bkHBBs+ilCd1GlWKl+a/NmBnr3yMKEYrM8hdh8RVJlHW1puyLruumoxolSToGvhAIPV5
+E8D8dc92Pa5N0tELtw4a1Ao9zl4X980QQ9XPqp19LdgrN4ipqxgaxlVywzSq1fObqtSd5IYo
+NuLz3PvoFeoDyP0degy+4PxXX+hERcpe224No/Oo6cPvyxblgftFpMlRVuxLJx79m2B0db/A
+lIEN4RAa6mO77ZcJnAeInD6ZWnHw+bVPTbGnsz/9L8EJA/SjILpBcG9UO9pqUYu+aL80AgDF
+FoWlq/Oy5YOjTIBBMcE9iN4V7RV0S7ygA7xXQ8JEon3lrgVNRQ3tyrqclXKw90ehPS8ntYJe
+8rr7M7hw9SGC/UwLlZctG0BO/Le1aoRI7U6NTnfKgdhfn2UAPX7tgSAX/xgZDcuF3T8KeTwH
+/GYjjUzgeoKuZMtfMjXtEOfxiQIiBBABCgAMBQJMYt0+BYMJZgGAAAoJEMzS7ZTSFznpEuUP
+/ih8u8cHaYsnA0vQnfXUB3NDtKpwPA39yTh12Em2QWP9ezw9CizD9VRBmR3kksbxvFI7lNHF
+bBR26jzHvz5wh0OFAoL0QpnwqO6YVDYAnDbwU+9Gyk9zFz5WAiTaj1AFMA2Y6tfq9M6eYOG8
+7eNVVdRI6NOwmjO5cO1NNFO6fo4zxa93VLX8CS+4Xgt+qYnJc6bZDbwUPdmfSr0UgRVVbZAO
+CGE4f2tSeLQwEOkO44XB1rgRilyGu9dRShgxLQoauAXzsQvqMzaNwjal2bz+yunhj14Q81xk
+xJZ96I0w7IzMPmu5tjyPa/1Bhn+f8cHkqQQKcu4Bf2OEtANNU6M98reiS/K4cHEj0ChdFiHX
+l2z4WxSsihbC3megEX96l9A2uVgJK0VsSPQQkGKzVsJkEAsld8tC4XK4OzukpXB184h68huy
+TL1jdJkYcZoBQ/3Lo6Z7TJ5ZvnUhdpuvQdRfmBYK1AuRuNuhmPDYV2/qqmFOYBrpUY2/qv0k
+xOYUduergCG6cI8zFK+KWn3S3sfxVt/032qe7oa9/VsloGBRwiaLl7MAwzHJfUgZCMIcfJgx
+6sQRhrvZbwWg64UyG+xFuocSqTRkcCU2fezMZHhLA6B6CZgk0sY/VBQLBBOy4bmtb54AslmW
+f39NNnD/VzkSqURypo3aDKn/f/v9+JNBfcCJiQI3BBMBCAAhAhsDAh4BAheABQJKB2jkBQsJ
+CAcDBRUKCQgLBRYCAwEAAAoJEESXUni4YStd9mcP/AtRNozdY/n06hAVJCnI2W0U0/BknKBd
+z8SXGItd3Mb++tWs8tMvZw40hB3C6oQJu9CdZ4tzZtf1jSUxoAJjGTGOiz0pooeINAuN0xRa
+eLzUPyQNJpd1/CsZPFgtn4FeUa/T9WwHxZn/XzDBPd+N3uKzM63ZRpKU2lkSvSrh7fvqP13A
+h8Zq/quMgOsCbQR6Dp1swJIm0s9gPfN4mEVXeknXnd2vRGrblJYL3u8V7cfjUjnCUlFmB7U5
+TiROYZYeP3OIuDsAqv8+xweBswWxCxX0LYsuRHRxmLKWEYHAV6e0czRSJYKQdV90+URoOZin
+Qdeo24cWK6caJEavAHFnDcKP5aMCrCtp9hM9EB1J5/w0zOEXLotwhD3cWVDv1k2s0w9wkNZp
+PJKRdXL9f0en47MpqJqR9/8U9X9j8t8tTUbo9PcUcf3YB4hvmEBauBHrCBNslMx58uPYOFjV
+YqbwHUzhTKHhUGVHbCkQrUOjD0z3sjKlzXFqO8Ba3sDAP+hs9+g3YUQX+A403rYJoI/b4Bvy
+eZ4ryKanz4/zhskMDdSBZ/UvduPm+gHEyq8Xtj/jxRDX0EqLvkphDdUgZqnmanx3FkkH9EOx
+fUxnqpdwJvAj6k3diWEuei7pSbTBlqi80fLRUm43135UP6AryHtUnraBSsaGskH4pznmwUfW
+Kh5WtChHcmVnb3J5IENvbHBhcnQgKEV2b2xpeCkgPHJlZ0Bldm9saXguZnI+iEYEEBECAAYF
+Akxr78UACgkQ1cqbBPLEI7xL7ACghnGFWacQR2ySOwHGcuP3y2NepV8AoLz9sWYoqYd0SL5T
+192WWkJWAboKiEYEEBECAAYFAlCf5Q8ACgkQcPNeJG1THnOB7QCghdTeFj/8kaopb1WjUCof
+BrrhzNQAnjYiGUchyKzDS++2vV4VPwxvMZZIiEYEEBEIAAYFAkoHceYACgkQMhdcDcECeg7B
+0gCfXpPTRYvu8+YGBrnl3ryzbBrYCiIAnRMek3cGNpJrDT76nPCVkp9J7zqjiEYEEBEIAAYF
+AkxccSAACgkQ4VUX8isJIMAYjQCfRZD7k69DKbhcMYOYWt5paHpg6SMAoIPdjQhnId+yPSTL
+h05O6LtJU7XOiEYEEBEIAAYFAkxdPysACgkQ1OXtrMAUPS2JYACeP1vgz920Qbq9CMig1p7V
+9Bve+7sAn0FIeNCiAGp7owWq6mZX4BOD0o/IiEYEEBEIAAYFAkxfNKAACgkQ+YXjQAr8dHYl
+2QCfa1lGYuTcxswPc6nqR8P9G1KoS5gAoNsq+dtZCJmYMIflfGNOxlzLUsNziEYEEBEIAAYF
+AkxnTKEACgkQn3j4POjENGFPMQCeNYzQIXlYtcurpdjQru//evWc084AnA4MQEEKUkVvRLOl
+PvkCi847vss1iEYEEBEKAAYFAkxeUcIACgkQ2hliNwI7P0846ACgm2JlzfNk5w49MB4cGDwy
+Aodz+MQAnjanm/JlttRZCU+zLaxHxEj4JovdiQEcBBMBCAAGBQJK22d7AAoJEC0NWrh8JT1S
+LqwIAKQmrdBXWS2UmANTYLBfDuytJJm+mHj1YSJ8ro92xzst6WBmqxMwQ2EscOv7S0rI/LGr
+8PfXBnpp7Mf3zhwEXeUts0ZUt/Vy6s8UAVPTGPSQlj/Ya8u0mFfXkdGsLMgMdds9Cz8fLbZr
+SycslmVmLtK4S+rhjQhJ0vXt2sL5VJ3HRznCpmSP5+ZQOlH/PenHLmV0kC9KcOsrxgvV6Rls
+HIZ7oiATogYm/kuwXwQ+0qQAMsTY3AGwE0yuMXvDuDUnGdUBzaZJJZ/wodDFYlDxTJb9NOh5
+P7PDBQghiR0LrnU+Y4b4Oh6ne61EyGRhP5ULvZ8RZsvDCO27gjNxRH1nJkmJAZwEEAEIAAYF
+Akx2jugACgkQIjrgVb2U4VSOeAwAsBhm8cj/o2YZPP0gFdUCUyr6ecydoD1d0ER8wwvOci64
+bA6Xeu+i8LtcAHKowj0h1uVye9SXK7FpfyPlD3j6hbikG5CKXSwwEfEOUHmBIdY+UarL2Att
+791yM3hADK/LjKObU/hEFs+b50xsug4pbYGbnDgitj4AG7mrqLLReCAV708jbizQyxizDl2w
+/aXbgRvjjVczuxFeFYGlkIFv+da3NoeYCV1oH7Wcg2vrBb+TrxgIbAMW4V36v+fIPaTsderL
+QQTv86Rq5Uv+FvZaoA1y7rXMpDbD8OJ1DdRv5BeDAGOAWUFYj+XDDdpfKt91zOlzfr74hikP
+1NWx0NEyG09wxvkV/6P1zjbv8NVedwhDBs6QQsco/oYx25Pqsin+x0mnc1NiDpR+9Oe7c4ha
+6JzzN3ufllxydLpK4D1RC/ITKhNhIrG26qSEtk9K6zM4QQbD/Ngh/hztcHMObLYv4MIz/Uus
+K+CoJDI9kPAISK7zKTHfGTbM4O+gST0gqcFSiQGcBBMBAgAGBQJSKkiDAAoJEO9z5tpYNrga
+fAoL/0E2pxy8oF9vH2d87G/tYfJB1sndWixltZtLYJMZ6HVAwYBsq6ju02893SllpZ6xp99x
+xAss+xeJF8PlpH5nauQOn07IyUNTytxa6kJ/xHcIuVEVFEBU5SUaXStqfugM/EE/V8pbW5di
+oIILQx52NKli/JhrBWlW4/1k8moyuCkZqYsdwwp2QgLrJhcTNB1nWx4DBgonAL7GOGy7s2DP
+6zoQT2rDmlMY+Y0GrYkt6dwwed0y8mP/6c1ayLP/5E7ZlJK7Lj/3WFxYXeOOP3rU2xm+Brym
+u1ND4gGC9P+p3rlEBJ/loSruk9bbviULqiO5s7dB4Xzr2joED4u0suutYtSPnuY1fNV0DGxG
+qgYvhwxcuOHVD3zBMuAfYoGSRQNsMrpzBnfytP2pF2CcS9L7maaTBxyKF7UbpqdvDDh74i+A
+/J2O0TmMuraSX6r/szqCS8B5UdetjxWHpaEViIy4TiFBMIzkhhJIn4nngn8lHniRT6ex+TWp
+dM/vkeO5f9ea24kCHAQQAQIABgUCTFxxnwAKCRDxppvkKcD/7nyjD/wIQDebpZRkWpthmHaP
+NtpU8vn2WWtxigo4D/crBIrhWCvJGqm9P9n33AXpGGc3T6VEJGyq4lxdwBP/K5FC8a3hgCXr
+dXAA+V5knfURy8kya5FBGK34YtrGXBcNv77I9GdGdum+tooYNnNJERueRkBLA4aIImB/W3NL
+eL1f8vWVi4vys8Utpj8+5pg5GLstbpmzewtc2LQFstMDeCjBsrDiuZZrsp3fO6zKnizg0SOS
+jTkSdXwvCma9j4mlmU2Ry9QJf3EBqyDwhe5Rcrl8TopaP75wOKD3r5npo+e95Wjvxy06PjjK
+1ntAYLMuEODWiKAhQ31YYYg8v0yMvBRFLfFmtgmSoFcIiGJw7azkxJefqIhQr6SWUF2G3keQ
+iD3qNjrriIqxdJQqj1XZjbwwHMKlvtvokf0xCWltpqzgW9YBcKwqr80Sp5Z2M5wjeB9TWhSu
+uoG44r8dtz7GEVllGwGd+hRYbyhdaEjdgFjZtJ/T2n5ESYQ5h3V3vjJbbxVZ3fOE4ksVNEkR
+5cv/h1x631SuU/287bb/ObGieYIbaIxpaQPedcPuX1+hHbLCrtZ9FAx1COzhIJbXG/2mS+2b
+hTUyax9RQ4n01fgsU/C6FPeGqfyrrfijS2XKQAGsigRGm7rIjENjXM2fGqNsWGEPt9v3YoAl
+vVv216XE3sCRMz4Ua4kCHAQQAQIABgUCTGAriwAKCRAedZpyap/ddM2HEADRXZZx9vRiIKFC
+taquk6DZB15B+CTJSe+rhtiiRiSH8GZcifbF2ARqZF00OctbKkbBNycNV8FuxRiaZZSZN1fu
+ZckgOKwMK83Llj0tHd+BTrjmOiZqrZ20l9j4CMfvoTQZLOqxbf0XKpfkx+WEf8HaJ59+2GDy
+CvqYrzYW4oQLdc1wwQ1mI/6XcP5YyTPaOai7WzrRhL0ClYj6/kKrcyzUm3G91SuC/AXPGs5n
+8QVINq1hidCyEjuRO29Pi9YjOIRA0YSmWwmF1Jq0CAWDlSeWZf6oZZq232UM4OnDosjp58pj
+ldIf8YS8TcNLjFZUSq3ilfIJgTLZIfMj0H+YZyBRvHL8071X6xmqcQXmZb2xGOJHu/Zn1qrq
+BjN7HIOrohVvVqccR5rbmQp2m763vqGCPL8nxZszGvH7v5PFCTdrfa8tlqiugadUvYW+SCn7
+RI1QMijJJjrlWolD6ZJLSiA21a9B/y8XmUluedCQ+RiJLzYBVSZhHI4j6EdavCKbTZfeUZEW
+PiYbpjltZ5oOjoTzI/C7GKn/btPdY298tHPIRPJP2P4Ybi0Xzx1tsZIApFEn/uHxzxndigef
+Q0EtTz/ikmVN3CAPo2i9dj1urBixB2QuoESumF2hjUHs9rZDtug6CuskojI0GAb2wPNf/U6x
+ugU3APwb6c8O+66de8wHNYkCHAQQAQIABgUCTGA3OAAKCRDXiExHGOGPRLxnEADsBFKXFFK9
+8wUfiWk8b5ov+XJRvYhrOQZz7fX0iIxUaZCLaSIViyOD8RYFXr9KKuhGc7pcEvU71ccRdmN3
+SoHz+RQDrCJlRgBosEAY5hfIuqtuCEF/njo1cNSR7kjkYc5PKXpbHL2G+15X8aOBdsd/Wa0W
+E6vLxMerhS5ILRbRs30W/VzcNnlb/3dhHSvJPVF9FGBeZuOahY1edZKU7xu8k+udND6lV1Xy
+j25Ty0mb1WfQ6ORuqLhXPbfIycqLD2sNmpFBNVlRkRejEhJU9IiOrqkgECPjqKUMo9cnCCt1
+rVO0EZYvJGD75wl1PySqbQus1MMLep6FJsqvnUpEh/HzS6+Q3/2AL3a9JLITDm2h0TkCeX6q
+o7b27aoe+J4cjiApF5E643OduBA6Ox2iauEr1t5d1J8ewFWx929EQYHnLgHtBx0CzZGUAZqU
+NJEqLwfgxZaN86Kdw1xP6qKCuCdkhrsLt7gsACvSpkIEEhVxoAHqJleWF4MqozwfpsEO9BSg
+L071pyc0Czw0XJlNNq2sn/GomNRvXLbYeSpqzsLdOAYxsG2l7aNRHVb81ml/OEvIuxHZE4Ae
+cjxfsvnONarc5jWIA7iFgk3sLaTVejP4Y8cbn4rXn+98QwseRPBMHRPx84W0Rx+YUXQSAvVG
+2GboFMP1PvnEEv0Qqq6JsdMmZYkCHAQQAQIABgUCTGWPGAAKCRATwLVmejiwsLktD/9ALTT3
+VOyGLPKCdTYn+kXo/R4x1+VpRdoLLkUnxKBzfTVqtHg6X9GAqMn4b8PIgIh+9ULPiK9OLV5k
+bdko3T/cbP+Cl2iqSbVZoKuYpf/xd49oIdiJm/omruVotTDbz5vOHwxzmrSRcxXNzKrnmptr
+f48dZjoDdrirUJNDlPE7yvM0IvBSwPv5R+t7gcti0/ZZFWDSEQ1fphx5q5fD47+t2Oqeyq9s
+oIC1uO9xnzB7tTmQ4m1Up0mwRsf/r0JdTkcT2Q1PNOttWUY4aDncF+d8wCraPW7715C7iP/U
+saAW2h+MwAVC3yMT6iu1dcufRJsgFg0iEd7G4Uxp4IcCfwSLWD1mh4NEXZ8Tis4hTnfpbICs
+Go7qPAFDdPhWRw7ZGs/aLV0+E6hu0t5hE2CWaOCS7hfx8Z9W1heEuMBqDXZeSEfkiA6/sNHW
+ocgNXiDXVMdyHm53xlswdbSDxDT6CPcdvzHsyNP9/pYd6+CFgTBAw60XqLrjYPr3tyTHBWgt
+vFS0tmSq2h6zMht+yMu0WCoZgw4iTYKtwoE+8RE0aaqwxUcNw1w5h8TTFY0b0NyfD16pHX94
+TruaZnlnpNWZtHgYEqtobMH6SKyOsy0G+BJ/XM3jLKczi1U5osqH0yBRCWxVk0uUAOT7Y8fi
+wkUSNQl8wnUbDoRSOtwCn1AQ0LRgOokCHAQQAQIABgUCTGbH+AAKCRAcAfRDyck8Wux1D/4y
+7uso609rTdbQTInHqA2XUshIOCgsk9aW9Vphgs4hY0VEhhfRyajEa6RrjdYs68BuWUWO8qs8
+PKe3LhgTDv2ZmSBMdXEowYVY0CvvHhyHHZwdMl+6vRZX1uI3SHf3TKqT0eci7gNNvYnCbdMO
+nXiBCM8nYUbbPOzSBKFEq3CE7EhNOvSMZwTu6pnOdH0qiVUvqNTx/hEo9qg+brPrPcLho7Yp
+cGu/Kuqp30r2b/HVv4U5X5mOy/OebqzCAb8WEdWoY9V9sDo0bf4or5DZaY/JB6tozg7bQ4Zv
+CTwyu4x9D1SqnySE9/wsu9xSlhni8e43o9ujv3jxABpbbOPqt00wA43wSoCbdfv4mWLsbGk4
+byKR3eWEh1XcUwRfaPk08fh0ssskKBk8C4sUMIk5oTiT+VU7IZ50gh8+XgMxrwdMcWAQH/Qs
+VtsYhDGA0UTw7C1Qp8mCmeqLVw9RA11d/S47UgYlXBQiv+3LXuYfmz/sALy/ktIpz/tp5CtY
+PeP3CPuFMTlKpVScL7+DbeW4pwwR3pkm1QAVaG/lb3Dqc4QpYcucetSyfdof1E7ZQtCRTR+L
+BXBHkfqQT4xnqYOU8ULraaLaUGOd3y17rlYUXlHijhNtytzSbn+GPDnbteQYqZPx16IS1H/6
+buaSwB5ZRHBbfsF9O8JP9+ldLkbjaodxpIkCHAQQAQIABgUCTHblCgAKCRCvIoOqduKse+8L
+EACKRmLci/pI12k8kF81SrF1TEZG4Mlqtij0vFQNTvaLJW9PSX5xE9ln/WcsLwUPf0ciV7bF
+M92bdaPiiEDOzpC3MFEV8Kx/cBGPdGNx42SHbOrxzbriIt+OCFxylsqlElW+Wbo8chPtXWzi
+/G39v1a/xHVxzBg4uUPFRL6zOOZ12M+l+TCijja4EKgctCb63t+x82GCW8UspmTTaEn8UT5F
+STK+qp4+cQeIYBRBcHAGKyfzKJ6Chbv3MlNq+zhmg3b8NYLTKWOgpP4th1v44EeO/R8Oibnt
+KJ9hqQF7a58hb2JLuoEmXXBJVk552hKD5UjKm1DrfZAapUTbWvVv9L5IdozaDph+GZzpXQ4C
+Mxlwil3JVEe9sWPoT35iApFSgoWbDNYGW8M/CRiyLzYtCqcAzExJbU9KnKOV9kbebiZ8J7CZ
+gxot5en0OaXrc/ALPHjYKrNmZEQ+B7dlUcN7KzFMEJHPC5Jb9xsV3Jje6T17lA+W4skejqPC
+ZB1mi9D6SHTN0MYajeRLasFq7F1Vytd0H09MLkQ3i2lymE50Su7cOsMk1+KjA63C0JmMquMp
+4rvuBt6Sh3qVaXDTPEUV5ZT5by7z6KCb4iYg7AB3IsCTsP9njUCZh19YE8IKxd4y1XXD+ymW
+FwxcQs8Fak4HdGfmXLf7G55wI1E4GHFEwWMJ1YkCHAQQAQIABgUCVXGlUAAKCRDagoMOPMw6
+OpY6D/9xPI7IEHZCcGdZV1C5JH93KmiqARv45K0p36nAxmGH16mpFYtTOuK9oJ3ZSAZtbGp2
+oppbQX5AZHhRUvHcjwv33ME0RduosJqeMA8GT/xZKfXNGvQpn/ZG/pDyDLbL0LyEngRR1R+E
+JCPNAna+op7ULQSQ/gf/HSwPI6ImnirMwXFAGOBSW0s29z0ilC/BYRlr4xt5uGwWugYnyhJK
+/SSwrGBaDxB7hakk2LTeVOe18etFCno07VPoI8pUtNLBiLmySM2aK2Muy4NR+jZjU9x6oDoB
+tTq40fkFln64nK82hqFoJP6kDPkzdQx5NaRiH4PAr1DOydHyXofs0MghS0UKlCZR6rkyAR2k
+9r+b9+KUDEQYrHXXDqhpeCunQv9LGzTi9GmaCatNHJTwTmVk1+oydWiruYLQCQHETCzQrK2Y
+FEonJnwJO8XremTXw+V3jyKZLee311I+ggQmtI5StRF7fFh7OGzdJXBVw5hI1VlISketFvAz
+rllAI8Txt59l45NFNkZDZlJlJeadffen6GOXsWr5q5JfS9XlfLbGlzlrcZCG0uxGfKoYaUJM
+0SNa5rvWO04pEK6AjBufkinWJBIJ1l9bz1uSkDY8g2tQWvdZrqGgih2DAXDhv+lu96U62fn6
+k+UtKx1D2Y6JI+KEdeGffuVp+4SnydvYIAH4GgSaN4kCHAQQAQgABgUCTFxxMwAKCRDxFAhM
+CGEREQw7EADTPt7E7JjfPg5B5r8xEQwvWnQ09/dE9xie4ohfzCOfGVpvTquyG3xKrbw9SKhh
+akS8HPLGgBvvodqvZOqPGP6eZKfAAZmlER5fAEtw42deAGhL074S4XOeuPmRPnYlzPZW8cy8
+HhcmjbuwXbhC7SJs1KtQ+sHZ6ihtTqXoqjsC1ArMOuA0Lsw9d4IOT5sXILtqnk92ynkX420i
+yAiRU5RXlASnBNg5fAmMGZbW2/EGrHtfE+zzpqX0N38qKmBnE7kRgPM8OGYxYGpUl8x+M1zz
+KY8BLhJx+gwCzI4L22uKwqv8dz3kzdWD1RBUUKJycCDzwrR+RI+xO9cQzaU/HOykH3HoRfIG
+TmaewYDxl2vsVeHVDbGdZOmhVRzLqQIS259eRjQe6ZjdMiRJe15j+udFF/iVMgSgq93vWWNF
+WB9Q7dKRZyPHjBuFuL9YP1VmxiNELX/BkQlDXcnlXHvK+KSFuEgV8RgQenmFtHy64YBC0MoS
+ka4NtWkPl9EimPn3iAHNLBCfqqs83TaG9Fl8+V9se/B//AcsNoM0/3vBU/L/5F0PppPVO6fk
+ELDY2V11zy7L5KcLJWm8f4YwOKCdyDYPYVTpl7xGM+30n5h3xto8Mz6f5NWVZbfxfErLU5iK
+aeDdSebdqns+FUXmZYUlWJGCXEnY1aAzy/9MpRSz+mtXAokCHAQQAQgABgUCTF0/MwAKCRCH
+L3AsTW4lqMf4D/9oxFxZbLh/kRIjys0wNgeiq0oBLh+KgN83Rf+vc74A2q2T9/XiopuEtk0T
+ywbz3Xw9KlidyGr9Rrbl6O6aWpy0csxUOWvprE7jaTwjqZxqISNCcsPFbsWQieJ1bVv6upjE
+j/wrTRh4IEC/P+K1OU0lWblbeDDEv2K8aj2uiO8g5Ckp9X8Y47Lh9VMPvSOPN6aFyX0s1DDV
+fweQtoYGQOmteY/pFDP+K+FV8iBw/wjEVEWflqWUCIOAWBT4w2sJ49KDdi3RGmFk6PSp/JsU
+SLGrwUU3YnRiVh2vsK0X5nukWk41jm/1XdvPzEEpMK/RYiSAzGXKvs+UUWFi8g7AHQNfJOl0
+hmB8LYFV7mQOLdbNIVTRB/ImbexKtuLDxU35CIxrJFvg7Ry3ulIZgDgFZEM0D/xu+2tBd28X
+GjppOjqp2W6Zwnn4uwqBXMrggtNRVSeGASTDs8WPdwR3PxYKxx237f8J/aC3o2k08q8KbjmR
+QVRLlOo1huZxmXpn+SUUKUJ0dqrrQHIEyzGtS/VSRRI+Kj4wiThPOS6zmc/vFaLjl5T69sOA
+LS5TJqoGZz7j+GDK2MINkWWNM61SNyzomtdQc2PIICR7TP9zJbOvad1QDfT7kyM1JuhpvV/6
+7XIP/oxk6OfgMT7yHTF6rh+G8UUNt/ZBCYAipcFByCKDwNB5sIkCHAQQAQgABgUCTF1E2gAK
+CRBTlEed01JMUcebD/9aEHlc3TtXSGHF/gxVl0zsi3mFM/wibd2n/2Zv2gRrL0Su7BunKEMc
+l+7SECKbDzWC3LYucKhjgVuPHSgGakk3ANiXiDw4qFqiYil1Prf/MK8F6RWye00IIG7yZamG
++1kLA5ft7sjO/emappGvW7bicXqgoEsazImSi9ekfYhLFKHn64IR4UjynHibKjoXA+EatPnN
+pT+IHnBRRHRq2uaU8ycQoxiwUT8WMPyjlIg7NT+IIYqQm7DRjSTsUoTwhdaMlH7YCbi/dX0y
+SlfG0LF/5fdg+MV0h/hPqy6gq2oRouILZlfEGtvv0vBmqagmPP+m4KJ/6/Ikf5ysMtC/NlN7
+exkyj4M8Nl1U07ijha5CQCvn6DyQmy7xT/rmbJ0i1zjZauFmPf1ZaqennMkz2ndC0glSAYIh
+d76mDDWGjvszrYpbO7KdJJeiO0LkoSW7fKxgabNm6x5MaPVhcynmjlC8BFbn8xuZQst13Pit
+VmFtIDX+SJVFQCK0Ypuw0NhkXx4sRqkBukASSwCRrDxPPWqlg9/Ji9uKjInS7M/y3RDZqwJK
+UZqLw2pdlzdAStExWfA3YAX6lI7IrpHMuoPUt+aKNyO6XBLMOGmAGo6LUP8vOvwfkFI72nWL
+IgHSbB7MzHLFcMxyb4CvGjpZQzu3VDt7sDIweT4ZqWMuMIxreik+M4kCHAQQAQgABgUCTF8j
+ZwAKCRB6j0notjSAvpDND/4nzSbiS1pMCum5H8dhR6odBPIRanEa8fLaltUQCfwG+CXBfuH0
+nguvR07j3oMWLZJ0YqZIfGWy+FRMAqFjkY9Wm35ddEO4fm5O7j662mJn32S7ouAWvMXeZa7i
+uhz7pe5o5hxoN9dzr/jD0qNIUwWzCl8C1KC6Gm2Szhnzr4jMM6fxol3i1TIjzqcRACqIFM9k
+rJdpHe18XEE0Ao/cNC4bPdPFEqFdDi+zoYXNrHqyCl0FqnWOkq9IVa6Sizy/8+ncgLt7mxpR
+CeA6v/N4w55AGlxfS284QzDWUDzAoMzMibhnqoY/3p9xup1tMtOZe+2R6/AOfSa7nB3BSGDi
+g3INNT37Xh3OiwYtiGoAPGnBvMdVQYeLd0ySC1cTls+HsXuhfediraNnzRRgioi+r7Ew29Dj
+H4O0gWhunw0gqn5NO/0sqQyN5cW70iIjhJlXA2pJYXSLvONRzQ9GmvhYIq+UA89UmriycCBd
+u12zi0NfEY85B8qqzFP1c0EJrHclHNm4SuSh/cXFlejRbIiSejp9uCHXQqELSRWzxRWOSy9T
+4iARC/twBSE+rJYfCrTMLKZznBzz+FgY/NU91w+teGbKanrKLKjRJtlXanm5kMSVXpmeTnc4
+x46OO8QjHGto4hyaILX+H0+jYcTFZXV1wXPqgevaGLL5fZ2EwfdURZOMI4kCHAQQAQgABgUC
+TF80rwAKCRDRXTE4ggBBc1JWD/9xj+Vpx8DaFRrmDwND90I7bFDux0MrxxGZ1NJc0WhF03+t
+1rqP5aoqgXTx6UxMHTTQXRk6dNKpqRdWCiacxd9LUpUIFj8QrSE6zwWweW+5e1lCa4cIC69y
+AHRN7LwdWV/s8dTbBWxPuCspDXrb3wPNmNaouw76T2Ny5Qwt13PnkaHmoNGIDju8yOpVhcAM
+mRIeAHgJn5X3WkMPi9dGfKr94Vv+K1dAKzl1VQ2DHUcS8dVUTqugYcaq1NXeZ8ipacQtTy6o
+4+aiY1iBJDvKdH1MxJGsS2EvcXT14r5YzOz+KTwIExlrKK98+3XI/u1L3VkUHqY9rILN03Q+
+cKxX/3dV3j9YDu3mUNL9at+cZ4FjZG/rJ0B/7frBxf9fy+7RnqKHsrr5H7jFK+mZlqyAWqLn
+Lxi1kW9tliiEZ5RgqLsYQk/nvvA/hr01rAI/todTvFHV7RIByNQVrp8zBbpmSUhyGaycc3q0
+aNStTXoy6dFS5WLAirq5o0W2zKRbWF6RAZLCwYAz8BAvKfbdDNAjTeXQ1X6kEYxEmsOJL3UQ
+UYLUHm8Ko8pPeaFLjMfRNZYVdQhpyLQbKxEDWwmzuAxODTHPa+bWmD2QRP6g/be8ff43L+zW
+Ti+1bglSk5xCncsGp5ydPfxYhAQiizIySbmVGV0u+hVPSB+vGJTelgw8p0PMeokCHAQQAQgA
+BgUCTGHuTwAKCRBwNzzxKQ25zl+FD/0TkiEx7eq83NaPbkxw4fQGgIfV+ZQHHZPHZxQmWQe5
+Nw+o6jBv4spK4iTQOgfcyZQ9vcNoxDyvFXTPxD1SA9VhJKY/pvZYgFk4chfIAwqsuLhL2B4x
+fL7XRU044MIy12YG24mQ6wq4Yp4CLX0J7XTkqF4o5gZ53W2lZ8IBhGee13vY658Ie7OmSwXd
+HZwLABOIck59PBOnDQmbIWHw2nO8esxPuCG7A1vJ9oX71PRYGe53310L/vqRWliGwgINI+Lc
+ghnn/GIxdBNAQzvn1vrBtLvZB50Ck5WxRZdRyAh29i8IQKVt43X3CeXatFqPke30n1hudgXN
+f5zu7aJAHA3TvIghig9L9uZtHUMIZzxSovTF75ACmxfqiCXxS2pxqzJacDpahog4rJ/AZbsG
+3787vyhM2zjCiSZIrA2GE53M4M3TQpV8gKAZy54Gdjy2S8FcOiFARFGXVu/l6j3vf2dDrTdI
+Hlr+Ta/f2eKfKhyCLT5ShZwem9O10mpDfP/Lznb4kPKygCjT24t/UdY21mvVKwAiXDtkeeSI
+LhXVj+I4ddyx4xf5mrH7khCxwDiYKr/sPmzFUg6gHHPsxIMoV/8+DA/VU+x/r2thuSH2rdKp
+IuPcN1fLI3R/Buy2Pv3KGHzzOHQyHv2UbfGK5ijKY/lF5Y3RWYynInUcjQLbx9g+V4kCHAQQ
+AQgABgUCTGH1OQAKCRB3MfzMY+Tid/cSD/0XD2h3/YcPxSfN1Wc+CRkbtw/14V3lgDOa83Q1
+Gr6GySQZMeZ9NeBIeC03fvlfmQl4EwFebqGR7jsuRRVZ03P9I9fKoPXJhlx/hpbavP8mkAAd
+Ye/ziA5xjzIi6j7GIpID9ULMvAW9nwPtL6p0ritjvkfx7EOJ1D30ID5Gn0BzyhgPUKiqLsR9
+zdP11Z4u85ja1cgkVXMl6IEMflMJ/qUonGX51sEGvAC9OfbshoASv9g1cohRJe0MAVG0arWj
+KkxekFXTaChVOSuzfavExtlW2eCHy2IH4LVRT2VlOiPA+dyRZuhjBMaRr9raeYnNtB+7SLWu
+XeRgMcAiwWdvKSJRIS1H1sVAlP02APy67wBeHEcMrURx0NzAZaw/7XeyPAt7+S00LJNp6qNQ
+fnecBTF5LZkfKGIentqjKKN0Ns20lyMuo5TGb2mZSdhlYRixsY/z95STNhsGe3SNzgdSpbG1
+2eB8j+uaoLj9Gjd4UF0uAhfS/xqDXF3MONZX+IjKbGnVx1MMwg/ECPjtfRu0nzm2o3jpYQgU
+XlnM/kAjGDcHgWsWyWdKVeMB+bXOwGPl6wDmcAkaj2GoUJP2B2bDnd6QHmtBQSD0jiRmqoXb
+ARisPDuTJ7VywYSND/zTkYfBpXh9YLikxYS+Vl+NtLuvILXsyOt9FV5pxNOoWKVbj3X03okC
+HAQQAQgABgUCTGdOLwAKCRCzRk+JaqFZSNlnEADIAMz9GZZwdKchx9VqWzsHKetF7ASrZuv0
+5DSzfPH9lxJQZskWDRnLLtTzpSkrMDqueu7bgKE5XIoRcPgIfKoBI/iJBZPQaoxN9aRyxrNa
+HM/F3AF2H0hc3fqUyi5+s58C5/El8Bc8oq1ePKGrOWFAFoNTYIvQJ3CNbXfw3tm56TGVKKws
+SMiH+9xk2fIBj1m8mSpAwZKo6CMjlVU3Mz3h7DNiEa0yCiESl3USCIBO1dmIRs08DNn+MZyE
+oeXSXM+eJtw+GpWGwDflnwOlKDlDj42y4K6pH6BubyfXe9ylb5DI19TV1X3wtvsqyhE+nPuT
+4V6j8Bli1YKm/KhwjkXw7KggkStS+6TMlT6EF9f7JiLbDjAqhCZ0eBvgCm/p0/TNL0lBwrf5
+90vD8QpXfnxAprdGR8O9ZEyviUqpw4JRnlRiH7TMBHVDiNCJ0eX53oyFd/TuDSTcvfyp3i2J
+GO38NQfoO0u880bpRbCiBsLcZfEAByaXp2hV/9oPEvBP+95GwbnMAR8PlmL8EDzygDElweDc
+F11FvcD6pgKQdXPubxeM6vJgcrFEozzW0mLZxXLUlv0n64YUMy/7JVoETPIEFJqAKwsMvaJy
+OHJH7ycbs2dTeWNT3KDigSM49VE8ERd7XzyncZUbRk3ZkhGgRAE0Fe1prHPDx86PClBV76hm
+hIkCHAQQAQgABgUCTGy/igAKCRDkT4AW02MPibaTD/442P0Qwf27NHs5RV+n/M2CKeG4sZmB
+epDU0XjnqjTZJYYcMtKvVJ3EPvB8qh3Y69d+pCy92pE9x+4TXj+59pSYxSaZFacW+3s1884K
+BQYe4256NjbVnxQEIStYtS4wRL1xjYBoNnPu1hq+vj+zArQ1pCWjCcM9Wzpl2tUPu7Lat7Os
+qB7HnDvgDB/HUbNgpni6EmfrWN3YlbGthnBXfGvAf3nyPwuM++GKs7a7R/6+it/dnPdke3Tb
+/aJKAC8YXlUSo4mEqpuBzz4Sk+5wBv+xS0h2GF4z+mnwsMY7ChqlyX1eLqfx+WWdO7V5CuPM
+sHMp0WxsCw4x8NPhzBzEPFlYSvYlS2z5M/RMie0g5JuXvs/ajDHZItZYJoVbeRAIVZ5q3ru4
+jR2tuSLQNo8qoqll+u7qA01zeEh3heov+FZXqoe8I1z7XOS6i7ZP745+zdbyRhi2beqEQ6XB
+7ub3jSSOUPM+x+LKxXC7bbhKLlAat5256wZnTTKRVNEUuoCFPtUR8FwzwRXl9AOl1Ekmqdfq
+M1F9TKYq3dPATHCxw/vV1QrCaIbqdJBAtf7ZLHH9B0sAZ8kudVPQeB+Ghr4KYaSPyX8Vstx6
+tl+qTyuVlkWd26OZo1mFUc9kPej7cjiXtf/XOp2mI73piU4bfTAOBHAopiNiKe25M/75bGso
+bAWSh4kCHAQQAQgABgUCTG8qxQAKCRB8Vqz+lHiX2Nc0EACkkjvmLuJz2Wp9Lq0fvdjBhGCp
+95dZFpvcBFJfX0rzifUEmbWRp9fiU9P2SJaCy392PL0gEhEi4P7Aos1rRfyXjGhxcy+TYSUA
+HaP/jQF59XED6t2ElW8+NnZNQ3NE1NnZ2ivcig09GdxvfV/Ivi3dAjYXslsd0um4pVCEEBlc
+lWw9lWRfm1V9/Zmz+/83CNuc6yVGmch9lckcq/1zxqcBE38WyP/cR6nvvuiC4NY9W6e3LobD
+eLkagJqFtsThM06Hy2mI3pDsC33nu0Za1tOV1ihJCUTxArZBDqUYWBN7C7hfx6/+IO+as+2Z
+hi8bav8mjY9j7chXREqnmJq5uTXGyI0LDuTABn+Sfr8861zPeev56GhS3/gBIsvhEik+Hym1
+1qnvlFhICo6Gq8qtXiJ9KQE+XI/bWZgFuflJdDLWT7V+DUw5+Rdqo3Qay0vHvsto+EMQLCiL
+8qLdw3eE5/lVOn9vHPccypGq5saMyS2hdS7yF8x+laj9xfIwMyp3CKTJ892K/NOh+dEhAo4J
+ZNw5tHCviE2KVRxDWNjjBOcrpONkp8o/OPe5bxCXVnV5F9oZqHCfWtXc+MTlI4dkk2dPRB3P
+JNUnKbSgX4x63th/m6oAB1JJ5DE1iT+fdDre4zBpSI3ILCxegWL4ve+hLHUWS/ubfkJtlO5z
+4w4wiLmfPokCHAQQAQgABgUCTG/44AAKCRCdC15bHuyPDso6EADTyj6fKEvSzHFo4caqYOVX
+d5kZir9ss0hzplt/csBDosMdW+wO+wxzt7jXXtfPlA0OGoFqCVEtxUGQG4qYHSbCKPd9PEHS
+ruWlcqNFAqRBi6k0phM8GeKbE0+B1u0qiyEvuG8IuP+1DlXla3yG4yEUWqprBMjl46OnTd7u
+ZKS24zOqnS4Hx9fId3s7bW1JwrVmodbx2rdHDyZKXqCpwXFJsVWe3cbh/h2lXYalDKzwbdcm
+rgDZUJp75YxlxerMiTG9Xc/4e+XOs30DKGy2cHAMitswtjXm7ZKZ8yL5pmbmDeP99XASwByB
+7Mm6KuvQSA+8ByLmkvu9XBrRq5WUG9Cx3m0Shxy7e74w5/u4LJkqrmr1wdw+gZIvWG3UuTWR
+kqJw6rEoiv8WTjJSWE5rTFVaN6YH2OuOFsTWNaUH1bc01HpEKivhk3ZiOOg2Bhxbt7i7oYJc
+Y+UHCbC3PwwktM3wEnANz9UMoIFxn/2OHdIWl09t50iaDErTmtgbfkENDdsXEcLA7qs+8vpr
+8qY+M7ycCuRat7Vu2dqopwpkhRpKtddoMNYZ5/51vFcSuz9BdCk+y+q06Ri494UPVFJsHTvn
+gjtEcxsJopZn4pddzk8g2z69BBWRv31c8xiV5X5QTf9zmRUFD06pux6dn1CUI4zoul5kW0ah
+LwQysmqgG40apYkCHAQQAQgABgUCVZLuEQAKCRDroMbHHAAlb97dEAC8oQamwtIj/SWT2PJS
+Kl3bdPdQaYI8+9ZL9xXLYyhOl8aduFVMlJ7rqkWSdwg/AGnp8nh/pQiaGsnRweqFoSte3poC
+QkNmRR3pgsZ1qqWMxqVrE37R51MSGRBEZq50diQ0sG63tzX7GSnsHXyxDjVfR4J0/ohZzyXn
+UubBB8X/C72E8CaxrFAzyrLY0zqJBMzub+b2zg5Ac0V+GK45Iz4duftmvnWf6d9aOvXsPqe9
+/BPbix8l8lCWUjfAPh0sSskI48mIi+jK6rm7+JmsF+9zIoVxlnnlFcmDxMGtapUl73BzpCKI
+tbplOogAKpA9/2pcSvf2JO26cjQm2gN7BHGfApB4qYFHb90fmSt7XUQEwxyCbsQyhS7Tb6bN
+wI8mTqajGoRZydB8WZVjRgsnnCHa9ecY3Hs1IrTMKM3gl7Kmm1tzbtAK+NMSH0mxPG3dmTbv
+NIkjOcgGTYo4r9Qt4Q6rV0zfm43dZs7AP6nECRYyMggEoHHBDh1PaPUjoUsJ4Q/b0R8yvNNC
+8defastUYtUkepBJ90FzlIJeMLf/1t/1cYX0or5wfp7DPAGxTx3+5EtyKC2Vk3JltR5QkLaj
+blZ2PIq8TTtdDprXJuOtucF33p3SwXRjA59DrxEofOf1B2cAcxvb42QgZ0ToJmfeTz9TfGDS
+adTRh+oqbbjogv0A8okCHAQQAQoABgUCTF22EQAKCRBdMo0IKqqxQBAND/sHFnas21+PsxN5
+Uo2Gr6ieI6NqP2347xT3ZAugQFDhobNJkdXexShpW/PAAxN8/JdndFtuF3nNCy6gSt9c+eLx
+uZ1srzyE9nZeXne59TDI4+ubXhuu/oXIfj0n2j7m53st6+RI5JJ3SuI9kJTOhIYA+7AHBpZp
+XUu+m8sS+Jhyy3h7tqJw4IrwwOfW9/WEwhp3Yb2zDoEBe2Na5whcjFRtCJkJub4YwL3L/D5G
+w31dFnTFQV9C8BNmyPfoHiTWRQovejmORLdNOzaHKy9a0c4fF6C92j4s9wR3KM/eaVJxM5bD
+NvP78usX8LQY5A6C/3+e7kRo1gzDoDhgYii3gDm5hItXXU0V6sTcFWWVSPGwrm+628G3VWmm
+1b57mxWn6+7Yzw01R/CyqEzovFG+M1BZrJn2JqJ8Y4pM7T0oRpi0/Ee9Dqiw4+v5I8wKCTag
+713ZLx2IdMQxIsMnmBq/819ZqjKkYpAbgteov/foku+Y8RvymE+afjxcE+aYQpYOyMPNRMRp
+Dq6CKkVErPNpI758Eav7UqUi5KyfMQ6tMh09F+mKBZvAVE7AGIbrQWhHlTCOYdSRA7uFtgSX
+TUQlMSsj/2xkorXaPoFqShOr1hiWIG78zduIGT5FxSG06j8h7j2h6W7nCj0rYaOzDNOBM9yt
+3il8eu9SeAgl2cEosRL/4IkCHAQQAQoABgUCTF5RxAAKCRA5FLUy9N++mdKJD/9Lclk6nEQu
+xlcgA/0ugEKmWn5JsNnq8ZUl78nZP6fKY0syx9v4bMA+ICQrokfwY4o6dMxcj2Us6JUp/FBV
+Z5lo2T2iPE+ucxobFslNdpZtzOQGOsOJ0N7qirafFXJ7ACtydbnCUaPfzkPYwwplHFqT+yQH
+k4RxBysHWw9a9YoBMl9KFjIwZ7Q8v0x4ywySwfRAKEzFp+ESP+hDwhlOqTBKFL1/P54lmbhG
+JHDCNbwxGLIjiAeCjomyoxpg5YdSZVyWttmsy1rxMV+ndERK5vELfZYqdlhL0quVPzd1L+g0
+m2iA4QdeGfqrCxex7olq1su60PFrMee2wFzH8YEYY70nCi6/JRTb/Vk0wNqgyNjKY434EzHn
+liuyhFvsTkQy+ciegx1lQixRxJfVnyz1BkHNDd37qL9lbzPwVqLhhh7jkjW8koPbExQGjVcH
+St2HCGDcAxyOJK9sG5a2GxPn1K/SzHXWwhVCSQN7sJSkpNmRNgjpJdOTnEtsfRC7keUEG853
+cKtWtqJw38/ye6RbXXHM9y4oiLkSWLneGH3sQFtbmdtjubLQNXE7rfuUHarwCnVHV5FaeAn9
+FNBoo9MCAZL1cuxe7CR/awAuH/JAkuZOanj2jFwvqeyfNgsB/LIlHIBTLPwVXDOZ3E7+KUMJ
+lQ45DOfhGPOSzv3QTL4gP6lcvIkCHAQQAQoABgUCTGWvlAAKCRAyJH+7QK0fpgPsD/9gJRwY
+37FXgq6tqiUO+q8H1m+VQ4y64cKNA/SMOGxV04h7o5tC3B9D/ZghAyfQ71Li88PIk8n7PAV0
+Wnbv+V/9kawa7C7Bfq4OJOGzMU0Y0JPd6LnupBtq+jtE9H1TLneCiBu05bjeLSQde438Or9w
+SV0sLwqKncwqRJY8iIjz9O44X+6+6p4CqdMYmsZV9nGM+cES6uytQ/sB/mh5PutZahslWurz
+ouec1uqTY4uuGNwOz+MJvYUNPyajcgtpH8JNQ0phlUvV+nAOJuiNXBHw8MbxNzTdLfsdtdpy
+zRH6NAMN3QHrtEGAQ8XgFnCtu6BEPpgOQIB1pMw9OiRMhkcu9uCNCY5p9NMhL1tEx92DkSyW
+lmFIF/h1Ohd4yaxnn9jwTVxxhdAxqK0rIORy+sHUSuc5LrtItNe+AnTvQeY7MRgZwJuCCohQ
+L3OLXULZajB98g6cZQJmNmtdUeqMY/QymIOH8IoY3SCOws4h4QZSSVxNczo2Ag5R5QKSpBA6
+jjsFo/VHUX0wB/KbJTb1Hl2vtID20kR7MfzACFTI9AEbwvG6CX7oWsnciom7bHEiyHWR4Olp
+tlpQk2RQ4T3RG8r9kDgJuX6KmDH6uI9CdYTuBxQgIfpEm+tfSki3LVfnOKgkRDqAJciBv+ua
+qeW7KSjNDpBC4u8pn9tyX8RhpYUP7IkCHAQQAQoABgUCTGwP9AAKCRB4U9pNSYga09OUD/9X
+xTiFFzcuev5k8MtYx7+T30Z549gFnOx6GdFgCK7GzW7ZjnofKt8e0NIQmzzCf0g1vxdulqeZ
+7Oh8iFrxpPZyOKJoO2BDKS9VnYEANQf+quUJPTdyhGqdMSDQGbSEqjLF3oNp/+jdIIMjuo3Q
+nShdK/BJPcluN7AoOFLQ3QH4Q5fEbtwc+bEJL9TfFqAhUhcY3TYnqWtsMRW3tkrgCvcp0Bo7
+LMSJB6jH4Dx5q60Am4V1Zz7C9wxtZeZP+P0h0YYWCbOmQWhzT2aCRYDrp1o3SsuatHm/bPkv
+rliBzslW8i5Hh3gv5Atn/P5bhMaXtJiGepkat/MGw1hP8BYaSb/mmy9XbdMlfDijcsAF2+w6
+w1b782oCGXgz2ISqPLsFYWccS4GOAwSytep22iwsWpIx2JNNndg4GVfgBxx3QIhci7EVN5Pv
+/586PwxTetIZmQ+FNNHcAzqBzi3oe6J8o7HlMEHjG6Dps/D2clTNHtD0vSk5ECfhSC3W8OAD
+VSuB8NxZVfI2UfnyCsdjyDLUu06fMR4gNW+zlSHI1FJBSVuU8CCQOtMPJ5fHPq3hEc0DFyLx
+8fPE02n8It0wm5RrdUkgOjiVK2n251SyAwSM6zATCFOIt6zdZWx6T/HrJw5wzI+wgsZHibVt
+i0vOA0GsAXzobE5yyhhWTnhqJgW2vKNHjYkCIgQQAQoADAUCTGLdPgWDCWYBgAAKCRDM0u2U
+0hc56aYKD/4gPLkcER4nlKdsMN5x4MuUjBbv/+Hab1+hSDxEiA0Ya2Lt3J64y03fz7J1RzIB
+djH2QGhdvuZtEohiad44DUdLNGJ98q7PPll2KPeuuth+bDa3P4h8ynVbCJRSmIkSVCRG90eE
+AibHWOgTNOmn48Rwq5zMEgwNvmgsX7ZRm7Mwggt24LIK93iBMqH7WqS1CujF+WqQygpk671e
+GUIWSUc/iBmaHZ/yoElL5cSBSPHm+ePyQsPSN7ooaWfodXXTADpQN4d5Tl1WzwZT8G5cRVLP
+4CZ4sqbzJ9EKWFMlohcf3ibT4r8H5ij8btgq0TvNcoMvCbO2P94KChQWxQSwJRftJ9/GPPo1
+7zK7pXGK1QMZNMYhvbYSdcbxG/AsmC4qJb4NVdrrxBiEye41+M+nQiT7g2GbbJ9gBCv8k7lH
+iw3B+KfNoAkQ2v2CaVMrguQuzxCs8Zpl7iKuFG+d3SGqnn8rRrRPE5AOlSk6bOr22jLyGsns
+URt6Mvh5QyVrk0G/6YW/5IMIVNuS/i12m6ireKvpPBkUIkNlS938vNqZ4LnsZ/+gBlZqmY8H
+sZEt6Wfq7efDBw8z1FLRW58xOqCY0vh4tteFJkcY1LgzK5GUddIHfYcO/Y6p/3/Vq1/ao4VJ
+Jq+HSIsqrdW1nF3EDSbwyy96uAdxuhfZLxSgRugCKyyOk4kCNwQTAQgAIQIbAwIeAQIXgAUC
+Sgdo4AULCQgHAwUVCgkICwUWAgMBAAAKCRBEl1J4uGErXaQAD/9wcX8JM24NI9mCjnHOGOuV
+eo/1Z9sefzYvhlbbTWvJsEdt5eaL0FRl+kErHtwNyEqvOTAmt860GrpekjkFYQObCsmDOiEy
+i+vJBScub9YK6TJSOQJ7f7zyIwzHgvilktujiS+/YDqd1IEyxD3QxQ9PTdjcQX/Z7enfBeei
+sBFfgRwbH32p5EtdwovrmBYtgyXUqp+lSg9kG3vvdj0bt/Fkq7Es1eEW8Sp9QqaBpo2fuzNS
+rojYfZu68coreRIV/nhuA7/ehjiVXlvzi3su+0ybJwGZXLXaM7kxXoYm5i8NDxp4p+7laXe2
+J6HUuIQM5ea4NuPu9BKIpKGxqNXQE+n4tmX3lp6QwXuZShwOXjSFsKxXvipKI4sAkxPfrPFa
+xzz/EDqUf9lzCBZ5nl6+OLv+GyTz6Meq1NGIX1N7u6XBPtdCujVbKzXd5PbEk0Y00skLFcQ4
+9FwAwDFw1XIPljQ6WttsQlV6k0yoVJZc6HHovnV1zGDviSyUdegDX9uKBmgGG8ApliPLvZ6r
+haU4yHykFHBMPfwBNBwrmthTShdPS7xh4bz5xYlay9wm2CzIVB6muK8PIyTrRfouuFivJuYA
+zoEcPBbubalC3OCocLl2xv+Qb5G7cz2hTDx9JZXUD18IeG2A2mcLeGp1zTc1qz/7h9qa0TLe
+fWpC75exhIgXVrkCDQRKB2tdARAAqsQbw2Qd1WfbJr9U1KRdwTKm2OsDODftgNv0zmfaiYCN
+iOKEsrsJdtonmaisMi+Z+5/wrf3Q0bV54qmwOMTlCVvqnpxwbVik8VVGWgUcLJYYK5Lkn0dz
+rtZs6AaT/sbFewir8q6m3ADbq9hTXxt9uUfe5Z/D4sdbhgbWtQa/DeJwWZr6VeyCHcY8BhR0
+FXYmYDZ0c1rmbZZBt+vIF4UNTNU4x6me9va6QPW0nWTEjae9ExGSPwm1B4hQd63Nop6E2Vqu
+ahdJqKVRYYmD/IqVXOxAhFRA/w9vqF95aV2BB/ZrF0FTA8iCEbFy3oNrZfq8KlJRCtcUH2qf
+igMndOt8P65omM1DQhlvterVgm2PCb1GmwLEbMi+HtLntziFozYGLTlAMcUJt7Pyu/iinzx6
+Sc4U108dmNTJLxqSZtvJFaRyHml9x7oP2gWjpuyVgo1KuEXKq2Z96S+sxE/YtPyB/cBpazZ+
++o/i7PLhxKa1RTIA8NgkDelWeNalvYzjNkB+tXeH0UnxtBTC+PW8dyUP8OmmM/2V1Dzcj9Tm
+Ky/G04TFQyL1NjvFjzXyIUO5WpdEbSs04h5J3KM6YZJlicqB2aKAUslOi9wUIpKRK+UZBTSj
+886jynsu+HA1Ob6tcTSlwtj95RV7nBTiTM6MpPuxTmZ2DR/vLE6c7yE+XgrOx9EAEQEAAYkC
+HwQYAQgACQUCSgdrXQIbDAAKCRBEl1J4uGErXVFeD/9Q2vtN0FeOiveLwN4KAFbMLZP97bT/
+sRJkQQUZoawfbINwzGDuFrZSsWipoBLam6BnMH6OfHkUOrCToZROHYagW/nv/WTjBTX8lJt8
+SFhHh4ONPBaxF90z/YrpWlNcs/z/rqu+sm1KgCA9mkheENGOj3t97udZNfA1N4NZu67Lo6HZ
+yUUCK+eJtX6BS2HgMGokHuGha/LokTor1lkl52Y3CVfds9YDrJmlSQVhxI/S6/IajLwKFyHd
+pMiK/o8q3mYuZ7JKCBOooNnRpa4myUrBetf1p6xZqbhEAALMFJc7/8NXxesqvG7RQJ7VWyYO
+5BhgzPutqTUOVZskc3r4cvaB7CT1CsKPdW+af/I8q/C7dhTWWthirPN4DCdcTIlK9ECpba+m
+S7MQG/3ta7+/3lT3yyMKlhLkAaUlUNa/VbzUHOlVA1txJk6jcuEzWIzebEtoT/aYJZwNE+jL
+CFOC75HTGlxp7/8ngHCXn1rcBS9TQJ7CGX31HhbmNak0LtzhAS4B+fWQLrFfShTREcYD+31z
+yLns4jIKY8dehPner0Y8RX31/0eQOknRwRSl6uceu/6liJT23KHYzT3FPGHuK2QH6AHnORGS
+g6FmBsbXSzosQOKWE3sO0dzjPIE6DRKwZIJmqQKvHqeAvPsC0U7JBWlKl0eMoIuDjp9qFDKz
+BWcdiQ==
+=iUyJ
+-----END PGP PUBLIC KEY BLOCK-----

apt/meta/main.yml

@@ -1,17 +1,23 @@
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Add repositories to APT sources list.
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+
+  galaxy_tags: []
+    # Be sure to remove the '[]' above if you add dependencies
+    # to this list.
 
 dependencies: []
   # List your role dependencies here, one per line.

apt/tasks/basics.yml

@@ -14,13 +14,14 @@
   file:
     path: '{{ item }}'
     state: absent
-  with_items:
+  loop:
     - /etc/apt/sources.list.d/debian-security.list
     - /etc/apt/sources.list.d/debian-jessie.list
     - /etc/apt/sources.list.d/debian-stretch.list
     - /etc/apt/sources.list.d/debian-buster.list
+    - /etc/apt/sources.list.d/debian-bullseye.list
     - /etc/apt/sources.list.d/debian-update.list
-  when: apt_clean_gandi_sourceslist
+  when: apt_clean_gandi_sourceslist | bool
   tags:
     - apt
 

apt/tasks/config.yml

@@ -8,10 +8,11 @@
     create: yes
     state: present
     mode: "0640"
-  with_items:
+  loop:
     - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
     - { line: "APT::Install-Suggests \"false\";",   regexp: 'APT::Install-Suggests' }
-  when: apt_evolinux_config
+    - { line: "APT::Periodic::Enable \"0\";",   regexp: 'APT::Periodic::Enable' }
+  when: apt_evolinux_config | bool
   tags:
     - apt
 
@@ -22,12 +23,12 @@
     create: yes
     state: present
     mode: "0640"
-  with_items:
+  loop:
     - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
     - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
     - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
     - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
-  when: apt_hooks
+  when: apt_hooks | bool
   tags:
     - apt
 
@@ -35,20 +36,6 @@
   apt:
     name: aptitude
     state: absent
-  when: apt_remove_aptitude
-  tags:
-    - apt
-
-- name: Updating APT cache
-  apt:
-    update_cache: yes
-  changed_when: False
-  tags:
-    - apt
-
-- name: Upgrading system
-  apt:
-    upgrade: dist
-  when: apt_upgrade
+  when: apt_remove_aptitude | bool
   tags:
     - apt

apt/tasks/evolix_public.yml

@@ -1,17 +1,29 @@
 ---
 
-# - name: Fail if distribution is not supported
-#   fail:
-#     msg: "Error: Evolix public repository is not compatble with 'Debian Stretch' yet."
-#   when: ansible_distribution_release == "stretch"
-#   tags:
-#   - apt
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - apt
 
+- name: Evolix embedded GPG key is absent
+  apt_key:
+    id: "B8612B5D"
+    keyring: /etc/apt/trusted.gpg
+    state: absent
+  when: _trusted_gpg_keyring.stat.exists
+  tags:
+    - apt
 
 - name: Add Evolix GPG key
-  apt_key:
-    #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
-    data: "{{ lookup('file', 'reg.gpg') }}"
+  copy:
+    src: reg.asc
+    dest: /etc/apt/trusted.gpg.d/reg.asc
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
   tags:
     - apt
 

apt/tasks/hold_packages.yml

@@ -1,10 +1,15 @@
 ---
 
 - name: "hold packages (apt)"
-  shell: "(dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
+  shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
+  args:
+    executable: /bin/bash
+  check_mode: no
   register: apt_mark
   changed_when: "item + ' set on hold.' in apt_mark.stdout"
-  failed_when: apt_mark.rc != 0 and not apt_mark.stdout == ''
+  failed_when:
+    - apt_mark.rc != 0
+    - apt_mark.stdout | length > 0
   loop: "{{ apt_hold_packages }}"
   tags:
     - apt
@@ -28,7 +33,10 @@
     - apt
 
 - name: "unhold packages (apt)"
-  shell: "(dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
+  shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
+  args:
+    executable: /bin/bash
+  check_mode: no
   register: apt_mark
   changed_when: "'Canceled hold on' + item in apt_mark.stdout"
   failed_when: apt_mark.rc != 0 and not apt_mark.stdout = ''

apt/tasks/main.yml

@@ -10,30 +10,44 @@
 
 - name: Custom configuration
   include: config.yml
-  when: apt_config
+  when: apt_config | bool
   tags:
     - apt
 
 - name: Install basics repositories
   include: basics.yml
-  when: apt_install_basics
+  when: apt_install_basics | bool
   tags:
     - apt
 
 - name: Install APT Backports repository
   include: backports.yml
-  when: apt_install_backports
+  when: apt_install_backports | bool
   tags:
     - apt
 
 - name: Install Evolix Public APT repository
   include: evolix_public.yml
-  when: apt_install_evolix_public
+  when: apt_install_evolix_public | bool
   tags:
     - apt
 
 - name: Install check for packages marked hold
   include: hold_packages.yml
-  when: apt_install_hold_packages
+  when: apt_install_hold_packages | bool
   tags:
     - apt
+
+- name: Updating APT cache
+  apt:
+    update_cache: yes
+  changed_when: False
+  tags:
+    - apt
+
+- name: Upgrading system
+  apt:
+    upgrade: dist
+  when: apt_upgrade | bool
+  tags:
+    - apt

apt/templates/bullseye_backports.list.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }}

apt/templates/bullseye_basics.list.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
+deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} 
+deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}

bind/handlers/main.yml

@@ -2,6 +2,11 @@
 - name: reload systemd
   command: systemctl daemon-reload
 
+- name: restart apparmor
+  service:
+    name: apparmor
+    state: restarted
+
 - name: restart bind
   service:
     name: bind9

bind/meta/main.yml

@@ -1,17 +1,23 @@
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Installation and basic configuration of bind9.
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+
+  galaxy_tags: []
+    # Be sure to remove the '[]' above if you add dependencies
+    # to this list.
 
 dependencies: []
   # List your role dependencies here, one per line.

bind/tasks/main.yml

@@ -6,7 +6,17 @@
      bind_cache_dir: /var/cache/bind
      bind_statistics_file: /var/run/named.stats
      bind_chroot_path: /var/chroot-bind
-  when: bind_chroot_set
+  when: bind_chroot_set | bool
+
+- name: configure apparmor
+  template:
+    src: apparmor.usr.sbin.named.j2
+    dest: /etc/apparmor.d/usr.sbin.named
+    owner: root
+    group: root
+    mode: '0644'
+    force: yes
+  notify: restart apparmor
 
 - name: package are installed
   apt:
@@ -24,7 +34,7 @@
     mode: "0644"
     force: yes
   notify: restart bind
-  when: bind_recursive_server
+  when: bind_recursive_server | bool
 
 - name: enable zones.rfc1918 for recursive server
   lineinfile:
@@ -32,7 +42,7 @@
     line: 'include "/etc/bind/zones.rfc1918";'
     regexp: "zones.rfc1918"
   notify: restart bind
-  when: bind_recursive_server
+  when: bind_recursive_server | bool
 
 - name: Set bind configuration for authoritative server
   template:
@@ -43,7 +53,7 @@
     mode: "0644"
     force: yes
   notify: restart bind
-  when: bind_authoritative_server
+  when: bind_authoritative_server | bool
 
 - name: Create systemd service
   template:
@@ -65,7 +75,7 @@
     group: adm
     mode: "0640"
     state: touch
-  when: not bind_chroot_set
+  when: not (bind_chroot_set | bool)
 
 - name: "touch {{ bind_query_file }} if non chroot"
   file:
@@ -74,7 +84,7 @@
     group: adm
     mode: "0640"
     state: touch
-  when: not bind_chroot_set
+  when: not (bind_chroot_set | bool)
 
 - name: send chroot-bind.sh in /root
   copy:
@@ -84,17 +94,19 @@
     owner: root
     force: yes
     backup: yes
-  when: bind_chroot_set
+  when: bind_chroot_set | bool
 
 - name: exec chroot-bind.sh
   command: "/root/chroot-bind.sh"
   register: chrootbind_run
   changed_when: False
-  when: bind_chroot_set
+  when: bind_chroot_set | bool
 
 - debug:
     var: chrootbind_run.stdout_lines
-  when: bind_chroot_set and chrootbind_run.stdout != ""
+  when:
+    - bind_chroot_set | bool
+    - chrootbind_run.stdout | length > 0
 
 - name: Modify OPTIONS in /etc/default/bind9 for chroot
   replace:
@@ -102,7 +114,7 @@
     regexp: '^OPTIONS=.*'
     replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
   notify: restart bind
-  when: bind_chroot_set
+  when: bind_chroot_set | bool
 
 - name: logrotate for bind
   template:

bind/tasks/munin.yml

@@ -14,7 +14,7 @@
     src: "/usr/share/munin/plugins/{{ item }}"
     dest: "/etc/munin/plugins/{{ item }}"
     state: link
-  with_items:
+  loop:
     - bind9
     - bind9_rndc
   notify: restart munin-node
@@ -30,7 +30,7 @@
     src: "/usr/share/munin/plugins/{{ item }}"
     dest: "/etc/munin/plugins/{{ item }}"
     state: link
-  with_items:
+  loop:
     - bind9
     - bind9_rndc
   notify: restart munin-node

bind/templates/apparmor.usr.sbin.named.j2

@@ -0,0 +1,95 @@
+# vim:syntax=apparmor
+# Last Modified: Tue Mar  9 14:17:50 EST 2021
+#include <tunables/global>
+
+/usr/sbin/named flags=(attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+  capability sys_resource,
+
+  # /etc/bind should be read-only for bind
+  # /var/lib/bind is for dynamically updated zone (and journal) files.
+  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
+  # See /usr/share/doc/bind9/README.Debian.gz
+  /etc/bind/** r,
+  /var/lib/bind/** rw,
+  /var/lib/bind/ rw,
+  /var/cache/bind/** lrw,
+  /var/cache/bind/ rw,
+
+  # Database file used by allow-new-zones
+  /var/cache/bind/_default.nzd-lock rwk,
+
+  # gssapi
+  /etc/krb5.keytab kr,
+  /etc/bind/krb5.keytab kr,
+
+  # ssl
+  /etc/ssl/openssl.cnf r,
+
+  # root hints from dns-data-root
+  /usr/share/dns/root.* r,
+
+  # GeoIP data files for GeoIP ACLs
+  /usr/share/GeoIP/** r,
+
+  # dnscvsutil package
+  /var/lib/dnscvsutil/compiled/** rw,
+
+  # Allow changing worker thread names
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+  @{PROC}/net/if_inet6 r,
+  @{PROC}/*/net/if_inet6 r,
+  @{PROC}/sys/net/ipv4/ip_local_port_range r,
+  /usr/sbin/named mr,
+  /{,var/}run/named/named.pid w,
+  /{,var/}run/named/session.key w,
+  # support for resolvconf
+  /{,var/}run/named/named.options r,
+
+  # some people like to put logs in /var/log/named/ instead of having
+  # syslog do the heavy lifting.
+  {{ bind_log_file }} rw,
+  {{ bind_query_file }} rw,
+
+  # gssapi
+  /var/lib/sss/pubconf/krb5.include.d/** r,
+  /var/lib/sss/pubconf/krb5.include.d/ r,
+  /var/lib/sss/mc/initgroups r,
+  /etc/gss/mech.d/ r,
+
+  # ldap
+  /etc/ldap/ldap.conf r,
+  /{,var/}run/slapd-*.socket rw,
+
+  # dynamic updates
+  /var/tmp/DNS_* rw,
+
+  # dyndb backends
+  /usr/lib/bind/*.so rm,
+
+  # Samba DLZ
+  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
+  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
+  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
+  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
+  /var/lib/samba/bind-dns/dns.keytab rk,
+  /var/lib/samba/bind-dns/named.conf r,
+  /var/lib/samba/bind-dns/dns/** rwk,
+  /var/lib/samba/private/dns.keytab rk,
+  /var/lib/samba/private/named.conf r,
+  /var/lib/samba/private/dns/** rwk,
+  /etc/samba/smb.conf r,
+  /dev/urandom rwmk,
+  owner /var/tmp/krb5_* rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.named>
+}
+

bullseye-detect/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+# Force facts until Debian 11 is released because Ansible is dumb
+- set_fact:
+    ansible_distribution_major_version: 11
+    ansible_distribution: "Debian"
+    ansible_distribution_release: "bullseye"
+  when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'"

certbot/defaults/main.yml

@@ -1,3 +1,6 @@
 ---
 
 certbot_work_dir: /var/lib/letsencrypt
+certbot_custom_crontab: True
+
+certbot_hooks_sync_remote_servers: []

certbot/files/cron_jessie

@@ -8,4 +8,4 @@
 SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
+0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-upgrade -q renew

certbot/files/hooks/deploy/haproxy.sh

@@ -36,7 +36,7 @@ cert_and_key_mismatch() {
 }
 detect_haproxy_cert_dir() {
     # get last field or line wich defines the crt directory
-    config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/.+\b' "${haproxy_config_file}" | head -1 | awk '{ print $(NF)}')
+    config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${haproxy_config_file}" | head -1 | awk '{ print $(NF)}')
     if [ -n "${config_cert_dir}" ]; then
         debug "Cert directory is configured with ${config_cert_dir}"
         echo "${config_cert_dir}"
@@ -56,6 +56,9 @@ main() {
     fi
 
     if daemon_found_and_running; then
+        readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
+        readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
+
         if found_renewed_lineage; then
             haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
             failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
@@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
 
 readonly haproxy_bin=$(command -v haproxy)
-readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
-readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
 
 main

certbot/files/hooks/deploy/sync_remote.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+
+set -u
+
+error() {
+    >&2 echo "${PROGNAME}: $1"
+    exit 1
+}
+debug() {
+    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+        >&2 echo "${PROGNAME}: $1"
+    fi
+}
+found_renewed_lineage() {
+    test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+}
+cert_content() {
+    openssl x509 -text -in "${RENEWED_LINEAGE}/fullchain.pem"
+}
+domain_from_cert() {
+    if cert_content | grep -q "X509v3 Subject Alternative Name:" && cert_content | grep -q "DNS:"; then
+        cert_content | grep "DNS:" | sed -e 's/\s\+//g' -e 's/DNS://g'
+    else
+        cert_content | sed 's/^.*CN\ *=\ *//'
+    fi
+}
+main() {
+    if [ -z "${RENEWED_LINEAGE}" ]; then
+        error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
+    fi
+    if [ -z "${servers}" ]; then
+        debug "Empty server list, skip."
+        exit 0
+    fi
+
+    if found_renewed_lineage; then
+        RENEWED_DOMAINS=${RENEWED_DOMAINS:-$(domain_from_cert)}
+
+        remote_lineage=${remote_dir}/renewed_lineage/$(basename "${RENEWED_LINEAGE}")
+
+        for server in ${servers}; do
+            remote_host="root@${server}"
+            # shellcheck disable=SC2029
+            ssh "${remote_host}" "mkdir -p ${remote_lineage}" \
+                || error "Couldn't create ${remote_dir} directory ${server}"
+
+            rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \
+                || error "Couldn't sync certificate on ${server}"
+
+            rsync --archive --copy-links --delete --exclude "$(basename "$0")" --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \
+                || error "Couldn't sync hooks on ${server}"
+
+            # shellcheck disable=SC2029
+            ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=\"${RENEWED_DOMAINS}\"; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
+                || error "Something went wrong on ${server} for deploy hooks"
+        done
+    else
+        error "Couldn't find required files in \`${RENEWED_LINEAGE}'"
+    fi
+}
+
+PROGNAME=$(basename "$0")
+VERBOSE=${VERBOSE:-"0"}
+QUIET=${QUIET:-"0"}
+
+hooks_dir="/etc/letsencrypt/renewal-hooks/deploy"
+# The config file lust have the same name as the script, with a different extension (.cf instead of .sh)
+config_file="${0%.*}.cf"
+remote_dir="/root/cert_sync"
+
+if [ -f "${config_file}" ]; then
+    . "${config_file}"
+fi
+servers=${servers:-""}
+
+if [ -z "${servers}" ]; then
+    echo "${PROGNAME}: No server provided. Skip." >&2
+    exit 0
+fi
+
+main

certbot/files/hooks/deploy/z-commit-etc.sh

@@ -9,6 +9,13 @@ debug() {
         >&2 echo "${PROGNAME}: $1"
     fi
 }
+domain_from_cert() {
+    if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ]; then
+        openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//'
+    else
+        debug "Unable to find \`${RENEWED_LINEAGE}/fullchain.pem', skip domain detection."
+    fi
+}
 main() {
     export GIT_DIR="/etc/.git"
     export GIT_WORK_TREE="/etc"
@@ -17,12 +24,15 @@ main() {
       changed_lines=$(${git_bin} status --porcelain | wc -l | tr -d ' ')
 
       if [ "${changed_lines}" != "0" ]; then
+          if [ -z "${RENEWED_DOMAINS}" ] && [ -n "${RENEWED_LINEAGE}" ]; then
+              RENEWED_DOMAINS=$(domain_from_cert)
+          fi
           debug "Committing for ${RENEWED_DOMAINS}"
           ${git_bin} add --all
           message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
           ${git_bin} commit --message "${message}" --quiet
       else
-          error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
+          debug "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
       fi
     fi
 }
@@ -32,6 +42,5 @@ readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
 
 readonly git_bin=$(command -v git)
-readonly letsencrypt_dir=/etc/letsencrypt
 
 main

certbot/files/hooks/manual-deploy.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -u
+
+error() {
+    >&2 echo "${PROGNAME}: $1"
+    exit 1
+}
+debug() {
+    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+        >&2 echo "${PROGNAME}: $1"
+    fi
+}
+found_renewed_lineage() {
+    test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+}
+main() {
+    if [ -z "${RENEWED_LINEAGE:-}" ]; then
+        error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
+    fi
+    if [ "${VERBOSE}" = "1" ]; then
+        xargs_verbose="--verbose"
+    else
+        xargs_verbose=""
+    fi
+    if found_renewed_lineage; then
+        find "${hooks_dir}" -mindepth 1 -maxdepth 1 -type f -executable -print0 | sort --zero-terminated --dictionary-order | xargs ${xargs_verbose} --no-run-if-empty --null --max-args=1 sh -c
+    else
+        error "Couldn't find required files in \`${RENEWED_LINEAGE}'"
+    fi
+    
+}
+
+PROGNAME=$(basename "$0")
+VERBOSE=${VERBOSE:-"0"}
+QUIET=${QUIET:-"0"}
+
+hooks_dir="/etc/letsencrypt/renewal-hooks/deploy"
+
+main

certbot/files/letsencrypt-auto

@@ -0,0 +1,1988 @@
+#!/bin/sh
+#
+# Download and run the latest release version of the Certbot client.
+#
+# NOTE: THIS SCRIPT IS AUTO-GENERATED AND SELF-UPDATING
+#
+# IF YOU WANT TO EDIT IT LOCALLY, *ALWAYS* RUN YOUR COPY WITH THE
+# "--no-self-upgrade" FLAG
+#
+# IF YOU WANT TO SEND PULL REQUESTS, THE REAL SOURCE FOR THIS FILE IS
+# letsencrypt-auto-source/letsencrypt-auto.template AND
+# letsencrypt-auto-source/pieces/bootstrappers/*
+
+set -e  # Work even if somebody does "sh thisscript.sh".
+
+# Note: you can set XDG_DATA_HOME or VENV_PATH before running this script,
+# if you want to change where the virtual environment will be installed
+
+# HOME might not be defined when being run through something like systemd
+if [ -z "$HOME" ]; then
+  HOME=~root
+fi
+if [ -z "$XDG_DATA_HOME" ]; then
+  XDG_DATA_HOME=~/.local/share
+fi
+if [ -z "$VENV_PATH" ]; then
+  # We export these values so they are preserved properly if this script is
+  # rerun with sudo/su where $HOME/$XDG_DATA_HOME may have a different value.
+  export OLD_VENV_PATH="$XDG_DATA_HOME/letsencrypt"
+  export VENV_PATH="/opt/eff.org/certbot/venv"
+fi
+VENV_BIN="$VENV_PATH/bin"
+BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
+LE_AUTO_VERSION="1.14.0"
+BASENAME=$(basename $0)
+USAGE="Usage: $BASENAME [OPTIONS]
+A self-updating wrapper script for the Certbot ACME client. When run, updates
+to both this script and certbot will be downloaded and installed. After
+ensuring you have the latest versions installed, certbot will be invoked with
+all arguments you have provided.
+
+Help for certbot itself cannot be provided until it is installed.
+
+  --debug                                   attempt experimental installation
+  -h, --help                                print this help
+  -n, --non-interactive, --noninteractive   run without asking for user input
+  --no-bootstrap                            do not install OS dependencies
+  --no-permissions-check                    do not warn about file system permissions
+  --no-self-upgrade                         do not download updates
+  --os-packages-only                        install OS dependencies and exit
+  --install-only                            install certbot, upgrade if needed, and exit
+  -v, --verbose                             provide more output
+  -q, --quiet                               provide only update/error output;
+                                            implies --non-interactive
+
+All arguments are accepted and forwarded to the Certbot client when run."
+export CERTBOT_AUTO="$0"
+
+for arg in "$@" ; do
+  case "$arg" in
+    --debug)
+      DEBUG=1;;
+    --os-packages-only)
+      OS_PACKAGES_ONLY=1;;
+    --install-only)
+      INSTALL_ONLY=1;;
+    --no-self-upgrade)
+      # Do not upgrade this script (also prevents client upgrades, because each
+      # copy of the script pins a hash of the python client)
+      NO_SELF_UPGRADE=1;;
+    --no-permissions-check)
+      NO_PERMISSIONS_CHECK=1;;
+    --no-bootstrap)
+      NO_BOOTSTRAP=1;;
+    --help)
+      HELP=1;;
+    --noninteractive|--non-interactive)
+      NONINTERACTIVE=1;;
+    --quiet)
+      QUIET=1;;
+    renew)
+      ASSUME_YES=1;;
+    --verbose)
+      VERBOSE=1;;
+    -[!-]*)
+      OPTIND=1
+      while getopts ":hnvq" short_arg $arg; do
+        case "$short_arg" in
+          h)
+            HELP=1;;
+          n)
+            NONINTERACTIVE=1;;
+          q)
+            QUIET=1;;
+          v)
+            VERBOSE=1;;
+        esac
+      done;;
+  esac
+done
+
+if [ $BASENAME = "letsencrypt-auto" ]; then
+  # letsencrypt-auto does not respect --help or --yes for backwards compatibility
+  NONINTERACTIVE=1
+  HELP=0
+fi
+
+# Set ASSUME_YES to 1 if QUIET or NONINTERACTIVE
+if [ "$QUIET" = 1 -o "$NONINTERACTIVE" = 1 ]; then
+  ASSUME_YES=1
+fi
+
+say() {
+    if [  "$QUIET" != 1 ]; then
+        echo "$@"
+    fi
+}
+
+error() {
+    echo "$@"
+}
+
+# Support for busybox and others where there is no "command",
+# but "which" instead
+if command -v command > /dev/null 2>&1 ; then
+  export EXISTS="command -v"
+elif which which > /dev/null 2>&1 ; then
+  export EXISTS="which"
+else
+  error "Cannot find command nor which... please install one!"
+  exit 1
+fi
+
+# Certbot itself needs root access for almost all modes of operation.
+# certbot-auto needs root access to bootstrap OS dependencies and install
+# Certbot at a protected path so it can be safely run as root. To accomplish
+# this, this script will attempt to run itself as root if it doesn't have the
+# necessary privileges by using `sudo` or falling back to `su` if it is not
+# available. The mechanism used to obtain root access can be set explicitly by
+# setting the environment variable LE_AUTO_SUDO to 'sudo', 'su', 'su_sudo',
+# 'SuSudo', or '' as used below.
+
+# Because the parameters in `su -c` has to be a string,
+# we need to properly escape it.
+SuSudo() {
+  args=""
+  # This `while` loop iterates over all parameters given to this function.
+  # For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
+  # will be wrapped in a pair of `'`, then appended to `$args` string
+  # For example, `echo "It's only 1\$\!"` will be escaped to:
+  #   'echo' 'It'"'"'s only 1$!'
+  #     │       │└┼┘│
+  #     │       │ │ └── `'s only 1$!'` the literal string
+  #     │       │ └── `\"'\"` is a single quote (as a string)
+  #     │       └── `'It'`, to be concatenated with the strings following it
+  #     └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
+  while [ $# -ne 0 ]; do
+    args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
+    shift
+  done
+  su root -c "$args"
+}
+
+# Sets the environment variable SUDO to be the name of the program or function
+# to call to get root access. If this script already has root privleges, SUDO
+# is set to an empty string. The value in SUDO should be run with the command
+# to called with root privileges as arguments.
+SetRootAuthMechanism() {
+  SUDO=""
+  if [ -n "${LE_AUTO_SUDO+x}" ]; then
+    case "$LE_AUTO_SUDO" in
+      SuSudo|su_sudo|su)
+        SUDO=SuSudo
+        ;;
+      sudo)
+        SUDO="sudo -E"
+        ;;
+      '')
+        # If we're not running with root, don't check that this script can only
+        # be modified by system users and groups.
+        NO_PERMISSIONS_CHECK=1
+        ;;
+      *)
+        error "Error: unknown root authorization mechanism '$LE_AUTO_SUDO'."
+        exit 1
+    esac
+    say "Using preset root authorization mechanism '$LE_AUTO_SUDO'."
+  else
+    if test "`id -u`" -ne "0" ; then
+      if $EXISTS sudo 1>/dev/null 2>&1; then
+        SUDO="sudo -E"
+      else
+        say \"sudo\" is not available, will use \"su\" for installation steps...
+        SUDO=SuSudo
+      fi
+    fi
+  fi
+}
+
+if [ "$1" = "--cb-auto-has-root" ]; then
+  shift 1
+else
+  SetRootAuthMechanism
+  if [ -n "$SUDO" ]; then
+    say "Requesting to rerun $0 with root privileges..."
+    $SUDO "$0" --cb-auto-has-root "$@"
+    exit 0
+  fi
+fi
+
+# Runs this script again with the given arguments. --cb-auto-has-root is added
+# to the command line arguments to ensure we don't try to acquire root a
+# second time. After the script is rerun, we exit the current script.
+RerunWithArgs() {
+    "$0" --cb-auto-has-root "$@"
+    exit 0
+}
+
+BootstrapMessage() {
+  # Arguments: Platform name
+  say "Bootstrapping dependencies for $1... (you can skip this with --no-bootstrap)"
+}
+
+ExperimentalBootstrap() {
+  # Arguments: Platform name, bootstrap function name
+  if [ "$DEBUG" = 1 ]; then
+    if [ "$2" != "" ]; then
+      BootstrapMessage $1
+      $2
+    fi
+  else
+    error "FATAL: $1 support is very experimental at present..."
+    error "if you would like to work on improving it, please ensure you have backups"
+    error "and then run this script again with the --debug flag!"
+    error "Alternatively, you can install OS dependencies yourself and run this script"
+    error "again with --no-bootstrap."
+    exit 1
+  fi
+}
+
+DeprecationBootstrap() {
+  # Arguments: Platform name, bootstrap function name
+  if [ "$DEBUG" = 1 ]; then
+    if [ "$2" != "" ]; then
+      BootstrapMessage $1
+      $2
+    fi
+  else
+    error "WARNING: certbot-auto support for this $1 is DEPRECATED!"
+    error "Please visit certbot.eff.org to learn how to download a version of"
+    error "Certbot that is packaged for your system. While an existing version"
+    error "of certbot-auto may work currently, we have stopped supporting updating"
+    error "system packages for your system. Please switch to a packaged version"
+    error "as soon as possible."
+    exit 1
+  fi
+}
+
+MIN_PYTHON_2_VERSION="2.7"
+MIN_PYVER2=$(echo "$MIN_PYTHON_2_VERSION" | sed 's/\.//')
+MIN_PYTHON_3_VERSION="3.6"
+MIN_PYVER3=$(echo "$MIN_PYTHON_3_VERSION" | sed 's/\.//')
+# Sets LE_PYTHON to Python version string and PYVER to the first two
+# digits of the python version.
+# MIN_PYVER and MIN_PYTHON_VERSION are also set by this function, and their
+# values depend on if we try to use Python 3 or Python 2.
+DeterminePythonVersion() {
+  # Arguments: "NOCRASH" if we shouldn't crash if we don't find a good python
+  #
+  # If no Python is found, PYVER is set to 0.
+  if [ "$USE_PYTHON_3" = 1 ]; then
+    MIN_PYVER=$MIN_PYVER3
+    MIN_PYTHON_VERSION=$MIN_PYTHON_3_VERSION
+    for LE_PYTHON in "$LE_PYTHON" python3; do
+      # Break (while keeping the LE_PYTHON value) if found.
+      $EXISTS "$LE_PYTHON" > /dev/null && break
+    done
+  else
+    MIN_PYVER=$MIN_PYVER2
+    MIN_PYTHON_VERSION=$MIN_PYTHON_2_VERSION
+    for LE_PYTHON in "$LE_PYTHON" python2.7 python27 python2 python; do
+      # Break (while keeping the LE_PYTHON value) if found.
+      $EXISTS "$LE_PYTHON" > /dev/null && break
+    done
+  fi
+  if [ "$?" != "0" ]; then
+    if [ "$1" != "NOCRASH" ]; then
+      error "Cannot find any Pythons; please install one!"
+      exit 1
+    else
+      PYVER=0
+      return 0
+    fi
+  fi
+
+  PYVER=$("$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//')
+  if [ "$PYVER" -lt "$MIN_PYVER" ]; then
+    if [ "$1" != "NOCRASH" ]; then
+      error "You have an ancient version of Python entombed in your operating system..."
+      error "This isn't going to work; you'll need at least version $MIN_PYTHON_VERSION."
+      exit 1
+    fi
+  fi
+}
+
+# If new packages are installed by BootstrapDebCommon below, this version
+# number must be increased.
+BOOTSTRAP_DEB_COMMON_VERSION=1
+
+BootstrapDebCommon() {
+  # Current version tested with:
+  #
+  # - Ubuntu
+  #     - 14.04 (x64)
+  #     - 15.04 (x64)
+  # - Debian
+  #     - 7.9 "wheezy" (x64)
+  #     - sid (2015-10-21) (x64)
+
+  # Past versions tested with:
+  #
+  # - Debian 8.0 "jessie" (x64)
+  # - Raspbian 7.8 (armhf)
+
+  # Believed not to work:
+  #
+  # - Debian 6.0.10 "squeeze" (x64)
+
+  if [ "$QUIET" = 1 ]; then
+    QUIET_FLAG='-qq'
+  fi
+
+  apt-get $QUIET_FLAG update || error apt-get update hit problems but continuing anyway...
+
+  # virtualenv binary can be found in different packages depending on
+  # distro version (#346)
+
+  virtualenv=
+  # virtual env is known to apt and is installable
+  if apt-cache show virtualenv > /dev/null 2>&1 ; then
+    if ! LC_ALL=C apt-cache --quiet=0 show virtualenv 2>&1 | grep -q 'No packages found'; then
+      virtualenv="virtualenv"
+    fi
+  fi
+
+  if apt-cache show python-virtualenv > /dev/null 2>&1; then
+    virtualenv="$virtualenv python-virtualenv"
+  fi
+
+  augeas_pkg="libaugeas0 augeas-lenses"
+
+  if [ "$ASSUME_YES" = 1 ]; then
+    YES_FLAG="-y"
+  fi
+
+  apt-get install $QUIET_FLAG $YES_FLAG --no-install-recommends \
+    python \
+    python-dev \
+    $virtualenv \
+    gcc \
+    $augeas_pkg \
+    libssl-dev \
+    openssl \
+    libffi-dev \
+    ca-certificates \
+
+
+  if ! $EXISTS virtualenv > /dev/null ; then
+    error Failed to install a working \"virtualenv\" command, exiting
+    exit 1
+  fi
+}
+
+# If new packages are installed by BootstrapRpmCommonBase below, version
+# numbers in rpm_common.sh and rpm_python3.sh must be increased.
+
+# Sets TOOL to the name of the package manager
+# Sets appropriate values for YES_FLAG and QUIET_FLAG based on $ASSUME_YES and $QUIET_FLAG.
+# Note: this function is called both while selecting the bootstrap scripts and
+# during the actual bootstrap. Some things like prompting to user can be done in the latter
+# case, but not in the former one.
+InitializeRPMCommonBase() {
+  if type dnf 2>/dev/null
+  then
+    TOOL=dnf
+  elif type yum 2>/dev/null
+  then
+    TOOL=yum
+
+  else
+    error "Neither yum nor dnf found. Aborting bootstrap!"
+    exit 1
+  fi
+
+  if [ "$ASSUME_YES" = 1 ]; then
+    YES_FLAG="-y"
+  fi
+  if [ "$QUIET" = 1 ]; then
+    QUIET_FLAG='--quiet'
+  fi
+}
+
+BootstrapRpmCommonBase() {
+  # Arguments: whitespace-delimited python packages to install
+
+  InitializeRPMCommonBase # This call is superfluous in practice
+
+  pkgs="
+    gcc
+    augeas-libs
+    openssl
+    openssl-devel
+    libffi-devel
+    redhat-rpm-config
+    ca-certificates
+  "
+
+  # Add the python packages
+  pkgs="$pkgs
+    $1
+  "
+
+  if $TOOL list installed "httpd" >/dev/null 2>&1; then
+    pkgs="$pkgs
+      mod_ssl
+    "
+  fi
+
+  if ! $TOOL install $YES_FLAG $QUIET_FLAG $pkgs; then
+    error "Could not install OS dependencies. Aborting bootstrap!"
+    exit 1
+  fi
+}
+
+# If new packages are installed by BootstrapRpmCommon below, this version
+# number must be increased.
+BOOTSTRAP_RPM_COMMON_VERSION=1
+
+BootstrapRpmCommon() {
+  # Tested with:
+  #   - Fedora 20, 21, 22, 23 (x64)
+  #   - Centos 7 (x64: on DigitalOcean droplet)
+  #   - CentOS 7 Minimal install in a Hyper-V VM
+  #   - CentOS 6
+
+  InitializeRPMCommonBase
+
+  # Most RPM distros use the "python" or "python-" naming convention.  Let's try that first.
+  if $TOOL list python >/dev/null 2>&1; then
+    python_pkgs="$python
+      python-devel
+      python-virtualenv
+      python-tools
+      python-pip
+    "
+  # Fedora 26 starts to use the prefix python2 for python2 based packages.
+  # this elseif is theoretically for any Fedora over version 26:
+  elif $TOOL list python2 >/dev/null 2>&1; then
+    python_pkgs="$python2
+      python2-libs
+      python2-setuptools
+      python2-devel
+      python2-virtualenv
+      python2-tools
+      python2-pip
+    "
+  # Some distros and older versions of current distros use a "python27"
+  # instead of the "python" or "python-" naming convention.
+  else
+    python_pkgs="$python27
+      python27-devel
+      python27-virtualenv
+      python27-tools
+      python27-pip
+    "
+  fi
+
+  BootstrapRpmCommonBase "$python_pkgs"
+}
+
+# If new packages are installed by BootstrapRpmPython3 below, this version
+# number must be increased.
+BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION=1
+
+# Checks if rh-python36 can be installed.
+Python36SclIsAvailable() {
+  InitializeRPMCommonBase >/dev/null 2>&1;
+
+  if "${TOOL}" list rh-python36 >/dev/null 2>&1; then
+    return 0
+  fi
+  if "${TOOL}" list centos-release-scl >/dev/null 2>&1; then
+    return 0
+  fi
+  return 1
+}
+
+# Try to enable rh-python36 from SCL if it is necessary and possible.
+EnablePython36SCL() {
+  if "$EXISTS" python3.6 > /dev/null 2> /dev/null; then
+      return 0
+  fi
+  if [ ! -f /opt/rh/rh-python36/enable ]; then
+      return 0
+  fi
+  set +e
+  if ! . /opt/rh/rh-python36/enable; then
+    error 'Unable to enable rh-python36!'
+    exit 1
+  fi
+  set -e
+}
+
+# This bootstrap concerns old RedHat-based distributions that do not ship by default
+# with Python 2.7, but only Python 2.6. We bootstrap them by enabling SCL and installing
+# Python 3.6. Some of these distributions are: CentOS/RHEL/OL/SL 6.
+BootstrapRpmPython3Legacy() {
+  # Tested with:
+  #   - CentOS 6
+
+  InitializeRPMCommonBase
+
+  if ! "${TOOL}" list rh-python36 >/dev/null 2>&1; then
+    echo "To use Certbot on this operating system, packages from the SCL repository need to be installed."
+    if ! "${TOOL}" list centos-release-scl >/dev/null 2>&1; then
+      error "Enable the SCL repository and try running Certbot again."
+      exit 1
+    fi
+    if [ "${ASSUME_YES}" = 1 ]; then
+      /bin/echo -n "Enabling the SCL repository in 3 seconds... (Press Ctrl-C to cancel)"
+      sleep 1s
+      /bin/echo -ne "\e[0K\rEnabling the SCL repository in 2 seconds... (Press Ctrl-C to cancel)"
+      sleep 1s
+      /bin/echo -e "\e[0K\rEnabling the SCL repository in 1 second... (Press Ctrl-C to cancel)"
+      sleep 1s
+    fi
+    if ! "${TOOL}" install "${YES_FLAG}" "${QUIET_FLAG}" centos-release-scl; then
+      error "Could not enable SCL. Aborting bootstrap!"
+      exit 1
+    fi
+  fi
+
+  # CentOS 6 must use rh-python36 from SCL
+  if "${TOOL}" list rh-python36 >/dev/null 2>&1; then
+    python_pkgs="rh-python36-python
+      rh-python36-python-virtualenv
+      rh-python36-python-devel
+    "
+  else
+    error "No supported Python package available to install. Aborting bootstrap!"
+    exit 1
+  fi
+
+  BootstrapRpmCommonBase "${python_pkgs}"
+
+  # Enable SCL rh-python36 after bootstrapping.
+  EnablePython36SCL
+}
+
+# If new packages are installed by BootstrapRpmPython3 below, this version
+# number must be increased.
+BOOTSTRAP_RPM_PYTHON3_VERSION=1
+
+BootstrapRpmPython3() {
+  # Tested with:
+  #   - Fedora 29
+
+  InitializeRPMCommonBase
+
+  # Fedora 29 must use python3-virtualenv
+  if $TOOL list python3-virtualenv >/dev/null 2>&1; then
+    python_pkgs="python3
+      python3-virtualenv
+      python3-devel
+    "
+  else
+    error "No supported Python package available to install. Aborting bootstrap!"
+    exit 1
+  fi
+
+  BootstrapRpmCommonBase "$python_pkgs"
+}
+
+# If new packages are installed by BootstrapSuseCommon below, this version
+# number must be increased.
+BOOTSTRAP_SUSE_COMMON_VERSION=1
+
+BootstrapSuseCommon() {
+  # SLE12 don't have python-virtualenv
+
+  if [ "$ASSUME_YES" = 1 ]; then
+    zypper_flags="-nq"
+    install_flags="-l"
+  fi
+
+  if [ "$QUIET" = 1 ]; then
+    QUIET_FLAG='-qq'
+  fi
+
+  if zypper search -x python-virtualenv >/dev/null 2>&1; then
+    OPENSUSE_VIRTUALENV_PACKAGES="python-virtualenv"
+  else
+    # Since Leap 15.0 (and associated Tumbleweed version), python-virtualenv
+    # is a source package, and python2-virtualenv must be used instead.
+    # Also currently python2-setuptools is not a dependency of python2-virtualenv,
+    # while it should be. Installing it explicitly until upstream fix.
+    OPENSUSE_VIRTUALENV_PACKAGES="python2-virtualenv python2-setuptools"
+  fi
+
+  zypper $QUIET_FLAG $zypper_flags in $install_flags \
+    python \
+    python-devel \
+    $OPENSUSE_VIRTUALENV_PACKAGES \
+    gcc \
+    augeas-lenses \
+    libopenssl-devel \
+    libffi-devel \
+    ca-certificates
+}
+
+# If new packages are installed by BootstrapArchCommon below, this version
+# number must be increased.
+BOOTSTRAP_ARCH_COMMON_VERSION=1
+
+BootstrapArchCommon() {
+  # Tested with:
+  #   - ArchLinux (x86_64)
+  #
+  # "python-virtualenv" is Python3, but "python2-virtualenv" provides
+  # only "virtualenv2" binary, not "virtualenv".
+
+  deps="
+    python2
+    python-virtualenv
+    gcc
+    augeas
+    openssl
+    libffi
+    ca-certificates
+    pkg-config
+  "
+
+  # pacman -T exits with 127 if there are missing dependencies
+  missing=$(pacman -T $deps) || true
+
+  if [ "$ASSUME_YES" = 1 ]; then
+    noconfirm="--noconfirm"
+  fi
+
+  if [ "$missing" ]; then
+    if [ "$QUIET" = 1 ]; then
+      pacman -S --needed $missing $noconfirm > /dev/null
+    else
+      pacman -S --needed $missing $noconfirm
+    fi
+  fi
+}
+
+# If new packages are installed by BootstrapGentooCommon below, this version
+# number must be increased.
+BOOTSTRAP_GENTOO_COMMON_VERSION=1
+
+BootstrapGentooCommon() {
+  PACKAGES="
+    dev-lang/python:2.7
+    dev-python/virtualenv
+    app-admin/augeas
+    dev-libs/openssl
+    dev-libs/libffi
+    app-misc/ca-certificates
+    virtual/pkgconfig"
+
+  ASK_OPTION="--ask"
+  if [ "$ASSUME_YES" = 1 ]; then
+    ASK_OPTION=""
+  fi
+
+  case "$PACKAGE_MANAGER" in
+    (paludis)
+      cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x
+      ;;
+    (pkgcore)
+      pmerge --noreplace --oneshot $ASK_OPTION $PACKAGES
+      ;;
+    (portage|*)
+      emerge --noreplace --oneshot $ASK_OPTION $PACKAGES
+      ;;
+  esac
+}
+
+# If new packages are installed by BootstrapFreeBsd below, this version number
+# must be increased.
+BOOTSTRAP_FREEBSD_VERSION=1
+
+BootstrapFreeBsd() {
+  if [ "$QUIET" = 1 ]; then
+    QUIET_FLAG="--quiet"
+  fi
+
+  pkg install -Ay $QUIET_FLAG \
+    python \
+    py27-virtualenv \
+    augeas \
+    libffi
+}
+
+# If new packages are installed by BootstrapMac below, this version number must
+# be increased.
+BOOTSTRAP_MAC_VERSION=1
+
+BootstrapMac() {
+  if hash brew 2>/dev/null; then
+    say "Using Homebrew to install dependencies..."
+    pkgman=brew
+    pkgcmd="brew install"
+  elif hash port 2>/dev/null; then
+    say "Using MacPorts to install dependencies..."
+    pkgman=port
+    pkgcmd="port install"
+  else
+    say "No Homebrew/MacPorts; installing Homebrew..."
+    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
+    pkgman=brew
+    pkgcmd="brew install"
+  fi
+
+  $pkgcmd augeas
+  if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" \
+      -o "$(which python)" = "/usr/bin/python" ]; then
+    # We want to avoid using the system Python because it requires root to use pip.
+    # python.org, MacPorts or HomeBrew Python installations should all be OK.
+    say "Installing python..."
+    $pkgcmd python
+  fi
+
+  # Workaround for _dlopen not finding augeas on macOS
+  if [ "$pkgman" = "port" ] && ! [ -e "/usr/local/lib/libaugeas.dylib" ] && [ -e "/opt/local/lib/libaugeas.dylib" ]; then
+    say "Applying augeas workaround"
+    mkdir -p /usr/local/lib/
+    ln -s /opt/local/lib/libaugeas.dylib /usr/local/lib/
+  fi
+
+  if ! hash pip 2>/dev/null; then
+    say "pip not installed"
+    say "Installing pip..."
+    curl --silent --show-error --retry 5 https://bootstrap.pypa.io/get-pip.py | python
+  fi
+
+  if ! hash virtualenv 2>/dev/null; then
+    say "virtualenv not installed."
+    say "Installing with pip..."
+    pip install virtualenv
+  fi
+}
+
+# If new packages are installed by BootstrapSmartOS below, this version number
+# must be increased.
+BOOTSTRAP_SMARTOS_VERSION=1
+
+BootstrapSmartOS() {
+  pkgin update
+  pkgin -y install 'gcc49' 'py27-augeas' 'py27-virtualenv'
+}
+
+# If new packages are installed by BootstrapMageiaCommon below, this version
+# number must be increased.
+BOOTSTRAP_MAGEIA_COMMON_VERSION=1
+
+BootstrapMageiaCommon() {
+  if [ "$QUIET" = 1 ]; then
+    QUIET_FLAG='--quiet'
+  fi
+
+  if ! urpmi --force $QUIET_FLAG \
+      python \
+      libpython-devel \
+      python-virtualenv
+    then
+      error "Could not install Python dependencies. Aborting bootstrap!"
+      exit 1
+  fi
+
+  if ! urpmi --force $QUIET_FLAG \
+      git \
+      gcc \
+      python-augeas \
+      libopenssl-devel \
+      libffi-devel \
+      rootcerts
+    then
+      error "Could not install additional dependencies. Aborting bootstrap!"
+      exit 1
+    fi
+}
+
+
+# Set Bootstrap to the function that installs OS dependencies on this system
+# and BOOTSTRAP_VERSION to the unique identifier for the current version of
+# that function. If Bootstrap is set to a function that doesn't install any
+# packages BOOTSTRAP_VERSION is not set.
+if [ -f /etc/debian_version ]; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif [ -f /etc/mageia-release ]; then
+  # Mageia has both /etc/mageia-release and /etc/redhat-release
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif [ -f /etc/redhat-release ]; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+  # Run DeterminePythonVersion to decide on the basis of available Python versions
+  # whether to use 2.x or 3.x on RedHat-like systems.
+  # Then, revert LE_PYTHON to its previous state.
+  prev_le_python="$LE_PYTHON"
+  unset LE_PYTHON
+  DeterminePythonVersion "NOCRASH"
+
+  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
+
+  if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
+    # 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
+    DEPRECATED_OS=1
+  fi
+
+  # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
+  # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
+  # error, RPM_DIST_VERSION is set to "unknown".
+  RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
+
+  # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
+  # characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
+  if [ -z "$RPM_DIST_VERSION" ] || [ -n "$(echo "$RPM_DIST_VERSION" | tr -d '[0-9]')" ]; then
+     RPM_DIST_VERSION=0
+  fi
+
+  # Handle legacy RPM distributions
+  if [ "$PYVER" -eq 26 ]; then
+    # Check if an automated bootstrap can be achieved on this system.
+    if ! Python36SclIsAvailable; then
+      INTERACTIVE_BOOTSTRAP=1
+    fi
+
+    USE_PYTHON_3=1
+
+    # Try now to enable SCL rh-python36 for systems already bootstrapped
+    # NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
+    EnablePython36SCL
+  else
+    # Starting to Fedora 29, python2 is on a deprecation path. Let's move to python3 then.
+    # RHEL 8 also uses python3 by default.
+    if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 ]; then
+      RPM_USE_PYTHON_3=1
+    elif [ "$RPM_DIST_NAME" = "rhel" -a "$RPM_DIST_VERSION" -ge 8 ]; then
+      RPM_USE_PYTHON_3=1
+    elif [ "$RPM_DIST_NAME" = "centos" -a "$RPM_DIST_VERSION" -ge 8 ]; then
+      RPM_USE_PYTHON_3=1
+    else
+      RPM_USE_PYTHON_3=0
+    fi
+
+    if [ "$RPM_USE_PYTHON_3" = 1 ]; then
+      USE_PYTHON_3=1
+    fi
+  fi
+
+  LE_PYTHON="$prev_le_python"
+elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif [ -f /etc/arch-release ]; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif [ -f /etc/manjaro-release ]; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif [ -f /etc/gentoo-release ]; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif uname | grep -iq FreeBSD ; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif uname | grep -iq Darwin ; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+else
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
+fi
+
+# We handle this case after determining the normal bootstrap version to allow
+# variables like USE_PYTHON_3 to be properly set. As described above, if the
+# Bootstrap function doesn't install any packages, BOOTSTRAP_VERSION should not
+# be set so we unset it here.
+if [ "$NO_BOOTSTRAP" = 1 ]; then
+  Bootstrap() {
+    :
+  }
+  unset BOOTSTRAP_VERSION
+fi
+
+if [ "$DEPRECATED_OS" = 1 ]; then
+  Bootstrap() {
+    error "Skipping bootstrap because certbot-auto is deprecated on this system."
+  }
+  unset BOOTSTRAP_VERSION
+fi
+
+# Sets PREV_BOOTSTRAP_VERSION to the identifier for the bootstrap script used
+# to install OS dependencies on this system. PREV_BOOTSTRAP_VERSION isn't set
+# if it is unknown how OS dependencies were installed on this system.
+SetPrevBootstrapVersion() {
+  if [ -f $BOOTSTRAP_VERSION_PATH ]; then
+    PREV_BOOTSTRAP_VERSION=$(cat "$BOOTSTRAP_VERSION_PATH")
+  # The list below only contains bootstrap version strings that existed before
+  # we started writing them to disk.
+  #
+  # DO NOT MODIFY THIS LIST UNLESS YOU KNOW WHAT YOU'RE DOING!
+  elif grep -Fqx "$BOOTSTRAP_VERSION" << "UNLIKELY_EOF"
+BootstrapDebCommon 1
+BootstrapMageiaCommon 1
+BootstrapRpmCommon 1
+BootstrapSuseCommon 1
+BootstrapArchCommon 1
+BootstrapGentooCommon 1
+BootstrapFreeBsd 1
+BootstrapMac 1
+BootstrapSmartOS 1
+UNLIKELY_EOF
+  then
+    # If there's no bootstrap version saved to disk, but the currently selected
+    # bootstrap script is from before we started saving the version number,
+    # return the currently selected version to prevent us from rebootstrapping
+    # unnecessarily.
+    PREV_BOOTSTRAP_VERSION="$BOOTSTRAP_VERSION"
+  fi
+}
+
+TempDir() {
+  mktemp -d 2>/dev/null || mktemp -d -t 'le'  # Linux || macOS
+}
+
+# Returns 0 if a letsencrypt installation exists at $OLD_VENV_PATH, otherwise,
+# returns a non-zero number.
+OldVenvExists() {
+    [ -n "$OLD_VENV_PATH" -a -f "$OLD_VENV_PATH/bin/letsencrypt" ]
+}
+
+# Given python path, version 1 and version 2, check if version 1 is outdated compared to version 2.
+# An unofficial version provided as version 1 (eg. 0.28.0.dev0) will be treated
+# specifically by printing "UNOFFICIAL". Otherwise, print "OUTDATED" if version 1
+# is outdated, and "UP_TO_DATE" if not.
+# This function relies only on installed python environment (2.x or 3.x) by certbot-auto.
+CompareVersions() {
+    "$1" - "$2" "$3" << "UNLIKELY_EOF"
+import sys
+from distutils.version import StrictVersion
+
+try:
+    current = StrictVersion(sys.argv[1])
+except ValueError:
+    sys.stdout.write('UNOFFICIAL')
+    sys.exit()
+
+try:
+    remote = StrictVersion(sys.argv[2])
+except ValueError:
+    sys.stdout.write('UP_TO_DATE')
+    sys.exit()
+
+if current < remote:
+    sys.stdout.write('OUTDATED')
+else:
+    sys.stdout.write('UP_TO_DATE')
+UNLIKELY_EOF
+}
+
+# Create a new virtual environment for Certbot. It will overwrite any existing one.
+# Parameters: LE_PYTHON, VENV_PATH, PYVER, VERBOSE
+CreateVenv() {
+    "$1" - "$2" "$3" "$4" << "UNLIKELY_EOF"
+#!/usr/bin/env python
+import os
+import shutil
+import subprocess
+import sys
+
+
+def create_venv(venv_path, pyver, verbose):
+    if os.path.exists(venv_path):
+        shutil.rmtree(venv_path)
+
+    stdout = sys.stdout if verbose == '1' else open(os.devnull, 'w')
+
+    if int(pyver) <= 27:
+        # Use virtualenv binary
+        environ = os.environ.copy()
+        environ['VIRTUALENV_NO_DOWNLOAD'] = '1'
+        command = ['virtualenv', '--no-site-packages', '--python', sys.executable, venv_path]
+        subprocess.check_call(command, stdout=stdout, env=environ)
+    else:
+        # Use embedded venv module in Python 3
+        command = [sys.executable, '-m', 'venv', venv_path]
+        subprocess.check_call(command, stdout=stdout)
+
+
+if __name__ == '__main__':
+    create_venv(*sys.argv[1:])
+
+UNLIKELY_EOF
+}
+
+# Check that the given PATH_TO_CHECK has secured permissions.
+# Parameters: LE_PYTHON, PATH_TO_CHECK
+CheckPathPermissions() {
+    "$1" - "$2" << "UNLIKELY_EOF"
+"""Verifies certbot-auto cannot be modified by unprivileged users.
+
+This script takes the path to certbot-auto as its only command line
+argument.  It then checks that the file can only be modified by uid/gid
+< 1000 and if other users can modify the file, it prints a warning with
+a suggestion on how to solve the problem.
+
+Permissions on symlinks in the absolute path of certbot-auto are ignored
+and only the canonical path to certbot-auto is checked. There could be
+permissions problems due to the symlinks that are unreported by this
+script, however, issues like this were not caused by our documentation
+and are ignored for the sake of simplicity.
+
+All warnings are printed to stdout rather than stderr so all stderr
+output from this script can be suppressed to avoid printing messages if
+this script fails for some reason.
+
+"""
+from __future__ import print_function
+
+import os
+import stat
+import sys
+
+
+FORUM_POST_URL = 'https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/'
+
+
+def has_safe_permissions(path):
+    """Returns True if the given path has secure permissions.
+
+    The permissions are considered safe if the file is only writable by
+    uid/gid < 1000.
+
+    The reason we allow more IDs than 0 is because on some systems such
+    as Debian, system users/groups other than uid/gid 0 are used for the
+    path we recommend in our instructions which is /usr/local/bin.  1000
+    was chosen because on Debian 0-999 is reserved for system IDs[1] and
+    on RHEL either 0-499 or 0-999 is reserved depending on the
+    version[2][3]. Due to these differences across different OSes, this
+    detection isn't perfect so we only determine permissions are
+    insecure when we can be reasonably confident there is a problem
+    regardless of the underlying OS.
+
+    [1] https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
+    [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/ch-managing_users_and_groups
+    [3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-managing_users_and_groups
+
+    :param str path: filesystem path to check
+    :returns: True if the path has secure permissions, otherwise, False
+    :rtype: bool
+
+    """
+    # os.stat follows symlinks before obtaining information about a file.
+    stat_result = os.stat(path)
+    if stat_result.st_mode & stat.S_IWOTH:
+        return False
+    if stat_result.st_mode & stat.S_IWGRP and stat_result.st_gid >= 1000:
+        return False
+    if stat_result.st_mode & stat.S_IWUSR and stat_result.st_uid >= 1000:
+        return False
+    return True
+
+
+def main(certbot_auto_path):
+    current_path = os.path.realpath(certbot_auto_path)
+    last_path = None
+    permissions_ok = True
+    # This loop makes use of the fact that os.path.dirname('/') == '/'.
+    while current_path != last_path and permissions_ok:
+        permissions_ok = has_safe_permissions(current_path)
+        last_path = current_path
+        current_path = os.path.dirname(current_path)
+
+    if not permissions_ok:
+        print('{0} has insecure permissions!'.format(certbot_auto_path))
+        print('To learn how to fix them, visit {0}'.format(FORUM_POST_URL))
+
+
+if __name__ == '__main__':
+    main(sys.argv[1])
+
+UNLIKELY_EOF
+}
+
+if [ "$1" = "--le-auto-phase2" ]; then
+  # Phase 2: Create venv, install LE, and run.
+
+  shift 1  # the --le-auto-phase2 arg
+
+  if [ "$DEPRECATED_OS" = 1 ]; then
+    # Phase 2 damage control mode for deprecated OSes.
+    # In this situation, we bypass any bootstrap or certbot venv setup.
+    # error "Your system is not supported by certbot-auto anymore."
+
+    if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
+      VENV_BIN="$OLD_VENV_PATH/bin"
+    fi
+
+    if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
+      # error "certbot-auto and its Certbot installation will no longer receive updates."
+      # error "You will not receive any bug fixes including those fixing server compatibility"
+      # error "or security problems."
+      # error "Please visit https://certbot.eff.org/ to check for other alternatives."
+      "$VENV_BIN/letsencrypt" "$@"
+      exit 0
+    else
+      error "Certbot cannot be installed."
+      error "Please visit https://certbot.eff.org/ to check for other alternatives."
+      exit 1
+    fi
+  fi
+
+  SetPrevBootstrapVersion
+
+  if [ -z "$PHASE_1_VERSION" -a "$USE_PYTHON_3" = 1 ]; then
+    unset LE_PYTHON
+  fi
+
+  INSTALLED_VERSION="none"
+  if [ -d "$VENV_PATH" ] || OldVenvExists; then
+    # If the selected Bootstrap function isn't a noop and it differs from the
+    # previously used version
+    if [ -n "$BOOTSTRAP_VERSION" -a "$BOOTSTRAP_VERSION" != "$PREV_BOOTSTRAP_VERSION" ]; then
+      # Check if we can rebootstrap without manual user intervention: this requires that
+      # certbot-auto is in non-interactive mode AND selected bootstrap does not claim to
+      # require a manual user intervention.
+      if [ "$NONINTERACTIVE" = 1 -a "$INTERACTIVE_BOOTSTRAP" != 1 ]; then
+        CAN_REBOOTSTRAP=1
+      fi
+      # Check if rebootstrap can be done non-interactively and current shell is non-interactive
+      # (true if stdin and stdout are not attached to a terminal).
+      if [ \( "$CAN_REBOOTSTRAP" = 1 \) -o \( \( -t 0 \) -a \( -t 1 \) \) ]; then
+        if [ -d "$VENV_PATH" ]; then
+          rm -rf "$VENV_PATH"
+        fi
+        # In the case the old venv was just a symlink to the new one,
+        # OldVenvExists is now false because we deleted the venv at VENV_PATH.
+        if OldVenvExists; then
+          rm -rf "$OLD_VENV_PATH"
+          ln -s "$VENV_PATH" "$OLD_VENV_PATH"
+        fi
+        RerunWithArgs "$@"
+      # Otherwise bootstrap needs to be done manually by the user.
+      else
+        # If it is because bootstrapping is interactive, --non-interactive will be of no use.
+        if [ "$INTERACTIVE_BOOTSTRAP" = 1 ]; then
+          error "Skipping upgrade because new OS dependencies may need to be installed."
+          error "This requires manual user intervention: please run this script again manually."
+        # If this is because of the environment (eg. non interactive shell without
+        # --non-interactive flag set), help the user in that direction.
+        else
+          error "Skipping upgrade because new OS dependencies may need to be installed."
+          error
+          error "To upgrade to a newer version, please run this script again manually so you can"
+          error "approve changes or with --non-interactive on the command line to automatically"
+          error "install any required packages."
+        fi
+        # Set INSTALLED_VERSION to be the same so we don't update the venv
+        INSTALLED_VERSION="$LE_AUTO_VERSION"
+        # Continue to use OLD_VENV_PATH if the new venv doesn't exist
+        if [ ! -d "$VENV_PATH" ]; then
+          VENV_BIN="$OLD_VENV_PATH/bin"
+        fi
+      fi
+    elif [ -f "$VENV_BIN/letsencrypt" ]; then
+      # --version output ran through grep due to python-cryptography DeprecationWarnings
+      # grep for both certbot and letsencrypt until certbot and shim packages have been released
+      INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | grep "^certbot\|^letsencrypt" | cut -d " " -f 2)
+      if [ -z "$INSTALLED_VERSION" ]; then
+          error "Error: couldn't get currently installed version for $VENV_BIN/letsencrypt: " 1>&2
+          "$VENV_BIN/letsencrypt" --version
+          exit 1
+      fi
+    fi
+  fi
+
+  if [ "$LE_AUTO_VERSION" != "$INSTALLED_VERSION" ]; then
+    say "Creating virtual environment..."
+    DeterminePythonVersion
+    CreateVenv "$LE_PYTHON" "$VENV_PATH" "$PYVER" "$VERBOSE"
+
+    if [ -n "$BOOTSTRAP_VERSION" ]; then
+      echo "$BOOTSTRAP_VERSION" > "$BOOTSTRAP_VERSION_PATH"
+    elif [ -n "$PREV_BOOTSTRAP_VERSION" ]; then
+      echo "$PREV_BOOTSTRAP_VERSION" > "$BOOTSTRAP_VERSION_PATH"
+    fi
+
+    say "Installing Python packages..."
+    TEMP_DIR=$(TempDir)
+    trap 'rm -rf "$TEMP_DIR"' EXIT
+    # There is no $ interpolation due to quotes on starting heredoc delimiter.
+    # -------------------------------------------------------------------------
+    cat << "UNLIKELY_EOF" > "$TEMP_DIR/letsencrypt-auto-requirements.txt"
+# This is the flattened list of packages certbot-auto installs.
+# To generate this, do (with docker and package hashin installed):
+# ```
+# letsencrypt-auto-source/rebuild_dependencies.py \
+#   letsencrypt-auto-source/pieces/dependency-requirements.txt
+# ```
+# If you want to update a single dependency, run commands similar to these:
+# ```
+# pip install hashin
+# hashin -r dependency-requirements.txt cryptography==1.5.2
+# ```
+ConfigArgParse==1.2.3 \
+    --hash=sha256:edd17be986d5c1ba2e307150b8e5f5107aba125f3574dddd02c85d5cdcfd37dc
+certifi==2020.4.5.1 \
+    --hash=sha256:1d987a998c75633c40847cc966fcf5904906c920a7f17ef374f5aa4282abd304 \
+    --hash=sha256:51fcb31174be6e6664c5f69e3e1691a2d72a1a12e90f872cbdb1567eb47b6519
+cffi==1.14.0 \
+    --hash=sha256:001bf3242a1bb04d985d63e138230802c6c8d4db3668fb545fb5005ddf5bb5ff \
+    --hash=sha256:00789914be39dffba161cfc5be31b55775de5ba2235fe49aa28c148236c4e06b \
+    --hash=sha256:028a579fc9aed3af38f4892bdcc7390508adabc30c6af4a6e4f611b0c680e6ac \
+    --hash=sha256:14491a910663bf9f13ddf2bc8f60562d6bc5315c1f09c704937ef17293fb85b0 \
+    --hash=sha256:1cae98a7054b5c9391eb3249b86e0e99ab1e02bb0cc0575da191aedadbdf4384 \
+    --hash=sha256:2089ed025da3919d2e75a4d963d008330c96751127dd6f73c8dc0c65041b4c26 \
+    --hash=sha256:2d384f4a127a15ba701207f7639d94106693b6cd64173d6c8988e2c25f3ac2b6 \
+    --hash=sha256:337d448e5a725bba2d8293c48d9353fc68d0e9e4088d62a9571def317797522b \
+    --hash=sha256:399aed636c7d3749bbed55bc907c3288cb43c65c4389964ad5ff849b6370603e \
+    --hash=sha256:3b911c2dbd4f423b4c4fcca138cadde747abdb20d196c4a48708b8a2d32b16dd \
+    --hash=sha256:3d311bcc4a41408cf5854f06ef2c5cab88f9fded37a3b95936c9879c1640d4c2 \
+    --hash=sha256:62ae9af2d069ea2698bf536dcfe1e4eed9090211dbaafeeedf5cb6c41b352f66 \
+    --hash=sha256:66e41db66b47d0d8672d8ed2708ba91b2f2524ece3dee48b5dfb36be8c2f21dc \
+    --hash=sha256:675686925a9fb403edba0114db74e741d8181683dcf216be697d208857e04ca8 \
+    --hash=sha256:7e63cbcf2429a8dbfe48dcc2322d5f2220b77b2e17b7ba023d6166d84655da55 \
+    --hash=sha256:8a6c688fefb4e1cd56feb6c511984a6c4f7ec7d2a1ff31a10254f3c817054ae4 \
+    --hash=sha256:8c0ffc886aea5df6a1762d0019e9cb05f825d0eec1f520c51be9d198701daee5 \
+    --hash=sha256:95cd16d3dee553f882540c1ffe331d085c9e629499ceadfbda4d4fde635f4b7d \
+    --hash=sha256:99f748a7e71ff382613b4e1acc0ac83bf7ad167fb3802e35e90d9763daba4d78 \
+    --hash=sha256:b8c78301cefcf5fd914aad35d3c04c2b21ce8629b5e4f4e45ae6812e461910fa \
+    --hash=sha256:c420917b188a5582a56d8b93bdd8e0f6eca08c84ff623a4c16e809152cd35793 \
+    --hash=sha256:c43866529f2f06fe0edc6246eb4faa34f03fe88b64a0a9a942561c8e22f4b71f \
+    --hash=sha256:cab50b8c2250b46fe738c77dbd25ce017d5e6fb35d3407606e7a4180656a5a6a \
+    --hash=sha256:cef128cb4d5e0b3493f058f10ce32365972c554572ff821e175dbc6f8ff6924f \
+    --hash=sha256:cf16e3cf6c0a5fdd9bc10c21687e19d29ad1fe863372b5543deaec1039581a30 \
+    --hash=sha256:e56c744aa6ff427a607763346e4170629caf7e48ead6921745986db3692f987f \
+    --hash=sha256:e577934fc5f8779c554639376beeaa5657d54349096ef24abe8c74c5d9c117c3 \
+    --hash=sha256:f2b0fa0c01d8a0c7483afd9f31d7ecf2d71760ca24499c8697aeb5ca37dc090c
+chardet==3.0.4 \
+    --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae \
+    --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691
+configobj==5.0.6 \
+    --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902
+cryptography==2.8 \
+    --hash=sha256:02079a6addc7b5140ba0825f542c0869ff4df9a69c360e339ecead5baefa843c \
+    --hash=sha256:1df22371fbf2004c6f64e927668734070a8953362cd8370ddd336774d6743595 \
+    --hash=sha256:369d2346db5934345787451504853ad9d342d7f721ae82d098083e1f49a582ad \
+    --hash=sha256:3cda1f0ed8747339bbdf71b9f38ca74c7b592f24f65cdb3ab3765e4b02871651 \
+    --hash=sha256:44ff04138935882fef7c686878e1c8fd80a723161ad6a98da31e14b7553170c2 \
+    --hash=sha256:4b1030728872c59687badcca1e225a9103440e467c17d6d1730ab3d2d64bfeff \
+    --hash=sha256:58363dbd966afb4f89b3b11dfb8ff200058fbc3b947507675c19ceb46104b48d \
+    --hash=sha256:6ec280fb24d27e3d97aa731e16207d58bd8ae94ef6eab97249a2afe4ba643d42 \
+    --hash=sha256:7270a6c29199adc1297776937a05b59720e8a782531f1f122f2eb8467f9aab4d \
+    --hash=sha256:73fd30c57fa2d0a1d7a49c561c40c2f79c7d6c374cc7750e9ac7c99176f6428e \
+    --hash=sha256:7f09806ed4fbea8f51585231ba742b58cbcfbfe823ea197d8c89a5e433c7e912 \
+    --hash=sha256:90df0cc93e1f8d2fba8365fb59a858f51a11a394d64dbf3ef844f783844cc793 \
+    --hash=sha256:971221ed40f058f5662a604bd1ae6e4521d84e6cad0b7b170564cc34169c8f13 \
+    --hash=sha256:a518c153a2b5ed6b8cc03f7ae79d5ffad7315ad4569b2d5333a13c38d64bd8d7 \
+    --hash=sha256:b0de590a8b0979649ebeef8bb9f54394d3a41f66c5584fff4220901739b6b2f0 \
+    --hash=sha256:b43f53f29816ba1db8525f006fa6f49292e9b029554b3eb56a189a70f2a40879 \
+    --hash=sha256:d31402aad60ed889c7e57934a03477b572a03af7794fa8fb1780f21ea8f6551f \
+    --hash=sha256:de96157ec73458a7f14e3d26f17f8128c959084931e8997b9e655a39c8fde9f9 \
+    --hash=sha256:df6b4dca2e11865e6cfbfb708e800efb18370f5a46fd601d3755bc7f85b3a8a2 \
+    --hash=sha256:ecadccc7ba52193963c0475ac9f6fa28ac01e01349a2ca48509667ef41ffd2cf \
+    --hash=sha256:fb81c17e0ebe3358486cd8cc3ad78adbae58af12fc2bf2bc0bb84e8090fa5ce8
+distro==1.5.0 \
+    --hash=sha256:0e58756ae38fbd8fc3020d54badb8eae17c5b9dcbed388b17bb55b8a5928df92 \
+    --hash=sha256:df74eed763e18d10d0da624258524ae80486432cd17392d9c3d96f5e83cd2799
+enum34==1.1.10; python_version < '3.4' \
+    --hash=sha256:a98a201d6de3f2ab3db284e70a33b0f896fbf35f8086594e8c9e74b909058d53 \
+    --hash=sha256:c3858660960c984d6ab0ebad691265180da2b43f07e061c0f8dca9ef3cffd328 \
+    --hash=sha256:cce6a7477ed816bd2542d03d53db9f0db935dd013b70f336a95c73979289f248
+funcsigs==1.0.2 \
+    --hash=sha256:330cc27ccbf7f1e992e69fef78261dc7c6569012cf397db8d3de0234e6c937ca \
+    --hash=sha256:a7bb0f2cf3a3fd1ab2732cb49eba4252c2af4240442415b4abce3b87022a8f50
+idna==2.9 \
+    --hash=sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb \
+    --hash=sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa
+ipaddress==1.0.23 \
+    --hash=sha256:6e0f4a39e66cb5bb9a137b00276a2eff74f93b71dcbdad6f10ff7df9d3557fcc \
+    --hash=sha256:b7f8e0369580bb4a24d5ba1d7cc29660a4a6987763faf1d8a8046830e020e7e2
+josepy==1.3.0 \
+    --hash=sha256:c341ffa403399b18e9eae9012f804843045764d1390f9cb4648980a7569b1619 \
+    --hash=sha256:e54882c64be12a2a76533f73d33cba9e331950fda9e2731e843490b774e7a01c
+mock==1.3.0 \
+    --hash=sha256:1e247dbecc6ce057299eb7ee019ad68314bb93152e81d9a6110d35f4d5eca0f6 \
+    --hash=sha256:3f573a18be94de886d1191f27c168427ef693e8dcfcecf95b170577b2eb69cbb
+parsedatetime==2.5 \
+    --hash=sha256:3b835fc54e472c17ef447be37458b400e3fefdf14bb1ffdedb5d2c853acf4ba1 \
+    --hash=sha256:d2e9ddb1e463de871d32088a3f3cea3dc8282b1b2800e081bd0ef86900451667
+pbr==5.4.5 \
+    --hash=sha256:07f558fece33b05caf857474a366dfcc00562bca13dd8b47b2b3e22d9f9bf55c \
+    --hash=sha256:579170e23f8e0c2f24b0de612f71f648eccb79fb1322c814ae6b3c07b5ba23e8
+pyOpenSSL==19.1.0 \
+    --hash=sha256:621880965a720b8ece2f1b2f54ea2071966ab00e2970ad2ce11d596102063504 \
+    --hash=sha256:9a24494b2602aaf402be5c9e30a0b82d4a5c67528fe8fb475e3f3bc00dd69507
+pyRFC3339==1.1 \
+    --hash=sha256:67196cb83b470709c580bb4738b83165e67c6cc60e1f2e4f286cfcb402a926f4 \
+    --hash=sha256:81b8cbe1519cdb79bed04910dd6fa4e181faf8c88dff1e1b987b5f7ab23a5b1a
+pycparser==2.20 \
+    --hash=sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0 \
+    --hash=sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705
+pyparsing==2.4.7 \
+    --hash=sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 \
+    --hash=sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b
+python-augeas==0.5.0 \
+    --hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2
+pytz==2020.1 \
+    --hash=sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed \
+    --hash=sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048
+requests==2.23.0 \
+    --hash=sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee \
+    --hash=sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6
+requests-toolbelt==0.9.1 \
+    --hash=sha256:380606e1d10dc85c3bd47bf5a6095f815ec007be7a8b69c878507068df059e6f \
+    --hash=sha256:968089d4584ad4ad7c171454f0a5c6dac23971e9472521ea3b6d49d610aa6fc0
+six==1.15.0 \
+    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
+    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+urllib3==1.25.9 \
+    --hash=sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527 \
+    --hash=sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115
+zope.component==4.6.1 \
+    --hash=sha256:bfbe55d4a93e70a78b10edc3aad4de31bb8860919b7cbd8d66f717f7d7b279ac \
+    --hash=sha256:d9c7c27673d787faff8a83797ce34d6ebcae26a370e25bddb465ac2182766aca
+zope.deferredimport==4.3.1 \
+    --hash=sha256:57b2345e7b5eef47efcd4f634ff16c93e4265de3dcf325afc7315ade48d909e1 \
+    --hash=sha256:9a0c211df44aa95f1c4e6d2626f90b400f56989180d3ef96032d708da3d23e0a
+zope.deprecation==4.4.0 \
+    --hash=sha256:0d453338f04bacf91bbfba545d8bcdf529aa829e67b705eac8c1a7fdce66e2df \
+    --hash=sha256:f1480b74995958b24ce37b0ef04d3663d2683e5d6debc96726eff18acf4ea113
+zope.event==4.4 \
+    --hash=sha256:69c27debad9bdacd9ce9b735dad382142281ac770c4a432b533d6d65c4614bcf \
+    --hash=sha256:d8e97d165fd5a0997b45f5303ae11ea3338becfe68c401dd88ffd2113fe5cae7
+zope.hookable==5.0.1 \
+    --hash=sha256:0194b9b9e7f614abba60c90b231908861036578297515d3d6508eb10190f266d \
+    --hash=sha256:0c2977473918bdefc6fa8dfb311f154e7f13c6133957fe649704deca79b92093 \
+    --hash=sha256:17b8bdb3b77e03a152ca0d5ca185a7ae0156f5e5a2dbddf538676633a1f7380f \
+    --hash=sha256:29d07681a78042cdd15b268ae9decffed9ace68a53eebeb61d65ae931d158841 \
+    --hash=sha256:36fb1b35d1150267cb0543a1ddd950c0bc2c75ed0e6e92e3aaa6ac2e29416cb7 \
+    --hash=sha256:3aed60c2bb5e812bbf9295c70f25b17ac37c233f30447a96c67913ba5073642f \
+    --hash=sha256:3cac1565cc768911e72ca9ec4ddf5c5109e1fef0104f19f06649cf1874943b60 \
+    --hash=sha256:3d4bc0cc4a37c3cd3081063142eeb2125511db3c13f6dc932d899c512690378e \
+    --hash=sha256:3f73096f27b8c28be53ffb6604f7b570fbbb82f273c6febe5f58119009b59898 \
+    --hash=sha256:522d1153d93f2d48aa0bd9fb778d8d4500be2e4dcf86c3150768f0e3adbbc4ef \
+    --hash=sha256:523d2928fb7377bbdbc9af9c0b14ad73e6eaf226349f105733bdae27efd15b5a \
+    --hash=sha256:5848309d4fc5c02150a45e8f8d2227e5bfda386a508bbd3160fed7c633c5a2fa \
+    --hash=sha256:6781f86e6d54a110980a76e761eb54590630fd2af2a17d7edf02a079d2646c1d \
+    --hash=sha256:6fd27921ebf3aaa945fa25d790f1f2046204f24dba4946f82f5f0a442577c3e9 \
+    --hash=sha256:70d581862863f6bf9e175e85c9d70c2d7155f53fb04dcdb2f73cf288ca559a53 \
+    --hash=sha256:81867c23b0dc66c8366f351d00923f2bc5902820a24c2534dfd7bf01a5879963 \
+    --hash=sha256:81db29edadcbb740cd2716c95a297893a546ed89db1bfe9110168732d7f0afdd \
+    --hash=sha256:86bd12624068cea60860a0759af5e2c3adc89c12aef6f71cf12f577e28deefe3 \
+    --hash=sha256:9c184d8f9f7a76e1ced99855ccf390ffdd0ec3765e5cbf7b9cada600accc0a1e \
+    --hash=sha256:acc789e8c29c13555e43fe4bf9fcd15a65512c9645e97bbaa5602e3201252b02 \
+    --hash=sha256:afaa740206b7660d4cc3b8f120426c85761f51379af7a5b05451f624ad12b0af \
+    --hash=sha256:b5f5fa323f878bb16eae68ea1ba7f6c0419d4695d0248bed4b18f51d7ce5ab85 \
+    --hash=sha256:bd89e0e2c67bf4ac3aca2a19702b1a37269fb1923827f68324ac2e7afd6e3406 \
+    --hash=sha256:c212de743283ec0735db24ec6ad913758df3af1b7217550ff270038062afd6ae \
+    --hash=sha256:ca553f524293a0bdea05e7f44c3e685e4b7b022cb37d87bc4a3efa0f86587a8d \
+    --hash=sha256:cab67065a3db92f636128d3157cc5424a145f82d96fb47159c539132833a6d36 \
+    --hash=sha256:d3b3b3eedfdbf6b02898216e85aa6baf50207f4378a2a6803d6d47650cd37031 \
+    --hash=sha256:d9f4a5a72f40256b686d31c5c0b1fde503172307beb12c1568296e76118e402c \
+    --hash=sha256:df5067d87aaa111ed5d050e1ee853ba284969497f91806efd42425f5348f1c06 \
+    --hash=sha256:e2587644812c6138f05b8a41594a8337c6790e3baf9a01915e52438c13fc6bef \
+    --hash=sha256:e27fd877662db94f897f3fd532ef211ca4901eb1a70ba456f15c0866a985464a \
+    --hash=sha256:e427ebbdd223c72e06ba94c004bb04e996c84dec8a0fa84e837556ae145c439e \
+    --hash=sha256:e583ad4309c203ef75a09d43434cf9c2b4fa247997ecb0dcad769982c39411c7 \
+    --hash=sha256:e760b2bc8ece9200804f0c2b64d10147ecaf18455a2a90827fbec4c9d84f3ad5 \
+    --hash=sha256:ea9a9cc8bcc70e18023f30fa2f53d11ae069572a162791224e60cd65df55fb69 \
+    --hash=sha256:ecb3f17dce4803c1099bd21742cd126b59817a4e76a6544d31d2cca6e30dbffd \
+    --hash=sha256:ed794e3b3de42486d30444fb60b5561e724ee8a2d1b17b0c2e0f81e3ddaf7a87 \
+    --hash=sha256:ee885d347279e38226d0a437b6a932f207f691c502ee565aba27a7022f1285df \
+    --hash=sha256:fd5e7bc5f24f7e3d490698f7b854659a9851da2187414617cd5ed360af7efd63 \
+    --hash=sha256:fe45f6870f7588ac7b2763ff1ce98cce59369717afe70cc353ec5218bc854bcc
+zope.interface==5.1.0 \
+    --hash=sha256:0103cba5ed09f27d2e3de7e48bb320338592e2fabc5ce1432cf33808eb2dfd8b \
+    --hash=sha256:14415d6979356629f1c386c8c4249b4d0082f2ea7f75871ebad2e29584bd16c5 \
+    --hash=sha256:1ae4693ccee94c6e0c88a4568fb3b34af8871c60f5ba30cf9f94977ed0e53ddd \
+    --hash=sha256:1b87ed2dc05cb835138f6a6e3595593fea3564d712cb2eb2de963a41fd35758c \
+    --hash=sha256:269b27f60bcf45438e8683269f8ecd1235fa13e5411de93dae3b9ee4fe7f7bc7 \
+    --hash=sha256:27d287e61639d692563d9dab76bafe071fbeb26818dd6a32a0022f3f7ca884b5 \
+    --hash=sha256:39106649c3082972106f930766ae23d1464a73b7d30b3698c986f74bf1256a34 \
+    --hash=sha256:40e4c42bd27ed3c11b2c983fecfb03356fae1209de10686d03c02c8696a1d90e \
+    --hash=sha256:461d4339b3b8f3335d7e2c90ce335eb275488c587b61aca4b305196dde2ff086 \
+    --hash=sha256:4f98f70328bc788c86a6a1a8a14b0ea979f81ae6015dd6c72978f1feff70ecda \
+    --hash=sha256:558a20a0845d1a5dc6ff87cd0f63d7dac982d7c3be05d2ffb6322a87c17fa286 \
+    --hash=sha256:562dccd37acec149458c1791da459f130c6cf8902c94c93b8d47c6337b9fb826 \
+    --hash=sha256:5e86c66a6dea8ab6152e83b0facc856dc4d435fe0f872f01d66ce0a2131b7f1d \
+    --hash=sha256:60a207efcd8c11d6bbeb7862e33418fba4e4ad79846d88d160d7231fcb42a5ee \
+    --hash=sha256:645a7092b77fdbc3f68d3cc98f9d3e71510e419f54019d6e282328c0dd140dcd \
+    --hash=sha256:6874367586c020705a44eecdad5d6b587c64b892e34305bb6ed87c9bbe22a5e9 \
+    --hash=sha256:74bf0a4f9091131de09286f9a605db449840e313753949fe07c8d0fe7659ad1e \
+    --hash=sha256:7b726194f938791a6691c7592c8b9e805fc6d1b9632a833b9c0640828cd49cbc \
+    --hash=sha256:8149ded7f90154fdc1a40e0c8975df58041a6f693b8f7edcd9348484e9dc17fe \
+    --hash=sha256:8cccf7057c7d19064a9e27660f5aec4e5c4001ffcf653a47531bde19b5aa2a8a \
+    --hash=sha256:911714b08b63d155f9c948da2b5534b223a1a4fc50bb67139ab68b277c938578 \
+    --hash=sha256:a5f8f85986197d1dd6444763c4a15c991bfed86d835a1f6f7d476f7198d5f56a \
+    --hash=sha256:a744132d0abaa854d1aad50ba9bc64e79c6f835b3e92521db4235a1991176813 \
+    --hash=sha256:af2c14efc0bb0e91af63d00080ccc067866fb8cbbaca2b0438ab4105f5e0f08d \
+    --hash=sha256:b054eb0a8aa712c8e9030065a59b5e6a5cf0746ecdb5f087cca5ec7685690c19 \
+    --hash=sha256:b0becb75418f8a130e9d465e718316cd17c7a8acce6fe8fe07adc72762bee425 \
+    --hash=sha256:b1d2ed1cbda2ae107283befd9284e650d840f8f7568cb9060b5466d25dc48975 \
+    --hash=sha256:ba4261c8ad00b49d48bbb3b5af388bb7576edfc0ca50a49c11dcb77caa1d897e \
+    --hash=sha256:d1fe9d7d09bb07228650903d6a9dc48ea649e3b8c69b1d263419cc722b3938e8 \
+    --hash=sha256:d7804f6a71fc2dda888ef2de266727ec2f3915373d5a785ed4ddc603bbc91e08 \
+    --hash=sha256:da2844fba024dd58eaa712561da47dcd1e7ad544a257482392472eae1c86d5e5 \
+    --hash=sha256:dcefc97d1daf8d55199420e9162ab584ed0893a109f45e438b9794ced44c9fd0 \
+    --hash=sha256:dd98c436a1fc56f48c70882cc243df89ad036210d871c7427dc164b31500dc11 \
+    --hash=sha256:e74671e43ed4569fbd7989e5eecc7d06dc134b571872ab1d5a88f4a123814e9f \
+    --hash=sha256:eb9b92f456ff3ec746cd4935b73c1117538d6124b8617bc0fe6fda0b3816e345 \
+    --hash=sha256:ebb4e637a1fb861c34e48a00d03cffa9234f42bef923aec44e5625ffb9a8e8f9 \
+    --hash=sha256:ef739fe89e7f43fb6494a43b1878a36273e5924869ba1d866f752c5812ae8d58 \
+    --hash=sha256:f40db0e02a8157d2b90857c24d89b6310f9b6c3642369852cdc3b5ac49b92afc \
+    --hash=sha256:f68bf937f113b88c866d090fea0bc52a098695173fc613b055a17ff0cf9683b6 \
+    --hash=sha256:fb55c182a3f7b84c1a2d6de5fa7b1a05d4660d866b91dbf8d74549c57a1499e8
+zope.proxy==4.3.5 \
+    --hash=sha256:00573dfa755d0703ab84bb23cb6ecf97bb683c34b340d4df76651f97b0bab068 \
+    --hash=sha256:092049280f2848d2ba1b57b71fe04881762a220a97b65288bcb0968bb199ec30 \
+    --hash=sha256:0cbd27b4d3718b5ec74fc65ffa53c78d34c65c6fd9411b8352d2a4f855220cf1 \
+    --hash=sha256:17fc7e16d0c81f833a138818a30f366696653d521febc8e892858041c4d88785 \
+    --hash=sha256:19577dfeb70e8a67249ba92c8ad20589a1a2d86a8d693647fa8385408a4c17b0 \
+    --hash=sha256:207aa914576b1181597a1516e1b90599dc690c095343ae281b0772e44945e6a4 \
+    --hash=sha256:219a7db5ed53e523eb4a4769f13105118b6d5b04ed169a283c9775af221e231f \
+    --hash=sha256:2b50ea79849e46b5f4f2b0247a3687505d32d161eeb16a75f6f7e6cd81936e43 \
+    --hash=sha256:5903d38362b6c716e66bbe470f190579c530a5baf03dbc8500e5c2357aa569a5 \
+    --hash=sha256:5c24903675e271bd688c6e9e7df5775ac6b168feb87dbe0e4bcc90805f21b28f \
+    --hash=sha256:5ef6bc5ed98139e084f4e91100f2b098a0cd3493d4e76f9d6b3f7b95d7ad0f06 \
+    --hash=sha256:61b55ae3c23a126a788b33ffb18f37d6668e79a05e756588d9e4d4be7246ab1c \
+    --hash=sha256:63ddb992931a5e616c87d3d89f5a58db086e617548005c7f9059fac68c03a5cc \
+    --hash=sha256:6943da9c09870490dcfd50c4909c0cc19f434fa6948f61282dc9cb07bcf08160 \
+    --hash=sha256:6ad40f85c1207803d581d5d75e9ea25327cd524925699a83dfc03bf8e4ba72b7 \
+    --hash=sha256:6b44433a79bdd7af0e3337bd7bbcf53dd1f9b0fa66bf21bcb756060ce32a96c1 \
+    --hash=sha256:6bbaa245015d933a4172395baad7874373f162955d73612f0b66b6c2c33b6366 \
+    --hash=sha256:7007227f4ea85b40a2f5e5a244479f6a6dfcf906db9b55e812a814a8f0e2c28d \
+    --hash=sha256:74884a0aec1f1609190ec8b34b5d58fb3b5353cf22b96161e13e0e835f13518f \
+    --hash=sha256:7d25fe5571ddb16369054f54cdd883f23de9941476d97f2b92eb6d7d83afe22d \
+    --hash=sha256:7e162bdc5e3baad26b2262240be7d2bab36991d85a6a556e48b9dfb402370261 \
+    --hash=sha256:814d62678dc3a30f4aa081982d830b7c342cf230ffc9d030b020cb154eeebf9e \
+    --hash=sha256:8878a34c5313ee52e20aa50b03138af8d472bae465710fb954d133a9bfd3c38d \
+    --hash=sha256:a66a0d94e5b081d5d695e66d6667e91e74d79e273eee95c1747717ba9cb70792 \
+    --hash=sha256:a69f5cbf4addcfdf03dda564a671040127a6b7c34cf9fe4973582e68441b63fa \
+    --hash=sha256:b00f9f0c334d07709d3f73a7cb8ae63c6ca1a90c790a63b5e7effa666ef96021 \
+    --hash=sha256:b6ed71e4a7b4690447b626f499d978aa13197a0e592950e5d7020308f6054698 \
+    --hash=sha256:bdf5041e5851526e885af579d2f455348dba68d74f14a32781933569a327fddf \
+    --hash=sha256:be034360dd34e62608419f86e799c97d389c10a0e677a25f236a971b2f40dac9 \
+    --hash=sha256:cc8f590a5eed30b314ae6b0232d925519ade433f663de79cc3783e4b10d662ba \
+    --hash=sha256:cd7a318a15fe6cc4584bf3c4426f092ed08c0fd012cf2a9173114234fe193e11 \
+    --hash=sha256:cf19b5f63a59c20306e034e691402b02055c8f4e38bf6792c23cad489162a642 \
+    --hash=sha256:cfc781ce442ec407c841e9aa51d0e1024f72b6ec34caa8fdb6ef9576d549acf2 \
+    --hash=sha256:dea9f6f8633571e18bc20cad83603072e697103a567f4b0738d52dd0211b4527 \
+    --hash=sha256:e4a86a1d5eb2cce83c5972b3930c7c1eac81ab3508464345e2b8e54f119d5505 \
+    --hash=sha256:e7106374d4a74ed9ff00c46cc00f0a9f06a0775f8868e423f85d4464d2333679 \
+    --hash=sha256:e98a8a585b5668aa9e34d10f7785abf9545fe72663b4bfc16c99a115185ae6a5 \
+    --hash=sha256:f64840e68483316eb58d82c376ad3585ca995e69e33b230436de0cdddf7363f9 \
+    --hash=sha256:f8f4b0a9e6683e43889852130595c8854d8ae237f2324a053cdd884de936aa9b \
+    --hash=sha256:fc45a53219ed30a7f670a6d8c98527af0020e6fd4ee4c0a8fb59f147f06d816c
+
+# Contains the requirements for the letsencrypt package.
+#
+# Since the letsencrypt package depends on certbot and using pip with hashes
+# requires that all installed packages have hashes listed, this allows
+# dependency-requirements.txt to be used without requiring a hash for a
+# (potentially unreleased) Certbot package.
+
+letsencrypt==0.7.0 \
+    --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
+    --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
+
+certbot==1.14.0 \
+    --hash=sha256:67b4d26ceaea6c7f8325d0d45169e7a165a2cabc7122c84bc971ba068ca19cca \
+    --hash=sha256:959ea90c6bb8dca38eab9772722cb940972ef6afcd5f15deef08b3c3636841eb
+acme==1.14.0 \
+    --hash=sha256:4f48c41261202f1a389ec2986b2580b58f53e0d5a1ae2463b34318d78b87fc66 \
+    --hash=sha256:61daccfb0343628cbbca551a7fc4c82482113952c21db3fe0c585b7c98fa1c35
+certbot-apache==1.14.0 \
+    --hash=sha256:b757038db23db707c44630fecb46e99172bd791f0db5a8e623c0842613c4d3d9 \
+    --hash=sha256:887fe4a21af2de1e5c2c9428bacba6eb7c1219257bc70f1a1d8447c8a321adb0
+certbot-nginx==1.14.0 \
+    --hash=sha256:8916a815437988d6c192df9f035bb7a176eab20eee0956677b335d0698d243fb \
+    --hash=sha256:cc2a8a0de56d9bb6b2efbda6c80c647dad8db2bb90675cac03ade94bd5fc8597
+
+UNLIKELY_EOF
+    # -------------------------------------------------------------------------
+    cat << "UNLIKELY_EOF" > "$TEMP_DIR/pipstrap.py"
+#!/usr/bin/env python
+"""A small script that can act as a trust root for installing pip >=8
+Embed this in your project, and your VCS checkout is all you have to trust. In
+a post-peep era, this lets you claw your way to a hash-checking version of pip,
+with which you can install the rest of your dependencies safely. All it assumes
+is Python 2.6 or better and *some* version of pip already installed. If
+anything goes wrong, it will exit with a non-zero status code.
+"""
+# This is here so embedded copies are MIT-compliant:
+# Copyright (c) 2016 Erik Rose
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+from __future__ import print_function
+from distutils.version import StrictVersion
+from hashlib import sha256
+from os import environ
+from os.path import join
+from shutil import rmtree
+try:
+    from subprocess import check_output
+except ImportError:
+    from subprocess import CalledProcessError, PIPE, Popen
+
+    def check_output(*popenargs, **kwargs):
+        if 'stdout' in kwargs:
+            raise ValueError('stdout argument not allowed, it will be '
+                             'overridden.')
+        process = Popen(stdout=PIPE, *popenargs, **kwargs)
+        output, unused_err = process.communicate()
+        retcode = process.poll()
+        if retcode:
+            cmd = kwargs.get("args")
+            if cmd is None:
+                cmd = popenargs[0]
+            raise CalledProcessError(retcode, cmd)
+        return output
+import sys
+from tempfile import mkdtemp
+try:
+    from urllib2 import build_opener, HTTPHandler, HTTPSHandler
+except ImportError:
+    from urllib.request import build_opener, HTTPHandler, HTTPSHandler
+try:
+    from urlparse import urlparse
+except ImportError:
+    from urllib.parse import urlparse  # 3.4
+
+
+__version__ = 1, 5, 1
+PIP_VERSION = '9.0.1'
+DEFAULT_INDEX_BASE = 'https://pypi.python.org'
+
+
+# wheel has a conditional dependency on argparse:
+maybe_argparse = (
+    [('18/dd/e617cfc3f6210ae183374cd9f6a26b20514bbb5a792af97949c5aacddf0f/'
+      'argparse-1.4.0.tar.gz',
+      '62b089a55be1d8949cd2bc7e0df0bddb9e028faefc8c32038cc84862aefdd6e4')]
+    if sys.version_info < (2, 7, 0) else [])
+
+
+# Be careful when updating the pinned versions here, in particular for pip.
+# Indeed starting from 10.0, pip will build dependencies in isolation if the
+# related projects are compliant with PEP 517. This is not something we want
+# as of now, so the isolation build will need to be disabled wherever
+# pipstrap is used (see https://github.com/certbot/certbot/issues/8256).
+PACKAGES = maybe_argparse + [
+    # Pip has no dependencies, as it vendors everything:
+    ('11/b6/abcb525026a4be042b486df43905d6893fb04f05aac21c32c638e939e447/'
+     'pip-{0}.tar.gz'.format(PIP_VERSION),
+     '09f243e1a7b461f654c26a725fa373211bb7ff17a9300058b205c61658ca940d'),
+    # This version of setuptools has only optional dependencies:
+    ('37/1b/b25507861991beeade31473868463dad0e58b1978c209de27384ae541b0b/'
+     'setuptools-40.6.3.zip',
+     '3b474dad69c49f0d2d86696b68105f3a6f195f7ab655af12ef9a9c326d2b08f8'),
+    ('c9/1d/bd19e691fd4cfe908c76c429fe6e4436c9e83583c4414b54f6c85471954a/'
+     'wheel-0.29.0.tar.gz',
+     '1ebb8ad7e26b448e9caa4773d2357849bf80ff9e313964bcaf79cbf0201a1648')
+]
+
+
+class HashError(Exception):
+    def __str__(self):
+        url, path, actual, expected = self.args
+        return ('{url} did not match the expected hash {expected}. Instead, '
+                'it was {actual}. The file (left at {path}) may have been '
+                'tampered with.'.format(**locals()))
+
+
+def hashed_download(url, temp, digest):
+    """Download ``url`` to ``temp``, make sure it has the SHA-256 ``digest``,
+    and return its path."""
+    # Based on pip 1.4.1's URLOpener but with cert verification removed. Python
+    # >=2.7.9 verifies HTTPS certs itself, and, in any case, the cert
+    # authenticity has only privacy (not arbitrary code execution)
+    # implications, since we're checking hashes.
+    def opener(using_https=True):
+        opener = build_opener(HTTPSHandler())
+        if using_https:
+            # Strip out HTTPHandler to prevent MITM spoof:
+            for handler in opener.handlers:
+                if isinstance(handler, HTTPHandler):
+                    opener.handlers.remove(handler)
+        return opener
+
+    def read_chunks(response, chunk_size):
+        while True:
+            chunk = response.read(chunk_size)
+            if not chunk:
+                break
+            yield chunk
+
+    parsed_url = urlparse(url)
+    response = opener(using_https=parsed_url.scheme == 'https').open(url)
+    path = join(temp, parsed_url.path.split('/')[-1])
+    actual_hash = sha256()
+    with open(path, 'wb') as file:
+        for chunk in read_chunks(response, 4096):
+            file.write(chunk)
+            actual_hash.update(chunk)
+
+    actual_digest = actual_hash.hexdigest()
+    if actual_digest != digest:
+        raise HashError(url, path, actual_digest, digest)
+    return path
+
+
+def get_index_base():
+    """Return the URL to the dir containing the "packages" folder.
+    Try to wring something out of PIP_INDEX_URL, if set. Hack "/simple" off the
+    end if it's there; that is likely to give us the right dir.
+    """
+    env_var = environ.get('PIP_INDEX_URL', '').rstrip('/')
+    if env_var:
+        SIMPLE = '/simple'
+        if env_var.endswith(SIMPLE):
+            return env_var[:-len(SIMPLE)]
+        else:
+            return env_var
+    else:
+        return DEFAULT_INDEX_BASE
+
+
+def main():
+    python = sys.executable or 'python'
+    pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
+                                .decode('utf-8').split()[1])
+    has_pip_cache = pip_version >= StrictVersion('6.0')
+    index_base = get_index_base()
+    temp = mkdtemp(prefix='pipstrap-')
+    try:
+        downloads = [hashed_download(index_base + '/packages/' + path,
+                                     temp,
+                                     digest)
+                     for path, digest in PACKAGES]
+        # Calling pip as a module is the preferred way to avoid problems about pip self-upgrade.
+        command = [python, '-m', 'pip', 'install', '--no-index', '--no-deps', '-U']
+        # Disable cache since it is not used and it otherwise sometimes throws permission warnings:
+        command.extend(['--no-cache-dir'] if has_pip_cache else [])
+        command.extend(downloads)
+        check_output(command)
+    except HashError as exc:
+        print(exc)
+    except Exception:
+        rmtree(temp)
+        raise
+    else:
+        rmtree(temp)
+        return 0
+    return 1
+
+
+if __name__ == '__main__':
+    sys.exit(main())
+
+UNLIKELY_EOF
+    # -------------------------------------------------------------------------
+    # Set PATH so pipstrap upgrades the right (v)env:
+    PATH="$VENV_BIN:$PATH" "$VENV_BIN/python" "$TEMP_DIR/pipstrap.py"
+    set +e
+    if [ "$VERBOSE" = 1 ]; then
+      "$VENV_BIN/pip" install --disable-pip-version-check --no-cache-dir --require-hashes -r "$TEMP_DIR/letsencrypt-auto-requirements.txt"
+    else
+      PIP_OUT=`"$VENV_BIN/pip" install --disable-pip-version-check --no-cache-dir --require-hashes -r "$TEMP_DIR/letsencrypt-auto-requirements.txt" 2>&1`
+    fi
+    PIP_STATUS=$?
+    set -e
+    if [ "$PIP_STATUS" != 0 ]; then
+      # Report error. (Otherwise, be quiet.)
+      error "Had a problem while installing Python packages."
+      if [ "$VERBOSE" != 1 ]; then
+        error
+        error "pip prints the following errors: "
+        error "====================================================="
+        error "$PIP_OUT"
+        error "====================================================="
+        error
+        error "Certbot has problem setting up the virtual environment."
+
+        if `echo $PIP_OUT | grep -q Killed` || `echo $PIP_OUT | grep -q "allocate memory"` ; then
+          error
+          error "Based on your pip output, the problem can likely be fixed by "
+          error "increasing the available memory."
+        else
+          error
+          error "We were not be able to guess the right solution from your pip "
+          error "output."
+        fi
+
+        error
+        error "Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment"
+        error "for possible solutions."
+        error "You may also find some support resources at https://certbot.eff.org/support/ ."
+      fi
+      rm -rf "$VENV_PATH"
+      exit 1
+    fi
+
+    if [ -d "$OLD_VENV_PATH" -a ! -L "$OLD_VENV_PATH" ]; then
+      rm -rf "$OLD_VENV_PATH"
+      ln -s "$VENV_PATH" "$OLD_VENV_PATH"
+    fi
+
+    say "Installation succeeded."
+  fi
+
+  # If you're modifying any of the code after this point in this current `if` block, you
+  # may need to update the "$DEPRECATED_OS" = 1 case at the beginning of phase 2 as well.
+
+  if [ "$INSTALL_ONLY" = 1 ]; then
+    say "Certbot is installed."
+    exit 0
+  fi
+
+  "$VENV_BIN/letsencrypt" "$@"
+
+else
+  # Phase 1: Upgrade certbot-auto if necessary, then self-invoke.
+  #
+  # Each phase checks the version of only the thing it is responsible for
+  # upgrading. Phase 1 checks the version of the latest release of
+  # certbot-auto (which is always the same as that of the certbot
+  # package). Phase 2 checks the version of the locally installed certbot.
+  export PHASE_1_VERSION="$LE_AUTO_VERSION"
+
+  if [ ! -f "$VENV_BIN/letsencrypt" ]; then
+    if ! OldVenvExists; then
+      if [ "$HELP" = 1 ]; then
+        echo "$USAGE"
+        exit 0
+      fi
+      # If it looks like we've never bootstrapped before, bootstrap:
+      Bootstrap
+    fi
+  fi
+  if [ "$OS_PACKAGES_ONLY" = 1 ]; then
+    say "OS packages installed."
+    exit 0
+  fi
+
+  DeterminePythonVersion "NOCRASH"
+  # Don't warn about file permissions if the user disabled the check or we
+  # can't find an up-to-date Python.
+  if [ "$PYVER" -ge "$MIN_PYVER" -a "$NO_PERMISSIONS_CHECK" != 1 ]; then
+    # If the script fails for some reason, don't break certbot-auto.
+    set +e
+    # Suppress unexpected error output.
+    CHECK_PERM_OUT=$(CheckPathPermissions "$LE_PYTHON" "$0" 2>/dev/null)
+    CHECK_PERM_STATUS="$?"
+    set -e
+    # Only print output if the script ran successfully and it actually produced
+    # output. The latter check resolves
+    # https://github.com/certbot/certbot/issues/7012.
+    if [ "$CHECK_PERM_STATUS" = 0 -a -n "$CHECK_PERM_OUT" ]; then
+      error "$CHECK_PERM_OUT"
+    fi
+  fi
+
+  if [ "$NO_SELF_UPGRADE" != 1 ]; then
+    TEMP_DIR=$(TempDir)
+    trap 'rm -rf "$TEMP_DIR"' EXIT
+    # ---------------------------------------------------------------------------
+    cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py"
+"""Do downloading and JSON parsing without additional dependencies. ::
+
+    # Print latest released version of LE to stdout:
+    python fetch.py --latest-version
+
+    # Download letsencrypt-auto script from git tag v1.2.3 into the folder I'm
+    # in, and make sure its signature verifies:
+    python fetch.py --le-auto-script v1.2.3
+
+On failure, return non-zero.
+
+"""
+
+from __future__ import print_function, unicode_literals
+
+from distutils.version import LooseVersion
+from json import loads
+from os import devnull, environ
+from os.path import dirname, join
+import re
+import ssl
+from subprocess import check_call, CalledProcessError
+from sys import argv, exit
+try:
+    from urllib2 import build_opener, HTTPHandler, HTTPSHandler
+    from urllib2 import HTTPError, URLError
+except ImportError:
+    from urllib.request import build_opener, HTTPHandler, HTTPSHandler
+    from urllib.error import HTTPError, URLError
+
+PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq
+OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18
+xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp
+9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij
+n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH
+cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+
+CQIDAQAB
+-----END PUBLIC KEY-----
+""")
+
+class ExpectedError(Exception):
+    """A novice-readable exception that also carries the original exception for
+    debugging"""
+
+
+class HttpsGetter(object):
+    def __init__(self):
+        """Build an HTTPS opener."""
+        # Based on pip 1.4.1's URLOpener
+        # This verifies certs on only Python >=2.7.9, and when NO_CERT_VERIFY isn't set.
+        if environ.get('NO_CERT_VERIFY') == '1' and hasattr(ssl, 'SSLContext'):
+            self._opener = build_opener(HTTPSHandler(context=cert_none_context()))
+        else:
+            self._opener = build_opener(HTTPSHandler())
+        # Strip out HTTPHandler to prevent MITM spoof:
+        for handler in self._opener.handlers:
+            if isinstance(handler, HTTPHandler):
+                self._opener.handlers.remove(handler)
+
+    def get(self, url):
+        """Return the document contents pointed to by an HTTPS URL.
+
+        If something goes wrong (404, timeout, etc.), raise ExpectedError.
+
+        """
+        try:
+            # socket module docs say default timeout is None: that is, no
+            # timeout
+            return self._opener.open(url, timeout=30).read()
+        except (HTTPError, IOError) as exc:
+            raise ExpectedError("Couldn't download %s." % url, exc)
+
+
+def write(contents, dir, filename):
+    """Write something to a file in a certain directory."""
+    with open(join(dir, filename), 'wb') as file:
+        file.write(contents)
+
+
+def latest_stable_version(get):
+    """Return the latest stable release of letsencrypt."""
+    metadata = loads(get(
+        environ.get('LE_AUTO_JSON_URL',
+                    'https://pypi.python.org/pypi/certbot/json')).decode('UTF-8'))
+    # metadata['info']['version'] actually returns the latest of any kind of
+    # release release, contrary to https://wiki.python.org/moin/PyPIJSON.
+    # The regex is a sufficient regex for picking out prereleases for most
+    # packages, LE included.
+    return str(max(LooseVersion(r) for r
+                   in metadata['releases'].keys()
+                   if re.match('^[0-9.]+$', r)))
+
+
+def verified_new_le_auto(get, tag, temp_dir):
+    """Return the path to a verified, up-to-date letsencrypt-auto script.
+
+    If the download's signature does not verify or something else goes wrong
+    with the verification process, raise ExpectedError.
+
+    """
+    le_auto_dir = environ.get(
+        'LE_AUTO_DIR_TEMPLATE',
+        'https://raw.githubusercontent.com/certbot/certbot/%s/'
+        'letsencrypt-auto-source/') % tag
+    write(get(le_auto_dir + 'letsencrypt-auto'), temp_dir, 'letsencrypt-auto')
+    write(get(le_auto_dir + 'letsencrypt-auto.sig'), temp_dir, 'letsencrypt-auto.sig')
+    write(PUBLIC_KEY.encode('UTF-8'), temp_dir, 'public_key.pem')
+    try:
+        with open(devnull, 'w') as dev_null:
+            check_call(['openssl', 'dgst', '-sha256', '-verify',
+                        join(temp_dir, 'public_key.pem'),
+                        '-signature',
+                        join(temp_dir, 'letsencrypt-auto.sig'),
+                        join(temp_dir, 'letsencrypt-auto')],
+                       stdout=dev_null,
+                       stderr=dev_null)
+    except CalledProcessError as exc:
+        raise ExpectedError("Couldn't verify signature of downloaded "
+                            "certbot-auto.", exc)
+
+
+def cert_none_context():
+    """Create a SSLContext object to not check hostname."""
+    # PROTOCOL_TLS isn't available before 2.7.13 but this code is for 2.7.9+, so use this.
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.verify_mode = ssl.CERT_NONE
+    return context
+
+
+def main():
+    get = HttpsGetter().get
+    flag = argv[1]
+    try:
+        if flag == '--latest-version':
+            print(latest_stable_version(get))
+        elif flag == '--le-auto-script':
+            tag = argv[2]
+            verified_new_le_auto(get, tag, dirname(argv[0]))
+    except ExpectedError as exc:
+        print(exc.args[0], exc.args[1])
+        return 1
+    else:
+        return 0
+
+
+if __name__ == '__main__':
+    exit(main())
+
+UNLIKELY_EOF
+    # ---------------------------------------------------------------------------
+    if [ "$PYVER" -lt "$MIN_PYVER" ]; then
+      error "WARNING: couldn't find Python $MIN_PYTHON_VERSION+ to check for updates."
+    elif ! REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` ; then
+      error "WARNING: unable to check for updates."
+    fi
+
+    # If for any reason REMOTE_VERSION is not set, let's assume certbot-auto is up-to-date,
+    # and do not go into the self-upgrading process.
+    if [ -n "$REMOTE_VERSION" ]; then
+      LE_VERSION_STATE=`CompareVersions "$LE_PYTHON" "$LE_AUTO_VERSION" "$REMOTE_VERSION"`
+
+      if [ "$LE_VERSION_STATE" = "UNOFFICIAL" ]; then
+        say "Unofficial certbot-auto version detected, self-upgrade is disabled: $LE_AUTO_VERSION"
+      elif [ "$LE_VERSION_STATE" = "OUTDATED" ]; then
+        say "Upgrading certbot-auto $LE_AUTO_VERSION to $REMOTE_VERSION..."
+
+        # Now we drop into Python so we don't have to install even more
+        # dependencies (curl, etc.), for better flow control, and for the option of
+        # future Windows compatibility.
+        "$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION"
+
+        # Install new copy of certbot-auto.
+        # TODO: Deal with quotes in pathnames.
+        say "Replacing certbot-auto..."
+        # Clone permissions with cp. chmod and chown don't have a --reference
+        # option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
+        cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
+        cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
+        # Using mv rather than cp leaves the old file descriptor pointing to the
+        # original copy so the shell can continue to read it unmolested. mv across
+        # filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the
+        # cp is unlikely to fail if the rm doesn't.
+        mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0"
+      fi  # A newer version is available.
+    fi
+  fi  # Self-upgrading is allowed.
+
+  RerunWithArgs --le-auto-phase2 "$@"
+fi

certbot/handlers/main.yml

@@ -19,5 +19,5 @@
   systemd:
     daemon_reload: yes
 
-- name: install certbot-auto
-  command: /usr/local/bin/certbot --noninteractive --install-only
+- name: install letsencrypt-auto
+  command: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade

certbot/tasks/install-legacy.yml

@@ -0,0 +1,60 @@
+---
+
+- name: certbot package is removed
+  apt:
+    name: certbot
+    state: absent
+
+- include_role:
+    name: evolix/remount-usr
+
+# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
+- name: Let's Encrypt script is present
+  copy:
+    src: letsencrypt-auto
+    dest: /usr/local/bin/letsencrypt-auto
+    mode: '0755'
+    owner: root
+    group: root
+    force: yes
+  notify: install letsencrypt-auto
+
+- name: Check certbot script
+  stat:
+    path: /usr/local/bin/certbot
+  register: certbot_path
+
+- name: Rename certbot script if present
+  command: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak"
+  when: certbot_path.stat.exists
+
+- name: Let's Encrypt script is symlinked as certbot
+  file:
+    src: "/usr/local/bin/letsencrypt-auto"
+    dest: "/usr/local/bin/certbot"
+    state: link
+
+- name: systemd artefacts are absent
+  file:
+    dest: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/systemd/system/certbot.service
+    - /etc/systemd/system/certbot.service.d
+    - /etc/systemd/system/certbot.timer
+  notify: systemd daemon-reload
+
+- name: custom crontab is present
+  copy:
+    src: cron_jessie
+    dest: /etc/cron.d/certbot
+    force: yes
+  when: certbot_custom_crontab | bool
+
+- name: disable self-upgrade
+  ini_file:
+    dest: "/etc/letsencrypt/cli.ini"
+    section: null
+    option: "no-self-upgrade"
+    value: "no"
+    state: present

certbot/tasks/install-sources.yml

@@ -1,35 +0,0 @@
----
-
-- name: certbot package is removed
-  apt:
-    name: certbot
-    state: absent
-
-- include_role:
-    name: evolix/remount-usr
-
-- name: Certbot script is downloaded
-  get_url:
-    url: https://dl.eff.org/certbot-auto
-    dest: /usr/local/bin/certbot
-    mode: '0755'
-    owner: root
-    group: root
-    force: no
-  notify: install certbot-auto
-
-- name: systemd artefacts are absent
-  file:
-    dest: "{{ item }}"
-    state: absent
-  loop:
-    - /etc/systemd/system/certbot.service
-    - /etc/systemd/system/certbot.service.d
-    - /etc/systemd/system/certbot.timer
-  notify: systemd daemon-reload
-
-- name: custom crontab is present
-  copy:
-    src: cron_jessie
-    dest: /etc/cron.d/certbot
-    force: yes

certbot/tasks/main.yml

@@ -7,11 +7,11 @@
       - ansible_distribution_major_version is version('8', '>=')
     msg: only compatible with Debian 9+
 
-- name: Install from sources on Debian 8
-  include: install-sources.yml
+- name: Install legacy script on Debian 8
+  include: install-legacy.yml
   when:
     - ansible_distribution == "Debian"
-    - ansible_distribution_major_version is version('8', '=')
+    - ansible_distribution_major_version is version('9', '<')
 
 - name: Install package on Debian 9+
   include: install-package.yml
@@ -23,17 +23,34 @@
 
 - name: Deploy hooks are present
   copy:
-    src: hooks/
+    src: hooks/deploy/
     dest: /etc/letsencrypt/renewal-hooks/deploy/
     mode: "0700"
     owner: root
     group: root
 
-- name: Move commit-etc.sh to z-commit-etc.sh if present
+- name: Manual deploy hook is present
+  copy:
+    src: hooks/manual-deploy.sh
+    dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
+    mode: "0700"
+    owner: root
+    group: root
+
+- name: "sync_remote is configured with servers"
+  lineinfile:
+    dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
+    regexp: "^servers="
+    line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\""
+    create: yes
+
+# begining of backward compatibility tasks
+- name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present
   command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
   args:
     removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
     creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
+# end of backward compatibility tasks
 
 - name: "certbot lock is ignored by Git"
   lineinfile:

certbot/templates/acme-challenge/apache.conf.j2

@@ -7,6 +7,5 @@
 Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
 <Directory "/var/lib/letsencrypt/.well-known/acme-challenge">
     Options -Indexes
-    Allow from all
     Require all granted
 </Directory>

certbot/templates/acme-challenge/nginx.conf.j2

@@ -5,5 +5,6 @@ location ~ /.well-known/acme-challenge {
     alias {{ certbot_work_dir }}/;
 {% endif %}
     try_files $uri =404;
+    auth_basic off;
     allow all;
 }

clamav/tasks/main.yml

@@ -5,49 +5,49 @@
     question: "{{ item.key }}"
     value: "{{ item.value }}"
     vtype: "{{ item.type }}"
-  with_items:
-  - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
-  - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
-  - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
-  - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
-  - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
-  - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
-  - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
-  - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
-  - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
-  - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
-  - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
-  - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
-  - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
-  - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
-  - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
-  - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
-  - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
-  - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
-  - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
-  - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
-  - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
-  - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
-  - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
-  - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
-  - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
-  - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
+  loop:
+    - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
+    - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
+    - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
+    - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
+    - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
+    - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
+    - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
+    - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
+    - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
+    - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
+    - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
+    - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
+    - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
+    - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
+    - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
+    - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
+    - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
+    - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
+    - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
+    - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
+    - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
+    - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
+    - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
+    - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
+    - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
+    - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
   tags:
   - clamav
 
@@ -57,18 +57,18 @@
     question: "{{ item.key }}"
     value: "{{ item.value }}"
     vtype: "{{ item.type }}"
-  with_items:
-  - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
-  - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
-  - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
-  - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
-  - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
+  loop:
+    - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
+    - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
+    - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
+    - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
+    - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
   tags:
   - clamav
 

dhcpd/meta/main.yml

@@ -1,17 +1,23 @@
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Installation and basic configuration of isc-dhcp-server.
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+
+  galaxy_tags: []
+    # Be sure to remove the '[]' above if you add dependencies
+    # to this list.
 
 dependencies: []
   # List your role dependencies here, one per line.

docker-host/tasks/main.yml

@@ -28,17 +28,34 @@
   when: ansible_distribution_release == 'jessie'
 
 - name: Add Docker's official GPG key
-  apt_key:
-    #url: https://download.docker.com/linux/debian/gpg
-    data: "{{ lookup('file', 'docker-debian.gpg') }}"
+  copy:
+    src: docker-debian.asc
+    dest: /etc/apt/trusted.gpg.d/docker-debian.asc
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
 
-- name: Install docker and python-docker
+- name: Install Docker
   apt:
     name:
       - docker-ce
-      - python-docker
+      - docker-ce-cli
+      - containerd.io
     update_cache: yes
 
+- name: python-docker is installed
+  apt:
+    name: python-docker
+    state: present
+  when: ansible_python_version is version('3', '<')
+
+- name: python3-docker is installed
+  apt:
+    name: python3-docker
+    state: present
+  when: ansible_python_version is version('3', '>=')
+
 - name: Copy Docker daemon configuration file
   template:
     src: daemon.json.j2
@@ -71,17 +88,17 @@
     state: directory
     mode: "0644"
     owner: root
-  when: docker_tls_enabled
+  when: docker_tls_enabled | bool
 
 - name: Copy shellpki utility to Docker TLS directory
   template:
     src: "{{ item }}.j2"
     dest: "{{ docker_tls_path }}/{{ item }}"
     mode: "0744"
-  with_items:
+  loop:
     - shellpki.sh
     - openssl.cnf
-  when: docker_tls_enabled
+  when: docker_tls_enabled | bool
 
 - name: Check if certs are already created
   stat:
@@ -90,4 +107,6 @@
 
 - name: Creating a CA, server key
   command: "{{ docker_tls_path }}/shellpki.sh init"
-  when: docker_tls_enabled and not tls_certs_stat.stat.isdir is defined
+  when:
+    - docker_tls_enabled | bool
+    - not tls_certs_stat.stat.isdir

dovecot/defaults/main.yml

@@ -1,2 +1,4 @@
 ---
-dovecot_foo: bar
+
+dovecot_vmail_uid: 5000
+dovecot_vmail_gid: 5000

dovecot/files/munin_config

@@ -0,0 +1,2 @@
+[dovecot]
+group adm

dovecot/files/munin_plugin

@@ -2,21 +2,22 @@
 #
 # Munin Plugin
 # to count logins to your dovecot mailserver
-# 
+#
 # Created by Dominik Schulz <lkml@ds.gauner.org>
 # http://developer.gauner.org/munin/
 # Contributions by:
 # - Stephane Enten <tuf@delyth.net>
 # - Steve Schnepp <steve.schnepp@pwkf.org>
-# 
+# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
+#
 # Parameters understood:
 #
 #	config		(required)
 #	autoconf 	(optional - used by munin-config)
-# 
+#
 # Config variables:
 #
-#       logfile      - Where to find the syslog file
+#       logfile        - Where to find the syslog file
 #
 # Add the following line to a file in /etc/munin/plugin-conf.d:
 # 	env.logfile /var/log/your/logfile.log
@@ -34,13 +35,13 @@ LOGFILE=${logfile:-/var/log/mail.log}
 ######################
 
 if [ "$1" = "autoconf" ]; then
-	echo yes
+	[ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)"
 	exit 0
 fi
 
 if [ "$1" = "config" ]; then
 	echo 'graph_title Dovecot Logins'
-	echo 'graph_category Mail'
+	echo 'graph_category mail'
 	echo 'graph_args --base 1000 -l 0'
 	echo 'graph_vlabel Login Counters'
 
@@ -53,6 +54,7 @@ if [ "$1" = "config" ]; then
 	done
 
 	echo 'connected.label Connected Users'
+	echo "connected.type DERIVE"
 
 	exit 0
 fi
@@ -86,7 +88,7 @@ echo -n
 echo -en "login_tls.value "
 VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
 if [ ! -z "$VALUE" ]; then
-        echo "$VALUE"
+	echo "$VALUE"
 else
 	echo "0"
 fi
@@ -97,7 +99,7 @@ echo -n
 echo -en "login_ssl.value "
 VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
 if [ ! -z "$VALUE" ]; then
-        echo "$VALUE"
+	echo "$VALUE"
 else
 	echo "0"
 fi
@@ -108,7 +110,7 @@ echo -n
 echo -en "login_imap.value "
 VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
 if [ ! -z "$VALUE" ]; then
-        echo "$VALUE"
+	echo "$VALUE"
 else
 	echo "0"
 fi
@@ -119,7 +121,7 @@ echo -n
 echo -en "login_pop3.value "
 VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
 if [ ! -z "$VALUE" ]; then
-        echo "$VALUE"
+	echo "$VALUE"
 else
 	echo "0"
 fi

dovecot/tasks/main.yml

@@ -10,6 +10,11 @@
   tags:
   - dovecot
 
+- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
+  openssl_dhparam:
+    path: /etc/ssl/dhparams.pem
+    size: 4096
+
 - name: disable pam auth
   replace:
     dest: /etc/dovecot/conf.d/10-auth.conf
@@ -24,7 +29,7 @@
     line: "{{ item.key }} = {{ item.value }}"
     regexp: "^#*{{ item.key }}"
     state: present
-  with_items:
+  loop:
     - { key: 'hosts', value: '127.0.0.1' }
     - { key: 'auth_bind', value: 'yes' }
     - { key: 'ldap_version', value: 3 }
@@ -40,7 +45,8 @@
 - name: create vmail group
   group:
     name: vmail
-    gid: 5000
+    gid: "{{ dovecot_vmail_gid }}"
+    system: True
   tags:
   - dovecot
 
@@ -48,8 +54,9 @@
   user:
     name: vmail
     group: vmail
-    uid: 5000
+    uid: "{{ dovecot_vmail_uid }}"
     shell: /bin/false
+    system: True
   tags:
   - dovecot
 
@@ -62,6 +69,15 @@
   tags:
   - dovecot
 
+- name: deploy file for custom configuration
+  template:
+    src: zzz-evolinux-custom.conf.j2
+    dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf
+    mode: "0644"
+  notify: reload dovecot
+  tags:
+  - dovecot
+
 - include: munin.yml
   tags:
   - dovecot

dovecot/tasks/munin.yml

@@ -14,8 +14,10 @@
         dest: /etc/munin/plugins/dovecot
         mode: "0755"
 
-# TODO : add in /etc/munin/plugin-conf.d/munin-node
-# [dovecot]
-# group adm
+    - name: Install munin config
+      copy:
+        src: munin_config
+        dest: /etc/munin/plugin-conf.d/dovecot
+        mode: "0644"
 
   when: munin_node_plugins_config.stat.exists

dovecot/templates/z-evolinux-defaults.conf.j2

@@ -35,12 +35,27 @@ service login {
 }
 mail_max_userip_connections = 42
 
+# Configuration pour stats dovecot
+service stats {
+    unix_listener stats-reader {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+
+    unix_listener stats-writer {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+}
+
 # SSL/TLS
 ssl = yes
 ssl_prefer_server_ciphers = yes
-ssl_dh_parameters_length = 2048
+ssl_dh=</etc/ssl/dhparams.pem
 ssl_options = no_compression no_ticket
-ssl_protocols = !TLSv1 !TLSv1.1
+ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
 ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

dovecot/templates/zzz-evolinux-custom.conf.j2

@@ -0,0 +1 @@
+## Put your customized configuration here, verify configuration with "doveconf -n" and /var/log/mail.log

drbd/meta/main.yml

@@ -1,17 +1,23 @@
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Install tools to setup DRBD replication accross servers.
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+
+  galaxy_tags: []
+    # Be sure to remove the '[]' above if you add dependencies
+    # to this list.
 
 dependencies: []
   # List your role dependencies here, one per line.

elasticsearch/defaults/main.yml

@@ -1,13 +1,16 @@
 ---
-elastic_stack_version: "6.x"
+elastic_stack_version: "7.x"
 
 elasticsearch_cluster_name: Null
 elasticsearch_cluster_members: Null
 elasticsearch_minimum_master_nodes: Null
 elasticsearch_node_name: "${HOSTNAME}"
-elasticsearch_network_host: "[_local_]"
+elasticsearch_network_host:
+  - "_local_"
 elasticsearch_network_publish_host: Null
 elasticsearch_http_publish_host: Null
+elasticsearch_discovery_seed_hosts: Null
+elasticsearch_cluster_initial_master_nodes: Null
 elasticsearch_custom_datadir: Null
 elasticsearch_custom_tmpdir: Null
 elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp

elasticsearch/meta/main.yml

@@ -1,19 +1,20 @@
 ---
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Install Elasticsearch
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
-    - stretch
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
 
   galaxy_tags: []
     # List tags for your role here, one per line. A tag is
@@ -23,6 +24,3 @@ galaxy_info:
     #
     # NOTE: A tag is limited to a single word comprised of
     # alphanumeric characters. Maximum 20 tags per role.
-
-dependencies:
-  - { role: evolix/java, alternative: 'openjdk' }

elasticsearch/tasks/configuration.yml

@@ -6,7 +6,7 @@
     line: "cluster.name: {{ elasticsearch_cluster_name }}"
     regexp: "^cluster.name:"
     insertafter: "^# *cluster.name:"
-  when: elasticsearch_cluster_name|default("", True)
+  when: elasticsearch_cluster_name | default("", True) | length > 0
   tags:
     - config
 
@@ -22,30 +22,66 @@
 - name: Configure network host
   lineinfile:
     dest: /etc/elasticsearch/elasticsearch.yml
-    line: "network.host: {{ elasticsearch_network_host }}"
+    line: "network.host: {{ elasticsearch_network_host  }}"
     regexp: "^network.host:"
     insertafter: "^# *network.host:"
-  when: elasticsearch_network_host|default("", True)
+  when: elasticsearch_network_host | default("", True) | length > 0
   tags:
     - config
 
 - name: Configure network publish_host
   lineinfile:
     dest: /etc/elasticsearch/elasticsearch.yml
-    line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
+    line: "network.publish_host: {{ elasticsearch_network_publish_host  }}"
     regexp: "^network.publish_host:"
     insertafter: "^network.host:"
-  when: elasticsearch_network_publish_host|default("", True)
+  when: elasticsearch_network_publish_host | default("", True) | length > 0
   tags:
     - config
 
 - name: Configure http publish_host
   lineinfile:
     dest: /etc/elasticsearch/elasticsearch.yml
-    line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
+    line: "http.publish_host: {{ elasticsearch_http_publish_host  }}"
     regexp: "^http.publish_host:"
     insertafter: "^http.port:"
-  when: elasticsearch_http_publish_host|default("", True)
+  when: elasticsearch_http_publish_host | default("", True) | length > 0
+  tags:
+    - config
+
+- name: Configure discovery seed hosts
+  lineinfile:
+    dest: /etc/elasticsearch/elasticsearch.yml
+    line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}"
+    regexp: "^discovery.seed_hosts:"
+  when: elasticsearch_discovery_seed_hosts | default([], True) | length > 0
+  tags:
+    - config
+
+- name: Configure empty discovery seed hosts
+  lineinfile:
+    dest: /etc/elasticsearch/elasticsearch.yml
+    regexp: "^discovery.seed_hosts:"
+    state: absent
+  when: elasticsearch_discovery_seed_hosts | default([], True) | length <= 0
+  tags:
+    - config
+
+- name: Configure initial master nodes
+  lineinfile:
+    dest: /etc/elasticsearch/elasticsearch.yml
+    line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}"
+    regexp: "^cluster.initial_master_nodes:"
+  when: elasticsearch_cluster_initial_master_nodes | default([], True) | length > 0
+  tags:
+    - config
+
+- name: Configure empty initial master nodes
+  lineinfile:
+    dest: /etc/elasticsearch/elasticsearch.yml
+    regexp: "^cluster.initial_master_nodes:"
+    state: absent
+  when: elasticsearch_cluster_initial_master_nodes | default([], True) | length <= 0
   tags:
     - config
 
@@ -60,17 +96,25 @@
 
 - name: JVM Heap size (min) is set
   lineinfile:
-    dest: /etc/elasticsearch/jvm.options
+    dest: /etc/elasticsearch/jvm.options.d/evolinux.options
     regexp: "^-Xms"
     line: "-Xms{{ elasticsearch_jvm_xms }}"
+    create: yes
+    owner: root
+    group: elasticsearch
+    mode: 0640
   tags:
     - config
 
 - name: JVM Heap size (max) is set
   lineinfile:
-    dest: /etc/elasticsearch/jvm.options
+    dest: /etc/elasticsearch/jvm.options.d/evolinux.options
     regexp: "^-Xmx"
     line: "-Xmx{{ elasticsearch_jvm_xmx }}"
+    create: yes
+    owner: root
+    group: elasticsearch
+    mode: 0640
   tags:
     - config
 
@@ -80,7 +124,7 @@
     line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
     regexp: "^discovery.zen.ping.unicast.hosts:"
     insertafter: "^#discovery.zen.ping.unicast.hosts"
-  when: elasticsearch_cluster_members|default("", True)
+  when: elasticsearch_cluster_members | default("", True) | length > 0
   tags:
     - config
 
@@ -90,8 +134,6 @@
     line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
     regexp: "^discovery.zen.minimum_master_nodes:"
     insertafter: "^#discovery.zen.minimum_master_nodes"
-  when: elasticsearch_minimum_master_nodes|default("", True)
+  when: elasticsearch_minimum_master_nodes | default("", True) | length > 0
   tags:
     - config
-
-

elasticsearch/tasks/datadir.yml

@@ -16,8 +16,8 @@
   tags:
     - elasticsearch
   when:
-    - elasticsearch_custom_datadir != ''
-    - elasticsearch_custom_datadir != None
+    - elasticsearch_custom_datadir is not none
+    - elasticsearch_custom_datadir | length > 0
 
 - name: Datadir is moved to custom path
   block:
@@ -44,7 +44,7 @@
   tags:
     - elasticsearch
   when:
-    - elasticsearch_custom_datadir != ''
-    - elasticsearch_custom_datadir != None
+    - elasticsearch_custom_datadir is not none
+    - elasticsearch_custom_datadir | length > 0
     - elasticsearch_custom_datadir != elasticsearch_current_real_datadir_test.stdout
     - not elasticsearch_custom_datadir_test.stat.exists

elasticsearch/tasks/logs.yml

@@ -1,7 +1,10 @@
 ---
 
 - name: Check if cron is installed
-  shell: "dpkg -l cron 2> /dev/null | grep -q -E '^(i|h)i'"
+  shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
+  args:
+    executable: /bin/bash
+  check_mode: no
   failed_when: False
   changed_when: False
   register: is_cron_installed

elasticsearch/tasks/main.yml

@@ -6,16 +6,16 @@
 
 - include: bootstrap_checks.yml
 
-- include: datadir.yml
-
 - include: tmpdir.yml
 
+- include: datadir.yml
+
 - include: logs.yml
 
 - include: additional_scripts.yml
 
 - include: plugin_head.yml
-  when: elasticsearch_plugin_head
+  when: elasticsearch_plugin_head | bool
 
 - include: curator.yml
-  when: elasticsearch_curator
+  when: elasticsearch_curator | bool

elasticsearch/tasks/packages.yml

@@ -5,17 +5,38 @@
     name: apt-transport-https
     state: present
   tags:
-  - elasticsearch
-  - packages
+    - elasticsearch
+    - packages
+
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - elasticsearch
+    - packages
+
+- name: Elastic embedded GPG key is absent
+  apt_key:
+    id: "D88E42B4"
+    keyring: /etc/apt/trusted.gpg
+    state: absent
+  when: _trusted_gpg_keyring.stat.exists
+  tags:
+    - elasticsearch
+    - packages
 
 - name: Elastic GPG key is installed
-  apt_key:
-    # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
-    data: "{{ lookup('file', 'elasticsearch.key') }}"
-    state: present
+  copy:
+    src: elastic.asc
+    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    force: yes
+    mode: "0644"
+    owner: root
+    group: root
   tags:
-  - elasticsearch
-  - packages
+    - elasticsearch
+    - packages
 
 - name: Elastic sources list is available
   apt_repository:
@@ -24,20 +45,20 @@
     state: present
     update_cache: yes
   tags:
-  - elasticsearch
-  - packages
+    - elasticsearch
+    - packages
 
 - name: Elasticsearch is installed
   apt:
     name: elasticsearch
     state: present
   tags:
-  - elasticsearch
-  - packages
+    - elasticsearch
+    - packages
 
 - name: Elasticsearch service is enabled
   service:
     name: elasticsearch
     enabled: yes
   tags:
-  - elasticsearch
+    - elasticsearch

elasticsearch/tasks/tmpdir.yml

@@ -9,9 +9,14 @@
 
 - name: Tmpdir is moved to custom path
   block:
-    - name: "Create {{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
+    - set_fact:
+        _elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}"
+      tags:
+        - elasticsearch
+
+    - name: "Create {{ _elasticsearch_custom_tmpdir }}"
       file:
-        path: "{{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
+        path: "{{ _elasticsearch_custom_tmpdir }}"
         owner: elasticsearch
         group: elasticsearch
         mode: "0755"
@@ -21,10 +26,13 @@
 
     - name: change JVM tmpdir (< 6.x)
       lineinfile:
-        dest: /etc/elasticsearch/jvm.options
-        line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
+        dest: /etc/elasticsearch/jvm.options.d/evolinux.options
+        line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
         regexp: "^-Djava.io.tmpdir="
-        insertafter: "## JVM configuration"
+        create: yes
+        owner: root
+        group: elasticsearch
+        mode: 0640
       notify:
         - restart elasticsearch
       tags:
@@ -34,7 +42,7 @@
     - name: check if ES_TMPDIR is available (>= 6.x)
       lineinfile:
         dest: /etc/default/elasticsearch
-        line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
+        line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}"
         regexp: "^ES_TMPDIR="
         insertafter: "JAVA_HOME"
       notify:
@@ -43,6 +51,7 @@
         - elasticsearch
       when: elastic_stack_version is version('6', '>=')
 
+    # Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config.
     - name: change JVM tmpdir (>= 6.x)
       lineinfile:
         dest: /etc/elasticsearch/jvm.options
@@ -54,4 +63,4 @@
       tags:
         - elasticsearch
       when: elastic_stack_version is version('6', '>=')
-  when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec.rc == 0
+  when: (elasticsearch_custom_tmpdir is not none and elasticsearch_custom_tmpdir | length > 0) or fstab_tmp_noexec.rc == 0

elasticsearch/templates/rotate_elasticsearch_logs.j2

@@ -5,5 +5,10 @@ LOG_DIR=/var/log/elasticsearch
 USER=elasticsearch
 MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }}
 
-find ${LOG_DIR} -type f -user ${USER} \( -name "*.log.????-??-??" -o -name "*-????-??-??.log" \) -exec gzip --best {} \;
-find ${LOG_DIR} -type f -user ${USER} \( -name "*.log.????-??-??.gz" -o -name "*-????-??-??.log.gz" \) -ctime +${MAX_AGE} -delete
+# Compress logs
+find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \;
+find ${LOG_DIR} -type f -user ${USER} -name "*-????-??-??.log" -exec gzip --best {} \;
+find ${LOG_DIR} -type f -user ${USER} -name "*.log.??" -not -name "*.gz" -exec gzip --best {} \;
+
+# Delete old logs
+find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete

etc-git/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
-commit_message: Ansible run
+etc_git_default_commit_message: Ansible run
 
 etc_git_monitor_status: True
+etc_git_purge_index_lock_enabled: True
+etc_git_purge_index_lock_age: 86400

etc-git/files/etc-git-optimize

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+    if [ -d "${repository}/.git" ]; then
+        git --git-dir="${repository}/.git" gc --quiet
+    fi
+done

etc-git/files/etc-git-status

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+    if [ -d "${repository}/.git" ]; then
+        git --git-dir="${repository}/.git" --work-tree="${repository}" status --short
+    fi
+done

etc-git/files/evocommit

@@ -0,0 +1,265 @@
+#!/bin/sh
+
+set -u
+
+VERSION="21.10"
+
+show_version() {
+    cat <<END
+evocommit version ${VERSION}
+
+Copyright 2021 Evolix <info@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+evocommit comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+
+show_help() {
+    cat <<END
+evocommit helps properly committing changes in a repository
+
+END
+    show_usage
+}
+show_usage() {
+    cat <<END
+Usage: evocommit --repository /path/to/repository --message "add new host"
+
+Options
+     --repository PATH   set the path for the repository
+     --message MESSAGE   set the commit message
+ -V, --version           print version number
+ -v, --verbose           increase verbosity
+ -n, --dry-run           actions are not executed
+     --help              print this message and exit
+     --version           print version and exit
+END
+}
+
+syslog() {
+    if [ -x "${LOGGER_BIN}" ]; then
+        ${LOGGER_BIN} -t "evocommit" "$1"
+    fi
+}
+get_system() {
+    uname -s
+}
+is_repository_readonly() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount | grep "${partition}" | grep -q "read-only"
+    elif command -v findmnt >/dev/null; then
+        mountpoint=$(stat -c '%m' $1)
+        findmnt "${mountpoint}" --noheadings --output OPTIONS -O ro
+    else
+        grep /usr /proc/mounts | grep -E '\bro\b'
+    fi
+}
+remount_repository_readwrite() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount -u -w /dev/${partition} 2>/dev/null
+    else
+        mountpoint=$(stat -c '%m' $1)
+        mount -o remount,rw ${mountpoint}
+        syslog "Re-mount ${mountpoint} as read-write to commit in repository $1"
+    fi
+}
+remount_repository_readonly() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount -u -r /dev/${partition} 2>/dev/null
+    else
+        mountpoint=$(stat -c '%m' $1)
+        mount -o remount,ro ${mountpoint} 2>/dev/null
+        syslog "Re-mount ${mountpoint} as read-only after commit to repository $1"
+    fi
+}
+is_dry_run() {
+    test "${DRY_RUN}" = "1"
+}
+is_verbose() {
+    test "${VERBOSE}" = "1"
+}
+is_ansible() {
+    test "${ANSIBLE}" = "1"
+}
+main() {
+    rc=0
+    lock="${GIT_DIR}/index.lock"
+    if [ -f "${lock}" ]; then
+        limit=$(date +"%s" -d "now - 1 hour")
+        updated_at=$(stat -c "%Y" "${lock}")
+        if [ "$updated_at" -lt "$limit" ]; then
+            rm -f "${lock}"
+        fi
+    fi
+
+    git_status=$(${GIT_BIN} status --porcelain)
+
+    if [ -n "${git_status}" ]; then
+        if is_dry_run; then
+            ${GIT_BIN} status
+        else
+            readonly_orig=0
+            # remount mount point read-write if currently readonly
+            if is_repository_readonly "${REPOSITORY}"; then
+                readonly_orig=1;
+                remount_repository_readwrite "${REPOSITORY}";
+            fi
+            author=$(logname)
+            email=$(git config --get user.email)
+            email=${email:-"${author}@evolix.net"}
+
+            # commit changes
+            git_add_result=$(${GIT_BIN} add --all)
+            git_add_rc=$?
+
+            if is_ansible; then
+                if [ ${git_add_rc} -ne 0 ]; then
+                    printf "FAILED: %s\n%s" "can't add changes in ${REPOSITORY}" "${git_add_result}"
+                    rc=1
+                fi
+            fi
+
+            git_commit_result=$(${GIT_BIN} commit --message "${MESSAGE}" --author "${author} <${email}>")
+            git_commit_rc=$?
+
+            if is_ansible; then
+                if [ ${git_commit_rc} -eq 0 ]; then
+                    printf "CHANGED: %s\n" "commit done in ${REPOSITORY} with \`${MESSAGE}'"
+                else
+                    printf "FAILED: %s\n%s" "can't commit in ${REPOSITORY} \`${MESSAGE}'" "${git_commit_result}"
+                    rc=1
+                fi
+            fi
+
+            # remount mount point read-only if it was before
+            if [ ${readonly_orig} -eq 1 ]; then
+                remount_repository_readonly "${REPOSITORY}"
+            fi
+        fi
+    else
+        if is_ansible; then
+            printf "INFO: %s\n" "no commit in ${REPOSITORY}'"
+        fi
+    fi
+
+    unset GIT_DIR
+    unset GIT_WORK_TREE
+
+    exit ${rc}
+}
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case ${1:-''} in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        --message)
+            # message options, with value speparated by space
+            if [ -n "$2" ]; then
+                MESSAGE=$2
+                shift
+            else
+                printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --message=?*)
+            # message options, with value speparated by =
+            MESSAGE=${1#*=}
+            ;;
+        --message=)
+            # message options, without value
+            printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        --repository)
+            # repository options, with value speparated by space
+            if [ -n "$2" ]; then
+                REPOSITORY=$2
+                shift
+            else
+                printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --repository=?*)
+            # repository options, with value speparated by =
+            REPOSITORY=${1#*=}
+            ;;
+        --repository=)
+            # repository options, without value
+            printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        -n|--dry-run)
+            # disable actual commands
+            DRY_RUN=1
+            ;;
+        -v|--verbose)
+            # print verbose information
+            VERBOSE=1
+            ;;
+        --ansible)
+            # print information for Ansible
+            ANSIBLE=1
+            ;;
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+if [ -z "${MESSAGE}" ]; then
+    echo "Error: missing message parameter" >&2
+    show_usage
+    exit 1
+fi
+if [ -z "${REPOSITORY}" ]; then
+    echo "Error: missing repository parameter" >&2
+    show_usage
+    exit 1
+fi
+DRY_RUN=${DRY_RUN:-0}
+VERBOSE=${VERBOSE:-0}
+ANSIBLE=${ANSIBLE:-0}
+
+GIT_BIN=$(command -v git)
+readonly GIT_BIN
+
+LOGGER_BIN=$(command -v logger)
+readonly LOGGER_BIN
+
+export GIT_DIR="${REPOSITORY}/.git"
+export GIT_WORK_TREE="${REPOSITORY}"
+
+if [ -d "${GIT_DIR}" ]; then
+    main
+else
+    echo "There is no Git repository in '${REPOSITORY}'" >&2
+    exit 1
+fi

etc-git/files/optimize-etc-git

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-git --git-dir /etc/.git gc --quiet

etc-git/meta/main.yml

@@ -1,17 +1,28 @@
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Put /etc under Git version control.
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is
+    # a keyword that describes and categorizes the role.
+    # Users find roles by searching for tags. Be sure to
+    # remove the '[]' above if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of
+    # alphanumeric characters. Maximum 20 tags per role.
 
 dependencies: []
   # List your role dependencies here, one per line.

etc-git/tasks/commit.yml

@@ -1,57 +1,52 @@
 ---
-- name: is /etc clean?
-  command: git status --porcelain
-  args:
-    chdir: /etc
-  changed_when: False
-  register: git_status
-  when: not ansible_check_mode
+
+# /etc
+- name: Is /etc a git repository
+  stat:
+    path: /etc/.git
+  register: _etc_git
+
+- name: "evocommit /etc"
+  command: "/usr/local/bin/evocommit --ansible --repository /etc --message \"{{ commit_message | mandatory }}\""
+  changed_when:
+    - _etc_git_commit.stdout
+    - "'CHANGED:' in _etc_git_commit.stdout"
   ignore_errors: yes
-  tags:
-    - etc-git
-    - commit-etc
-
-- debug:
-    var: git_status
-    verbosity: 3
-  tags:
-    - etc-git
-    - commit-etc
-
-- name: fetch current Git user.email
-  git_config:
-    name: user.email
-    repo: /etc
-  register: git_config_user_email
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit-etc
-
-- name: "set commit author"
-  set_fact:
-    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
-    commit_email:  '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
-  tags:
-    - etc-git
-    - commit-etc
-
-- name: "/etc modifications are committed"
-  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
-  args:
-    chdir: /etc
-  register: etc_commit_end_run
+  register: _etc_git_commit
   when:
-    - not ansible_check_mode
-    - git_status.stdout
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit-etc
+    - _etc_git.stat.exists
+    - _etc_git.stat.isdir
 
-- debug:
-    var: etc_commit_end_run
-    verbosity: 4
-  tags:
-    - etc-git
-    - commit-etc
+# /etc/bind
+- name: Is /etc/bind a git repository
+  stat:
+    path: /etc/bind/.git
+  register: _etc_bind_git
+
+- name: "evocommit /etc/bind"
+  command: "/usr/local/bin/evocommit --ansible --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
+  changed_when:
+    - _etc_bind_git_commit.stdout
+    - "'CHANGED:' in _etc_bind_git_commit.stdout"
+  ignore_errors: yes
+  register: _etc_bind_git_commit
+  when:
+    - _etc_bind_git.stat.exists
+    - _etc_bind_git.stat.isdir
+
+# /usr/share/scripts
+- name: Is /usr/share/scripts a git repository
+  stat:
+    path: /usr/share/scripts/.git
+  register: _usr_share_scripts_git
+
+- name: "evocommit /usr/share/scripts"
+  command: "/usr/local/bin/evocommit --ansible --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
+  changed_when:
+    - _usr_share_scripts_git_commit.stdout
+    - "'CHANGED:' in _usr_share_scripts_git_commit.stdout"
+  ignore_errors: yes
+  register: _usr_share_scripts_git_commit
+  when:
+    - _usr_share_scripts_git.stat.exists
+    - _usr_share_scripts_git.stat.isdir

etc-git/tasks/main.yml

@@ -7,6 +7,18 @@
   tags:
     - etc-git
 
+- include_role:
+    name: evolix/remount-usr
+
+- name: "evocommit script is installed"
+  copy:
+    src: evocommit
+    dest: /usr/local/bin/evocommit
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
 - include: repository.yml
   vars:
     repository_path: "/etc"
@@ -32,36 +44,71 @@
     - _usr_share_scripts.stat.isdir
     - ansible_distribution_major_version is version('10', '>=')
 
+- name: "etc-git-optimize script is installed"
+  copy:
+    src: etc-git-optimize
+    dest: /usr/share/scripts/etc-git-optimize
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
+- name: "etc-git-status script is installed"
+  copy:
+    src: etc-git-status
+    dest: /usr/share/scripts/etc-git-status
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
 - name: Check if cron is installed
-  shell: "dpkg -l cron 2> /dev/null | grep -q -E '^(i|h)i'"
+  shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
+  args:
+    executable: /bin/bash
   failed_when: False
   changed_when: False
   check_mode: no
   register: is_cron_installed
 
-- name: Optimize script is installed in monthly crontab
-  copy:
-    src: optimize-etc-git
-    dest: /etc/cron.monthly/optimize-etc-git
-    mode: "0750"
-    force: no
+- block:
+  - name: Legacy cron jobs for /etc/.git status are absent 
+    file:
+      dest: "{{ item }}"
+      state: absent
+    loop:
+      - /etc/cron.monthly/optimize-etc-git
+      - /etc/cron.d/etc-git-status
+
+  - name: Cron job for monthly git optimization
+    cron:
+      name: "Monthly optimization"
+      cron_file: etc-git
+      special_time: "monthly"
+      user: root
+      job: "/usr/share/scripts/etc-git-optimize"
+
+  - name: Cron job for hourly git status
+    cron:
+      name: "Hourly warning for unclean Git repository if nobody is connected"
+      cron_file: etc-git
+      special_time: "hourly"
+      user: root
+      job: "who > /dev/null || /usr/share/scripts/etc-git-status"
+      state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
+
+  - name: Cron job for daily git status
+    cron:
+      name: "Daily warning for unclean Git repository"
+      cron_file: etc-git
+      user: root
+      job: "/usr/share/scripts/etc-git-status"
+      minute: "21"
+      hour: "21"
+      weekday: "*"
+      day: "*"
+      month: "*"
+      state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
   when: is_cron_installed.rc == 0
   tags:
-    - etc-git
-
-- name: Cron job for /etc/.git status is installed
-  template:
-    src: etc-git-status.j2
-    dest: /etc/cron.d/etc-git-status
-    mode: "0644"
-  when: is_cron_installed.rc == 0 and etc_git_monitor_status
-  tags:
-    - etc-git
-
-- name: Cron job for /etc/.git status is removed
-  file:
-    dest: /etc/cron.d/etc-git-status
-    state: absent
-  when: is_cron_installed.rc == 0 and not etc_git_monitor_status
-  tags:
-    - etc-git
+    - etc-git

etc-git/tasks/repository.yml

@@ -46,7 +46,7 @@
   lineinfile:
     dest: "{{ repository_path }}/.gitignore"
     line: "{{ item }}"
-  with_items: "{{ gitignore_items | default([]) }}"
+  loop: "{{ gitignore_items | default([]) }}"
   tags:
     - etc-git
 
@@ -68,6 +68,6 @@
     chdir: "{{ repository_path }}"
     warn: no
   register: git_commit
-  when: git_log.rc != 0 or (git_init is defined and git_init.changed)
+  when: git_log.rc != 0 or (git_init is defined and git_init is changed)
   tags:
-    - etc-git
+    - etc-git

etc-git/templates/etc-git-status.j2

@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-
-@hourly root who > /dev/null || git --git-dir=/etc/.git --work-tree=/etc status --short
-21 21 * * * root git --git-dir=/etc/.git --work-tree=/etc status --short

evoacme/defaults/main.yml

@@ -5,7 +5,7 @@ evoacme_dhparam_size: 2048
 evoacme_acme_dir: /var/lib/letsencrypt
 evoacme_csr_dir: /etc/ssl/requests
 evoacme_crt_dir: /etc/letsencrypt
-evoacme_hooks_dir: "{{ evoacme_crt_dir }}/hooks"
+evoacme_hooks_dir: "{{ evoacme_crt_dir }}/renewal-hooks/deploy"
 evoacme_log_dir: /var/log/evoacme
 evoacme_ssl_minday: 30
 evoacme_ssl_ct: 'FR'
@@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille'
 evoacme_ssl_org: 'Evolix'
 evoacme_ssl_ou: 'Security'
 evoacme_ssl_email: 'security@evolix.net'
+
+evoacme_disable_debian_check: False

evoacme/files/evoacme.cron

@@ -15,12 +15,13 @@ find "${CRT_DIR}" \
     -maxdepth 1 \
     -mindepth 1 \
     -type d \
-    ! -path "*accounts" \
-    ! -path "*archive" \
-    ! -path "*csr" \
-    ! -path "*hooks" \
-    ! -path "*keys" \
-    ! -path "*live" \
-    ! -path "*renewal" \
+    ! -path "${CRT_DIR}/accounts" \
+    ! -path "${CRT_DIR}/archive" \
+    ! -path "${CRT_DIR}/csr" \
+    ! -path "${CRT_DIR}/hooks" \
+    ! -path "${CRT_DIR}/keys" \
+    ! -path "${CRT_DIR}/live" \
+    ! -path "${CRT_DIR}/renewal" \
+    ! -path "${CRT_DIR}/renewal-hooks" \
     -printf "%f\n" \
         | xargs --max-args=1 --no-run-if-empty evoacme

evoacme/files/evoacme.sh

@@ -14,7 +14,7 @@ show_version() {
     cat <<END
 evoacme version ${VERSION}
 
-Copyright 2009-2019 Evolix <info@evolix.fr>,
+Copyright 2009-2021 Evolix <info@evolix.fr>,
                     Victor Laborie <vlaborie@evolix.fr>,
                     Jérémy Lecour <jlecour@evolix.fr>,
                     Benoit Série <bserie@evolix.fr>
@@ -208,6 +208,7 @@ main() {
     [ "${TEST}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert"
     [ "${QUIET}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet"
     [ "${DRY_RUN}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run"
+    [ "${CERTBOT_SELF_UPGRADE}" = "0" ] && CERTBOT_MODE="${CERTBOT_MODE} --no-self-upgrade"
 
     local CERTBOT_REGISTRATION="--agree-tos"
     if [ -n "${SSL_EMAIL}" ]; then
@@ -284,13 +285,19 @@ main() {
     export EVOACME_CHAIN="${LIVE_CHAIN}"
     export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}"
 
+    # emulate certbot hooks environment variables
+    export RENEWED_LINEAGE="${LIVE_DIR}"
+    export RENEWED_DOMAINS="${VHOST}"
+
     # search for files in hooks directory
-    for hook in $(find ${HOOKS_DIR} -type f); do
+    for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do
+        set +e
         # keep only executables files, not containing a "."
-        if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF "."); then
+        if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then
             debug "Executing ${hook}"
             ${hook}
         fi
+        set -e
     done
 }
 
@@ -303,7 +310,7 @@ readonly QUIET=${QUIET:-"0"}
 readonly TEST=${TEST:-"0"}
 readonly DRY_RUN=${DRY_RUN:-"0"}
 
-readonly VERSION="20.06.1"
+readonly VERSION="21.01"
 
 # Read configuration file, if it exists
 [ -r /etc/default/evoacme ] && . /etc/default/evoacme
@@ -314,8 +321,9 @@ readonly ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"}
 readonly CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"}
 readonly CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"}
 readonly LOG_DIR=${LOG_DIR:-"/var/log/evoacme"}
-readonly HOOKS_DIR=${HOOKS_DIR:-"${CRT_DIR}/hooks"}
+readonly HOOKS_DIR=${HOOKS_DIR:-"${CRT_DIR}/renewal-hooks/deploy"}
 readonly SSL_MINDAY=${SSL_MINDAY:-"30"}
 readonly SSL_EMAIL=${SSL_EMAIL:-""}
+readonly CERTBOT_SELF_UPGRADE=${CERTBOT_SELF_UPGRADE:-"0"}
 
 main ${ARGS}

evoacme/files/hooks/commit

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-git_bin=$(command -v git)
-letsencrypt_dir=/etc/letsencrypt
-export GIT_DIR="/etc/.git"
-export GIT_WORK_TREE="/etc"
-
-if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
-  changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
-
-  if [ "${changed_lines}" != "0" ]; then
-      ${git_bin} add --all ${letsencrypt_dir}
-      message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
-      ${git_bin} commit --message "${message}" --quiet
-  else
-      echo "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
-  fi
-fi

evoacme/files/hooks/reload_apache

@@ -1,30 +0,0 @@
-#!/bin/sh
-
-readonly PROGNAME=$(basename "$0")
-# shellcheck disable=SC2124,SC2034
-readonly ARGS=$@
-
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
-error() {
-    >&2 echo "${PROGNAME}: $1"
-    exit 1
-}
-debug() {
-    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
-        >&2 echo "${PROGNAME}: $1"
-    fi
-}
-
-if [ -n "$(pidof apache2)" ]; then
-    # shellcheck disable=SC2091
-    if $($(command -v apache2ctl) -t 2> /dev/null); then
-        debug "Apache detected... reloading"
-        service apache2 reload
-    else
-        error " Apache config is broken, you must fix it !"
-    fi
-else
-    debug "Apache is not running. Skip."
-fi

evoacme/files/hooks/reload_dovecot

@@ -1,35 +0,0 @@
-#!/bin/sh
-
-readonly PROGNAME=$(basename "$0")
-# shellcheck disable=SC2124,SC2034
-readonly ARGS=$@
-
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
-error() {
-    >&2 echo "${PROGNAME}: $1"
-    exit 1
-}
-debug() {
-    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
-        >&2 echo "${PROGNAME}: $1"
-    fi
-}
-
-if [ -n "$(pidof dovecot)" ]; then
-    # shellcheck disable=SC2091
-    if $($(command -v doveconf) > /dev/null); then
-        # shellcheck disable=SC2091
-        if $($(command -v doveconf)|grep -E "^ssl_cert[^_]"|grep -q "letsencrypt"); then
-            debug "Dovecot detected... reloading"
-            service dovecot reload
-        else
-            debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
-        fi
-    else
-        error "Dovecot config is broken, you must fix it !"
-    fi
-else
-    debug "Dovecot is not running. Skip."
-fi

evoacme/files/hooks/reload_nginx

@@ -1,30 +0,0 @@
-#!/bin/sh
-
-readonly PROGNAME=$(basename "$0")
-# shellcheck disable=SC2124,SC2034
-readonly ARGS=$@
-
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
-error() {
-    >&2 echo "${PROGNAME}: $1"
-    exit 1
-}
-debug() {
-    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
-        >&2 echo "${PROGNAME}: $1"
-    fi
-}
-
-if [ -n "$(pidof nginx)" ]; then
-    # shellcheck disable=SC2091
-    if $($(command -v nginx) -t 2> /dev/null); then
-        debug "Nginx detected... reloading"
-        service nginx reload
-    else
-        error "Nginx config is broken, you must fix it !"
-    fi
-else
-    debug "Nginx is not running. Skip."
-fi

evoacme/files/hooks/reload_postfix

@@ -1,35 +0,0 @@
-#!/bin/sh
-
-readonly PROGNAME=$(basename "$0")
-# shellcheck disable=SC2124,SC2034
-readonly ARGS=$@
-
-readonly VERBOSE=${VERBOSE:-"0"}
-readonly QUIET=${QUIET:-"0"}
-
-error() {
-    >&2 echo "${PROGNAME}: $1"
-    exit 1
-}
-debug() {
-    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
-        >&2 echo "${PROGNAME}: $1"
-    fi
-}
-
-if [ -n "$(pidof master)" ]; then
-    # shellcheck disable=SC2091
-    if $($(command -v postconf) > /dev/null); then
-        # shellcheck disable=SC2091
-        if $($(command -v postconf)|grep -E "^smtpd_tls_cert_file"|grep -q "letsencrypt"); then
-            debug "Postfix detected... reloading"
-            service postfix reload
-        else
-            debug "Postfix doesn't use Let's Encrypt certificate. Skip."
-        fi
-    else
-        error "Postfix config is broken, you must fix it !"
-    fi
-else
-    debug "Postfix is not running. Skip."
-fi

evoacme/files/make-csr.sh

@@ -13,7 +13,7 @@ show_version() {
     cat <<END
 make-csr version ${VERSION}
 
-Copyright 2009-2019 Evolix <info@evolix.fr>,
+Copyright 2009-2021 Evolix <info@evolix.fr>,
                     Victor Laborie <vlaborie@evolix.fr>,
                     Jérémy Lecour <jlecour@evolix.fr>,
                     Benoit Série <bserie@evolix.fr>
@@ -112,9 +112,9 @@ openssl_selfsigned() {
     [ -r "${key}" ] || error "File ${key} is not readable"
     [ -w "${crt_dir}" ] || error "Directory ${crt_dir} is not writable"
     if grep -q SAN "${cfg}"; then
-        "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -extensions SAN -extfile "${cfg}" -signkey "${key}" -out "${crt}" 2> /dev/null
+        "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -extensions SAN -extfile "${cfg}" -signkey "${key}" -out "${crt}" 2>/dev/null
     else
-        "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null
+        "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2>/dev/null
     fi
 
     [ -r "${crt}" ] || error "Something went wrong, ${crt} has not been generated"
@@ -126,7 +126,7 @@ openssl_key(){
 
     [ -w "${key_dir}" ] || error "Directory ${key_dir} is not writable"
 
-    "${OPENSSL_BIN}" genrsa -out "${key}" "${size}" 2> /dev/null
+    "${OPENSSL_BIN}" genrsa -out "${key}" "${size}" 2>/dev/null
 
     [ -r "${key}" ] || error "Something went wrong, ${key} has not been generated"
 }
@@ -265,7 +265,7 @@ readonly ARGS=$@
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
 
-readonly VERSION="20.06.1"
+readonly VERSION="21.01"
 
 # Read configuration file, if it exists
 [ -r /etc/default/evoacme ] && . /etc/default/evoacme

evoacme/files/vhost-domains.sh

@@ -13,7 +13,7 @@ show_version() {
     cat <<END
 vhost-domains version ${VERSION}
 
-Copyright 2009-2019 Evolix <info@evolix.fr>,
+Copyright 2009-2021 Evolix <info@evolix.fr>,
                     Victor Laborie <vlaborie@evolix.fr>,
                     Jérémy Lecour <jlecour@evolix.fr>,
                     Benoit Série <bserie@evolix.fr>
@@ -170,7 +170,7 @@ readonly ARGS=$@
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}
 
-readonly VERSION="20.06.1"
+readonly VERSION="21.01"
 
 readonly SRV_IP=${SRV_IP:-""}
 

evoacme/meta/main.yml

@@ -1,18 +1,28 @@
 galaxy_info:
-  author: Evolix
+  company: Evolix
   description: Install evoacme ; a wrapper for Certbot (Let's Encrypt)
 
   issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 
   license: GPLv2
 
-  min_ansible_version: 2.2
+  min_ansible_version: "2.2"
 
   platforms:
-  - name: Debian
-    versions:
-    - jessie
-    - stretch
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is
+    # a keyword that describes and categorizes the role.
+    # Users find roles by searching for tags. Be sure to
+    # remove the '[]' above if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of
+    # alphanumeric characters. Maximum 20 tags per role.
 
 dependencies: []
   # List your role dependencies here, one per line.

evoacme/tasks/acme.yml

@@ -1,61 +0,0 @@
----
-- name: Create acme group
-  group:
-    name: acme
-    state: present
-
-- name: Create acme user
-  user:
-    name: acme
-    group: acme
-    state: present
-    createhome: no
-    home: "{{ evoacme_acme_dir }}"
-    shell: /bin/false
-    system: yes
-
-- name: Fix crt dir's right
-  file:
-    path: "{{ evoacme_crt_dir }}"
-    mode: "0755"
-    owner: acme
-    group: acme
-    state: directory
-
-- name: "Fix hooks directory permissions"
-  file:
-    path: "{{ evoacme_hooks_dir }}"
-    mode: "0700"
-    owner: acme
-    group: acme
-    state: directory
-
-- name: Fix log dir's right
-  file:
-    path: "{{ evoacme_log_dir }}"
-    mode: "0755"
-    owner: acme
-    group: acme
-    state: directory
-
-- name: Fix challenge dir's right
-  file:
-    path: "{{ evoacme_acme_dir }}"
-    mode: "0755"
-    owner: acme
-    group: acme
-    state: directory
-
-- name: Is /etc/aliases present?
-  stat:
-    path: /etc/aliases
-  register: etc_aliases
-
-- name: Set acme aliases
-  lineinfile:
-    state: present
-    dest: /etc/aliases
-    line: 'acme: root'
-    regexp: 'acme:'
-  when: etc_aliases.stat.exists
-  notify: "newaliases"

evoacme/tasks/apache.yml

@@ -1,25 +0,0 @@
-- name: Create conf dirs
-  file:
-    path: "/etc/apache2/{{ item }}"
-    state: directory
-  with_items:
-    - 'conf-available'
-    - 'conf-enabled'
-
-- name: Copy acme challenge conf
-  template:
-    src: templates/apache.conf.j2
-    dest: /etc/apache2/conf-available/letsencrypt.conf
-    owner: root
-    group: root
-    mode: "0644"
-  notify: reload apache2
-
-- name: Enable acme challenge conf
-  file:
-    src: /etc/apache2/conf-available/letsencrypt.conf
-    dest: /etc/apache2/conf-enabled/letsencrypt.conf
-    state: link
-    owner: root
-    group: root
-  notify: reload apache2

evoacme/tasks/certbot.yml

@@ -1,45 +1,24 @@
 ---
+- name: Do no install certbot crontab
+  set_fact:
+    certbot_custom_crontab: False
 
-- name: Use backports for jessie
-  block:
-    - name: install jessie-backports
-      include_role:
-        name: evolix/apt
-        tasks_from: backports.yml
-
-    - name: Add exceptions for certbot dependencies
-      copy:
-        src: backports-certbot
-        dest: /etc/apt/preferences.d/z-backports-certbot
-      notify: apt update
-
-    - meta: flush_handlers
-  when: ansible_distribution_release == "jessie"
-
-- name: Install certbot with apt
-  apt:
-    name: certbot
-    state: latest
+- include_role:
+    name: evolix/certbot
 
 - include_role:
     name: evolix/remount-usr
 
-- name: Remove certbot symlink for apt install
-  file:
-    path: /usr/local/bin/certbot
-    state: absent
 
 - name: Disable /etc/cron.d/certbot
-  command: mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
+  command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled
   args:
     removes: /etc/cron.d/certbot
-    creates: /etc/cron.d/certbot.disabled
 
 - name: Disable /etc/cron.daily/certbot
-  command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
+  command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
   args:
     removes: /etc/cron.daily/certbot
-    creates: /etc/cron.daily/certbot.disabled
 
 - name: Install evoacme custom cron
   copy:

evoacme/tasks/conf.yml

@@ -4,7 +4,7 @@
     section: 'req'
     option: "{{ item.name }}"
     value: "{{ item.var }}"
-  with_items:
+  loop:
      - { name: 'default_bits', var: "{{ evoacme_ssl_key_size }}" }
      - { name: 'encrypt_key', var: 'yes' }
      - { name: 'distinguished_name', var: 'req_dn' }
@@ -16,7 +16,7 @@
     section: 'req_dn'
     option: "{{ item.name }}"
     value: "{{ item.var }}"
-  with_items:
+  loop:
      - { name: 'C', var: "{{ evoacme_ssl_ct }}" }
      - { name: 'ST', var: "{{ evoacme_ssl_state }}" }
      - { name: 'L', var: "{{ evoacme_ssl_loc }}" }

evoacme/tasks/evoacme_hook.yml

@@ -1,5 +1,10 @@
 ---
 
+- name: "Create {{ hook_name }} hook directory"
+  file:
+    dest: "{{ evoacme_hooks_dir }}"
+    state: directory
+
 - name: "Search for {{ hook_name }} hook"
   command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
   check_mode: no
@@ -11,4 +16,4 @@
     src: "hooks/{{ hook_name }}"
     dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}"
     mode: "0750"
-  when: _find_hook.stdout == ""
+  when: _find_hook.stdout | length == 0

evoacme/tasks/main.yml

@@ -1,42 +1,23 @@
 ---
 
-- fail:
-    msg: only compatible with Debian >= 8
-  when:
-  - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
+- name: Verify Debian version
+  assert:
+    that:
+      - ansible_distribution == "Debian"
+      - ansible_distribution_major_version is version('9', '>=')
+    msg: only compatible with Debian >= 9
+  when: not (evoacme_disable_debian_check | bool)
 
 - include: certbot.yml
 
-- include: acme.yml
+- include: permissions.yml
 
-- include: evoacme_hook.yml
-  vars:
-    hook_name: "{{ item }}"
-  with_items:
-    - reload_apache
-    - reload_nginx
-    - reload_dovecot
-    - reload_postfix
-    - commit
+# Enable this task if you want to deploy hooks
+# - include: evoacme_hook.yml
+#   vars:
+#     hook_name: "{{ item }}"
+#   loop: []
 
 - include: conf.yml
 
 - include: scripts.yml
-
-- name: Determine Apache presence
-  stat:
-    path: /etc/apache2/apache2.conf
-  check_mode: no
-  register: sta
-
-- name: Determine Nginx presence
-  stat:
-    path: /etc/nginx/nginx.conf
-  check_mode: no
-  register: stn
-
-- include: apache.yml
-  when: sta.stat.isreg is defined and sta.stat.isreg
-
-- include: nginx.yml
-  when: stn.stat.isreg is defined and stn.stat.isreg

evoacme/tasks/nginx.yml

@@ -1,35 +0,0 @@
----
-
-- name: move acme challenge conf if missplaced
-  command: mv /etc/nginx/letsencrypt.conf /etc/nginx/snippets/letsencrypt.conf
-  args:
-    removes: /etc/nginx/letsencrypt.conf
-    creates: /etc/nginx/snippets/letsencrypt.conf
-
-- name: Copy acme challenge conf
-  template:
-    src: templates/nginx.conf.j2
-    dest: /etc/nginx/snippets/letsencrypt.conf
-    owner: root
-    group: root
-    mode: "0644"
-
-- name: look for old path
-  command: grep -r /etc/nginx/letsencrypt.conf /etc/nginx
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_letsencrypt_old_path
-
-- name: Keep a symlink for vhosts with old path
-  file:
-    src: /etc/nginx/snippets/letsencrypt.conf
-    dest: /etc/nginx/letsencrypt.conf
-    state: link
-  when: grep_letsencrypt_old_path.rc == 0
-
-- name: Remove symlink if no vhost with old path
-  file:
-    dest: /etc/nginx/letsencrypt.conf
-    state: absent
-  when: grep_letsencrypt_old_path.rc == 1