From 5917a8eefc169b2ac5194905db33b6a41dbfbc7e Mon Sep 17 00:00:00 2001
From: Alexander Olofsson <ace@haxalot.com>
Date: Fri, 7 Aug 2020 23:23:34 +0200
Subject: [PATCH] Save work on WIP Matrix Synapse chart

---
 charts-wip/matrix-synapse/.helmignore         |  22 +
 charts-wip/matrix-synapse/Chart.lock          |   9 +
 charts-wip/matrix-synapse/Chart.yaml          |  18 +
 .../charts/postgresql-8.9.9.tgz               | Bin 0 -> 33147 bytes
 .../charts/postgresql/.helmignore             |  21 +
 .../charts/postgresql/Chart.yaml              |  23 +
 .../charts/postgresql/README.md               | 580 ++++++++++++++++++
 .../postgresql/ci/commonAnnotations.yaml      |   4 +
 .../charts/postgresql/ci/default-values.yaml  |   1 +
 .../ci/shmvolume-disabled-values.yaml         |   2 +
 .../charts/postgresql/files/README.md         |   1 +
 .../charts/postgresql/files/conf.d/README.md  |   4 +
 .../docker-entrypoint-initdb.d/README.md      |   3 +
 .../charts/postgresql/templates/NOTES.txt     |  60 ++
 .../charts/postgresql/templates/_helpers.tpl  | 452 ++++++++++++++
 .../postgresql/templates/configmap.yaml       |  29 +
 .../templates/extended-config-configmap.yaml  |  24 +
 .../templates/initialization-configmap.yaml   |  27 +
 .../templates/metrics-configmap.yaml          |  16 +
 .../postgresql/templates/metrics-svc.yaml     |  29 +
 .../postgresql/templates/networkpolicy.yaml   |  41 ++
 .../templates/podsecuritypolicy.yaml          |  40 ++
 .../postgresql/templates/prometheusrule.yaml  |  26 +
 .../charts/postgresql/templates/role.yaml     |  22 +
 .../postgresql/templates/rolebinding.yaml     |  22 +
 .../charts/postgresql/templates/secrets.yaml  |  26 +
 .../postgresql/templates/serviceaccount.yaml  |  14 +
 .../postgresql/templates/servicemonitor.yaml  |  37 ++
 .../templates/statefulset-slaves.yaml         | 302 +++++++++
 .../postgresql/templates/statefulset.yaml     | 457 ++++++++++++++
 .../postgresql/templates/svc-headless.yaml    |  22 +
 .../charts/postgresql/templates/svc-read.yaml |  46 ++
 .../charts/postgresql/templates/svc.yaml      |  44 ++
 .../charts/postgresql/values-production.yaml  | 556 +++++++++++++++++
 .../charts/postgresql/values.schema.json      | 103 ++++
 .../charts/postgresql/values.yaml             | 562 +++++++++++++++++
 .../matrix-synapse/charts/redis-10.6.19.tgz   | Bin 0 -> 56701 bytes
 charts-wip/matrix-synapse/templates/NOTES.txt |  14 +
 .../matrix-synapse/templates/_helpers.tpl     | 219 +++++++
 .../templates/configuration.yaml              | 228 +++++++
 .../matrix-synapse/templates/deployment.yaml  | 246 ++++++++
 .../matrix-synapse/templates/ingress.yaml     |  77 +++
 .../matrix-synapse/templates/secrets.yaml     |  83 +++
 .../matrix-synapse/templates/service.yaml     |  59 ++
 .../templates/signing-key-job.yaml            | 115 ++++
 .../templates/tests/test-connection.yaml      |  16 +
 .../matrix-synapse/templates/well-known.yaml  | 101 +++
 charts-wip/matrix-synapse/values.yaml         | 312 ++++++++++
 48 files changed, 5115 insertions(+)
 create mode 100644 charts-wip/matrix-synapse/.helmignore
 create mode 100644 charts-wip/matrix-synapse/Chart.lock
 create mode 100644 charts-wip/matrix-synapse/Chart.yaml
 create mode 100644 charts-wip/matrix-synapse/charts/postgresql-8.9.9.tgz
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/.helmignore
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/Chart.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/README.md
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/ci/commonAnnotations.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/ci/default-values.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/ci/shmvolume-disabled-values.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/files/README.md
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/files/conf.d/README.md
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/files/docker-entrypoint-initdb.d/README.md
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/NOTES.txt
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/_helpers.tpl
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/configmap.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/extended-config-configmap.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/initialization-configmap.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/metrics-configmap.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/metrics-svc.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/networkpolicy.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/podsecuritypolicy.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/prometheusrule.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/role.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/rolebinding.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/secrets.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/serviceaccount.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/servicemonitor.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/statefulset-slaves.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/statefulset.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/svc-headless.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/svc-read.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/templates/svc.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/values-production.yaml
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/values.schema.json
 create mode 100755 charts-wip/matrix-synapse/charts/postgresql/values.yaml
 create mode 100644 charts-wip/matrix-synapse/charts/redis-10.6.19.tgz
 create mode 100644 charts-wip/matrix-synapse/templates/NOTES.txt
 create mode 100644 charts-wip/matrix-synapse/templates/_helpers.tpl
 create mode 100644 charts-wip/matrix-synapse/templates/configuration.yaml
 create mode 100644 charts-wip/matrix-synapse/templates/deployment.yaml
 create mode 100644 charts-wip/matrix-synapse/templates/ingress.yaml
 create mode 100644 charts-wip/matrix-synapse/templates/secrets.yaml
 create mode 100644 charts-wip/matrix-synapse/templates/service.yaml
 create mode 100644 charts-wip/matrix-synapse/templates/signing-key-job.yaml
 create mode 100644 charts-wip/matrix-synapse/templates/tests/test-connection.yaml
 create mode 100644 charts-wip/matrix-synapse/templates/well-known.yaml
 create mode 100644 charts-wip/matrix-synapse/values.yaml

diff --git a/charts-wip/matrix-synapse/.helmignore b/charts-wip/matrix-synapse/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/charts-wip/matrix-synapse/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts-wip/matrix-synapse/Chart.lock b/charts-wip/matrix-synapse/Chart.lock
new file mode 100644
index 0000000..f4bdde0
--- /dev/null
+++ b/charts-wip/matrix-synapse/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 8.9.9
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 10.6.19
+digest: sha256:41471dd6c6a7864a2fc5e7e2db8c904d9bda794126c654980dc3d4c09abb0720
+generated: "2020-08-07T11:25:38.491636877+02:00"
diff --git a/charts-wip/matrix-synapse/Chart.yaml b/charts-wip/matrix-synapse/Chart.yaml
new file mode 100644
index 0000000..701e163
--- /dev/null
+++ b/charts-wip/matrix-synapse/Chart.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v2
+name: matrix-synapse
+description: Matrix reference homeserver
+appVersion: 1.18.0
+
+type: application
+version: 0.1.0
+
+dependencies:
+  - name: postgresql
+    version: ~8.9.4
+    repository: https://charts.bitnami.com/bitnami
+    condition: postgresql.enabled
+  - name: redis
+    version: ~10.6.10
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
diff --git a/charts-wip/matrix-synapse/charts/postgresql-8.9.9.tgz b/charts-wip/matrix-synapse/charts/postgresql-8.9.9.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..6cfc3bb5983b9bfebaf90f9b957dec032ce546df
GIT binary patch
literal 33147
zcmV)@K!Lv>iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POw!d)qd$D2|_>^;gVQdT#92lq~11)ji#F9otR)Z0z{hPI~vr
z_G>{TBw<4mECAY3<9z@2&x1D-q)3U9<(F*DXScCPybK0|nZaOYkWenh4D&z2?%o73
z(V3zs{EziM+uPgQuU@=R|88$@m;decp6~oe@7c?jy=O09?7V#OAKSfW&wD%n0o!Ya
zqw-0)K<q!ZZ`@aTaNo#-67m5vPH5bR%U%m5N%phX>-^Z+ZUvb8j3h$6Q#1l2%HTv3
z&e{LG-2xN?9sUdZ!ecl@vLp&2KmrXB#}J_yjd6ry0es2@j#>a4?@sq$ADwN&6%i9z
zA4kaqal(PdfIkZyb220$5mP{MAYXEU;sCLLdp?blkf7MdofeMAB*uLhQ;~$N35{?c
zCPE~<-|b#qU3GHu?oc-FwumoBVM`2&h*3m3K8?DFb1Zn53*>*|U1wR4Xzcv-Q~|Ho
z+y30^z3L?Kxb+E7uP6(6zvV$*(D~8wGGw$o(BBwNLgFi2wLI{{lncyS5hAfbB*sj&
zh9gA6KKRtW{J##wEr1xw@xIpYobote#Q(nm=CZj6F+t+ah-DQDA6ojI130HC^RWWJ
zB5F*;BpoU|83^pZUO@d%n0Ze9OG`jMc7E#o)Vgm9e|+XW4xwM7Fva{91i*a$|NQy(
zv+XkffBE9sBmcjP=gAXz6Vf3HVP7p|AQ2j4NDxC27MStYlP7QzV#M(l#8hAq6C^-P
z2!|^YhCnYdV<eF8@l53{Ah92&0g1;D-~`73j(vjpmgH$8GENx|Ku}1zu0PhGC`yza
z@1=}Mxq&Vb3DGdjO4I<`*Kbbom~g?g>`-q`(l9*3KEpx|sHI!!x4_|hefaXV^#q{U
zL?5E5{reb2I4|Ke*;j7?Jg4yA@l=1!YH>js8sohXaW0!ZbAGqvXbmHGM5`H~;i$3<
z!=qe&NuI3vuVT$CW6sX17HG`7a?GkJIb@a%&D14Sy-g@5g39-^&9ndn8e5&f3-FMj
z*z0Y3?0E~|$rCtBuun!)Ksj<wXh{62{=APzC=CUdll^ozyh2m{6v)VoPoOan4o^cQ
zFc(j^0EZj{$3hi9934|}!Z63Nc&eMru+Z;zKcz#=Vk|K45ZVo>&$}td%p0d9z+Ke=
z?><Qw_L4LVNj&!SJJph;fDF_=xLxU<-X&U{38%pA5Mw}$p()VO3?+07HuNuuQZ8Vq
zRG?I~;WLZ`4uHgp-lgp236h#jaa_E5U;^<^yqm2ZFQI{#X$M_75<NICVdN4C?Af{Q
z+R;8y<IU(+zL-b1b~tJ#1WU1;v?)#Dil$)zA^C*m7ml&i+86>7k0^_jUL&=(kd8H?
z;ZT4`S<K<}?%A(uVIJ=u9YTPI>3A&p1BoFbF$wU{!Noic#FX|_$GrPQHt*5c8zMgO
zvUXdb`{=_6g&eDeb|#qYQBcV`1W_}S@i9kb9Hn6>rw9a&5=oq}p?IEE)6^U?thl3^
z%T2k^o~S?HnfCgn9%Y*id((~C*M$aUn};zGj&A6(LHYTThG~RPFpCJ6+=DCaJsxXL
zORr+gBn8VKiR3R_m?{v_G!_XZv6}VMG~VU!IcEJ4f5T{+$nIwwZvo&~vgp8K+VDyF
zrH<)Tvz?p_4A&WI?O6U^z-rdcY}Uzc%n~fJ91WlCX$5w(I>WhrmXnQmhV3k3Jep?|
zC|nLQWpYcnM`M9M8xDO;1@5cC`4f5-Tbh<TE*Q};kZJ;lfX0SX={8Ig9cHOpHzxT~
zOoeJ;h(mfcyNo&un)q#kW60jgz71`u3ANe{v{5Q(TPjF}F)IEdRTn|QpIlKjZMtE1
zM1q2>AIRk%kr)S3g<}7EEZ652q+Bu^pGFai1Kx)L3BXGSef94fxCTEJ;00}HgE!h4
z=;k#*5?*W|4X3izQ5vcZ|GNaoXA?3Ka5W+R1SW_B_kF#C52kYE`U(mXaM+ND+?I_=
zY@#rvS2)--Qtlr#g$PaI3TY0bwLij_!S&A;+*potNMbE=Brv*@ga$K{Z5Y(gia)8j
z=9B1y>a^oeA{rD+SeaRB#xS&uEyA{9@$XfWfI@*;EM*1vCpbt$%(eh`#vN!&1@Ke5
zGo!}Ut~wM*Rw#L&XDkHHLX6T-kR-%j){oZnp5z_NmDF!3=uT)byMAuG{4HkGEBsj~
z04mUxNd~Dxv;d4G=|gXOyVoipQ@zO{W|zdru<QF$Cfyw1{5{uAdq_9kZJ8IQt4et$
zxs4RibfjmRVH8XOe<obW1!r0S(_}~LP3nUtZnf+K!eygeaTrO$QdjcJRW;itG*&A{
zn{8&N(MY`pNbzax<3#XoqN;QyQnI--?^+2@<fyg8aMh(f^@anZAy%y5tbi(6<P`sr
z61kaEropq578@eJqBY0tRf*wL(SR&<k!p^bAkMES3(Q;lQ!dL8UE)*SAn!vj*H!s6
z_9u+SH06p55&;nna35&A1#~pp0)`_h@C8beaGL$PVnk@R5K<q76)Jg!Nm1eVr_ReR
zOJhMI>}eA7u29&Sh$wvW=KY@c+wNQM?ZJnGw-W3exIG11AKG*@YU}QPVKmZ`I*o=}
zLmLzZI)DI=6vszHdWpBRbSYF26Uxm#U5S$ky2J&XxW-3K)$h&^`cg&rQ7jqu5X0Y!
z_-%pg;4E(>NBp*K<1}v+_B6KwiC_Cp5^+azNh?s)IOOuMoXmv_6jc(XH#w~+jt0^6
z!g*&FMz&{GTr;B^*ho1J;7Us6K|Xhq*+_^6Rz_vt2AeZ0Y8mrqcNo%PH$sYApC0V)
zA02d};E7()@z_J2wFP@hZ=|s|B8&@<r7>*CjZ{np{$HD|C(ho$jE<k!#ZVrzYzj7%
zNKO;X)K969kr0nDm&$Ky1}w*W%VXu5?RjE?Jw~bU>|7KE+nSw>+zeeFU$*S;4_qZ$
zohhlCij45I7UoC?socuK_LWw5`}T|cbfmby)0+MUhy#KV2{DkE3ycD}&Sg)ki};c-
z8mkkQOT>uesjVk+#x0P)kg$TI1Io`O?ug{)VRYXVn!%`2d;`L60Z0i$5rTcf`cP#^
zlTawgcI}2tD&aw33?EgKpp2)#PzLxjijolb_3R6V4&qDoLvDdI<^S^ToqhpYQ|Lo`
zh*(=ADX)|L1s{J`&}0gU)apiLe1sCaozUcGfRjM+Vrw4|<9kQOKw);9)`~+!Fa*TL
z{FadJPW++jZI_LC5f%h~$_0&-I95VIiVZ329O4iR#T@zSb4bT`2JUYtl%!IoRjXiX
z$>a>is0YOYj?G3d@qqXu+rOa*hkMHKF82?zu`g{tK@114)6obs-tI&D#rF2m>-JYg
zm}cuiF0s^VrZkoE9FkPXznN=ml2AYztF7b&E6&2Za*bhMP&TVm)+s)|HqdvukZNp6
z2U7Y^8GC!~_-D|kj(!6i%;IsETZLzs3Xt+&6}(V}$q80Axr$l~Q1X2>CgjUbP(sKm
z6!k=HeLW*$xF@JL#9l~IfCF#DXymC5Jt`)cd18WMC58fR!Ezds5S3ARV2~wII!lNl
zQ70#<nBZ7gt*Vwh)dnusNBhb6VlqS>)1@`1^&y~2Q_?DZxzs}9%Ztw?JV?gB4pEUx
z;M!9sC`v5{6zcyAmU5xqPbe4JYgI_SDHVvOxl6*7D;25t(@v-N^2g40XS=)e9HQWb
z7LOSxRmP2Z%Uf&C=d;IQH59M57qdfbJt;PwLC{|SP~C#bKFF%2)(m&oZXMjE0?B>|
zjS*AUMpHnpupyQV43GdNzF|nIXfo@ziSmq_g@R+jrpnUnX`nhmVa>HHuxGj*eb5$7
zFXY<`-FSyj`fzPd;NZ#s>JCZV<rDh?`x6T7eF~gLSWHMf?zF3L+F-D?b6tS3408$j
zTIp-lCu~TTCh0Xd5pv)-=0qagJ!{!4!6zr-in33DLaNSI9Dsnb8VJjv8wIr>luP0_
z+g2#LwyLk7fInkD73NsDL~!PXGWcY_iVC$gghOB#4vD2QOyfY?P7)eGjB%i_r>&rp
zD~%cQu{vXEWM|6^BNADXE%R<d^?$lgY^#LE9vyk|gQiL6!yDP(31)-_XBxUbJktij
zxBI&%GYq2@1}LdEeXy_(?Y6QvvP;a&kAyN||73VXKHEa+DE}du+WxWqLE@nBBQu)x
zRpW^HlM5sS%eqr<MntY<`_7+Wsg<f9BINGop|CsAW~<^T&D*}V3!G3c`Jh`|OcOa`
z`A^^43Jy<{smr&&`fyBRoFU-F^JhD);!(3Qde8u$P$rCZ&FY75DGFYr5XC-b`mE8G
zb3xz@PhB%2F_pO&V<8EK#AExe`$V?rNq8i{`Ejd-uy3G0Vf0e+3=~i0?tvIGS9TYL
zK5p#m5t=HlU@U7LIFMshhdD}Bw5Nm}+n3XX@@2@6Zp#>Pksy~3i4_+QfyQ#(tPv@;
zWu@|XLjypLozMa6@WkRs0t-2`+8=EJ0vcG;eIIk~IhLaetGXZ3H1HBVNlb25@f8Zg
z?h}T&V8j=mX=X&38k8NAH7Hk)?M#i~6vbm~PTf7|ZFltlr0!u(i4hZ^_aFLrB1D&X
zgKtW1C;yRBgQfyP5)n%+GzLD2Ai@!4n(4isf>9vNVXJB@GlB>DbS9yklVLaorF%L@
zP)3R8N~WluV9*WlWtUH)fh3o~%jZV}ZL3lT8)BmD2Omvmg!2^tzEPnr8>t_XAwz7M
zZLYhj2Jb%az1&ow+6Env>l@7rxqq4_pS^tXd~-`SrWcj3+!lt)$Obs3>39NUR1#?V
zC_M~usAQ<zoJ}ygBwD7lvNNN8zQhLkL6TwY8dHL$SpB8W)B!<^uRuh}$R2jdZwyED
z(wr}-qk?>Tv&CILLCL)`@;(OY3=3YpdIkA>NtIJc*gcCJvtE>*Koc!nIgofv84e^i
z2D9gI*`NrAff5A+3z_OvpNSQLtg_;qXio#V)6nPw;{^rU4eH4gI2>6E_g2AWN}GQF
z%YF4XQ{Eh~w!L;$m3Di}%zk$GVvj4;I+r6P@z}H_HC1h2-%!WMdLeB}rO9*?r(w7S
zF`em3o$vzT+K$7q*aCk-Dc46pSzCFpm~{X)#>tMHrQP4owlXhg(7OwOH-A6alAqvz
z>jPMU{7=fuB(a#(g0_M_c5^QP?SdUtpkFSxy%3SeoVYv4Kl!ki`4d<-f~>_M9#MuZ
z5i50gh+#<6II!e}jZh{Wa5d-N0#3J-&^89Lt;|V5X|UR5P$H*uYP@VHgN|}S&-tu1
zr>bFC5hA-!keH|jOHit{C}B~i7Ihw>jt8{aB_N{_W|;$6*%^;#OHws+g2bfKUg*HV
z(_yx$vF-`^>erk>&<qwL2Y%@q6nXBPKw}Ii9~92AV-qWZGst*4)Nr-i3XGELVcU~h
zot9%qG{D9o!-G?dg5MYs_+6|787F_@KK%HGRA?8HJkumV0-p(n1RhUIVF6N_2{|Ci
zr<5b6;98(@_tUI_v6-4Kc|D_{I`-zKIgUm5i3ZB!8Y+T$s|aR4(>zb9a?p9NK3lIU
zX8=c95Ep!5TUt8zt?x;Iw*ZYslEF^5K+q6tC75sN9T6jx5i#{8=E0hQw3UU*)xgPE
zP4SXSS3%+K>SokYw^TQ~Pvn0&4i(9*w`Dt455<9pVnICnX1)DLQ6;$Q#X+h!!~%IE
zj6}-tjXIP)*~#$|hH;db<51cEnZcdWqwNsQPX{1nh6f1I5QkRlp4Gz>8oYH&BsAEa
zEo7i6NG?6bgUl%J`1{#Uig9M#&{+2mU4hRHwdRKn0rfI-i2Y{W^<bFt>5zWT-y27w
zK74!{(5GAQG^_hm4!){GbvmJ?P`<~RU0NR;hr`SvSGA|VsN*n;<YtXkHB)Q>I0>+i
z7`LY5ga!`&3g<QIjV(We#wksi@qUXlr!@zY`S;SNlPU*5Q$TJX^RB?@PJSu&qi4rp
zUF|ZVxAW||V%-Mjd?wzxp8AzLcP&<sakezRPkJwJHk6ukmNvG<eR~BXJ(FC&#7C7R
zcx0oGZ1j%UXeF1rHlC<8d{H~8&ag%OdI49g<yLwztcUZtZ9Ou+8!|q{k#5HKz#i&g
zU|8F&lmQQO!L?(V+}RgZ-i1EpK8=!8IaV7>nDVmBe(8`N-G^4>wJE3%J1<@y5%tDT
zQu%W`(hdwkP_Q=&s?XEZ7Bva!6bBjjidRcgr?FaV#N7fIi=UZLqmZbLXy(8u_dCaK
zvApFDyo<vr9L93P#6d90ALRZSv?<zn6UOvv)(T>*(b*Quv>nj^hiW`Y5>7kX7u#&x
zRh2De;*^BX^%0En8>dX}&U9<$+*Gk5$9>KW)$E$`1;h&8I?8q<_t%+TMPmbn+?Q{;
zWmVg<xkPDoG4}Orj2MlSby%ZGH?vU&76L3cz1CNbiOt*&9ESAj;IlToT3d{2g^U1y
zPD0`n<z%k{0k~z-5_o0riN}ty<I7irGJ}^Bs?J}K0K{+>Rp3tWQ=Uf|<oi}tB|^fV
zSbL+~XEK8HmY>GhG^?<!VgV@)^fYWKV*ta**C^P3ZA@6NQ=yObNQC(oTw&u<uF9BG
zH9cWO(xjkf6b8u}kPKKAt*8xfzVf=b(pCuTo^EW@5~2)eDxyICEj#77(3l%7IR{6;
zC(0;^LaqR|GZd=x0UUH37JX1)&-HVeaZ!bFBQ$gF$*6J%W9rO5D3m?;oXFK^Lwa-t
z559cD)4r;=1vHUjTT1oAcuU)OB)7HA{r*+SpjyzZ@gQfF+UH1{BDGQ%l1m)RbtXxN
zVH6PcD`9kq8yO6mdV$-HysQ&XchY_0R90^`Tek3t{9R>qliCeI;XV%0)IALZNQx(f
zJ^4;jEloxC@<j_^gh-e&d_G~APiPqQ;ia<YC?a;=_FAnB;^n}3aXZiyCN#o=5uZyc
zpiFKio;+!pch!FNxlk|y*EvG0Iwve@hb^rSBupt_I8|i8eTHPUwnRp|vWPia{i*lk
zD_x*`8kNCuL}Ox>RR#Fq9OM-gRO`F1RzM#j-Ab-os?)Jc$)ulcn-DP2aG&ehkaJ`B
z&YpIKJIO|HnrfCd#MWecW5cVi*2wZ&>tyFshAHpnnD#8cc%r@e>{M&_Z#9E0cV^_c
zmPfRM=62i0ww)`UECtoSQZDRRIj}U83_8&RLjg(@kB%fdmD`GPEXYFSj?gCzToSgF
zAT;KJA!6i=YRaku#v9J@{jmg;hug{WefvwYRup1MhQFp`?6}asMdQ4X;-{<+$@s!?
zk-rGh_={=(=k}K`d6a6qBC50v9r*gyGt0336}s^3<@PrGO$AP59gQT1?nUmaFcTk+
z`pxkrW@;}d1v$~-6502e)tS{RWRr3I{UtFr8$(&)LOOnUIF<D!9=_9b{Pk;FmY&d*
zZSc)b3H~&SkW`YL#$0fgZCKB%*>kKI_i9J%WqdP>fZZ;K-S>Jw&4iMcqSqe-N@oH}
z_Z6db{Vt4$u~`=LS=$w(DdsT_vzfZEGxbC^8IQdfU)d$*T@vIW8xAxg+DL0UJj$h^
z1UngD1ey1{eg*JHiY0Zl&ko)m?43i<36R<a!|s_v`xfl&o*lq%zaAXR27Dw?NXMNC
z;#p%CSq#WVR(%Ve?!7xcKG-{dx(Vl{$_^kGoc!rj+k}I+X9uti2gmyo0{InwIem9j
zQyo;y4O4-*3hI~&Ni-Wz?GoR9x&_&fp8R3a`gF6MVIeAF$}tN#Z{(A5WqN48-F<!V
zwq5#IU^{K=GjHRBCA{rI2Xb^5!>Pc$uA4Wz@82BE@8(RRsML)_foivHj~6TAGS{$<
zW+OA_1+!L2+Hy$d8em#c?bhng%DV-C8NGd0Ri2|PSF6j_3Ui&xT%$At%qsB@1h)Im
zOZ52M&EsYYGOU<)kKdgioOQ%!v7SEW=l|+$zj#^B|M;S}^O*nfPM+_-H`%?Ul9wQ%
zjC@xU5@M5512G|$;UP9TytH}v`|n#VH!K3hxvdQca7mE1jn--O@}tq_b&3lZ(J-V}
zvXlK|t>0)P-4ziN66<Z5F}5ooA85E+=zRH-?O{8aIZA%umwv~z*wK+C+5@JmTwolV
zZ0pMx56B2QA9RL1XP;ml<KXMpC16rwZ+XCsA+`vY+@^p1+OjZ85oqD8j~|8&sf}&m
zKPt-FVB8%3_U5MQ;+(?RxD#id{!;$t1*O(tW=CtraPsc#{LSgX*~RYu(c$sM$?n<N
zZ|_d`fBtSmst>*hRg)&l)$?+zXdQNHQOq-4-w>8Z;a{A_2@;c^+h3#}i=1I*u~k{P
z@7Fe5D^L2D&%yHo?9%{m7I0jPfI66LbcBXz9(o=UV&>vQBEgVgW-iH;Tb7m=vppr%
zqqakn<r*#(bMD}IECSCHVhSFSzp&)n;^(Kw_!6_H%`oKYon>v;>Z?VPhvUni+b3`G
znVFfaHaM$p!!D(QrQb4$O}*r*%M?y*HVrTFJZ*SsY}(P7`dQgKAtzh#JTnR4d64iw
zLhw8l5ZBP$;=NZGt!EUnOaLV&IUCn)XmoA?1$L;*+5+xSk_Hk*^1@r06rE}6jKn@J
zooNzowf30<MtzXD$`o36Rb<bu@>Qn}sS3fKT3VF3RqaC6=U=Jd_E_AsPzc+aS;f4c
z$(bx1t!+bV+8G|L%~OS!NJt!pcl>Vu;NtM4#O9QvO~W-@WL`wzh=1Jvy~70(Des^l
zU{VKB@63;{?adhwPTrlKmw;HMd!Arlk)G<$x(0l0XFj<NXMWRa4`c)zI%jH$ybV*9
z#Ww-IesvgAyP7i@LU337cLx37c?uQZWw>}it6bBV`d%P3H-u>}v1Qq8A~XeoK4CyG
z!dDQHI2D*zM~NMt*aKsmYqry}W}V;ExwY~hQB<Z@b|0P=B=x1=kb<rn(!|rk!Z|xQ
z{cyNfv344F+?3sWd8sd7r0`)XYvcxr1N<56LUYf`I>h*JY;UUB?a2R_*=&Ec%datY
zuS(oGiY$FM*nT{Gy3Y<i7jRfh6moFhh_Wlhf@YM#Fa2&q>R61?egmZc?>ixg-p;Ge
zc4xcOdq9)iT!krZ?JAITi9!+}fi*O;rdQetZsb&C51DczQrd1OKZr8g&_?mQKx4QD
zK}`nRYhZYcKmS7F0NNh==RboVzPsiVwDaO+-|iEC+dVx#Jbse}Sg4e%0T$R7IDicY
zfn^X3`OHG__3LJKUYq;X5M`R+g3)*!PJv;mr|5JDf&#jv#Aab)IV2oN3<wfNgH)%D
zaUyLxtsh7{qM405pg!-o*F@z0_uUD-@&xUw)CMYU%QL-rvKP-OS(wiIw)hmEO8ei%
z1cwP`yd#ozTm>-S{`c(pvlnIi-^=aZ%SZd)T|8gDbiap767`kC--v`*%9NiYi57o?
z`|y4D>(`bn)jIf`nBZJ(o--#~%0$>{nR1?SMkz2VEkC@xfC_`u-XuyA<y$Z((Y0hd
zERB75`Aq#uqBE8A0NP&Om|Rqb>vg|x<$29aA3EFiA1MmSh~NNFlITQ)t>3V2U6mKI
z4>=GHL+qoJW93%}f6tD%j75^*FyP9gM0xURMx%CP8$+Fuz*sL;#<v9foAWV~OIJG}
zNB)#Ee`jTC3pB!*luh=>cWPMupPNsL17{{&bSnkjB8Ro`c4+_;Mq)97_J4BkKc$E(
zw5I!AhD_@J{uZf6hw4-i(dyIsU6zI3slBmy7B&}C?E(vW&5Y*&we@h@Hz6Xoy;bQ(
z6U!+UDbv<Ylq8HMj3{Er?$grF>)K4DQ|vBal11xN)=q&na2#D?wnw8xQc?SFKleJ%
zz3naduU_Ysx7~)$9!ik9IE!H3kpyU3>AWGr0w&vQn@hH6%)6JpAr`3DF6=)_J^lZd
z?jTPG()skGauK++UDP7gtU!J0l%*9i*Pj65pmMpIwW3QY``UcWs)FrWmf|iA{kI**
zwQ>oQo22#+ZD?OKB)vL1kyL`&?DZ}xv}N7^j9ofgqs+OGMy}JcI&E&hamrf-yRJs2
zfM<22);&|Ov>C`a=dU=7V5igT0Z$WU4$})Gi_6m)Dz*EZRL!##nOQbtrIcr}_rQIc
z;H}m$6<`|wNzuYir?(9O#XNp0Y-d2k7H|qzSUGO0j5bjc>MQ3IdnF@J(RE12#P76r
zLr$%G|5KqH{1M1~La0dJGVu`oIkg_N#wSo^vyYAUNj_%|Ycm%VW#@qvA3McMicC>k
zJSWfYfAYSf(0R4XldC4qbGpws;rvdDM76k8cMZEe+^F?NEZ5DoYu1R)f1D)=p0}3l
zpN@&4LO>Z*SJbOGOm#-SQvCuREA0=JRmy!f?ZK_fP#o-r$pjsz5%jiKn}kMaUm4r0
zVtEPdHpJ?kV6%_|y$NPrU1~`zJ5`rMb5+GUJXgV2iRs#cw}xwbJU<t|`5FF_l<OE5
zm!jOPUhUZD7&7Ogp$W}3!ihUoOXA0=s_w^GmflpQg_tP=xT17nVu37i^~$-!HWqu8
zgRs$%-3kkbYtI9cLg^)jYQ6fieDL#zow-aeyCNJb`BEz)tGAe!7mC)em)RDZZ1ju*
zpKI;<mZt1dHIvjS$rGo|#p7(6wWf-GP0giL|N1r-ZU*YAK5h>lw+HvWJ*eJk+mO_T
zJ8n~a;eyOeWbG`xE1!@;BTKE#a?RQmnRTykGpy_TabZ3#%==rIZ^}Ni+9P$o(a!Z+
zZKP%tZ`FayVYOjHBw_PLzT2!-IZ7p~(OBwlLF=_`R2}|1ei@rfFh_HRFS4G+boejq
z3!8%?&-6LppsLE~QLH>W4Ut-j9W{*RgjdY<lPCVyXE}36TDX+qsB*B?7dKQMJ`|{-
zrd}0Ql+4zJn(Ltti>m7TB$mRNd-KF1+*RIEu^4sL)f!;VR=f=q&MYzAM}!h*dD+~v
z^Dh>etD49b=HZqy*y#L1Ld-jFLOO)DzH*~P)$PsdQu#G4?ahjfQ}HsB?EB1xCX1+i
z^~G$0A<3V*AA5(!G89_8{i2#Ot8d6yOqw<I8qlV!>6ziIcTv}%%y8Ky@l|H~%`j0R
z@+v{KdipZcY3jHW>7dnSyjTIFb^D5ao#_5h?Ikje&J0m`RxUoybCNE!?^PjJy74+R
za@Ei+>Ev_taR-sIWcgjcWvs<x+@yM*bnwd;?TYy&cinSU7RpLzqfS1Gnq62`i8@nC
zviztjD=r*Qv5k6wmv5`#&=zC7yk&XB{(WJ;l4X}NF4$n91qTRj-h(||L-RoouI+NK
z<k-3Oxnn}*@Mr8pGQJ>OU&yV!y{qcF@tD`}M@mKR`rV*6x5~tIFK^`2{Uvt{UklJH
zLXb~wA<AH}f4GMGBX}d|(nM6<kt(93+sU*I9Ki2zeQl~#6fYKSre3>pxOjKSTx)`J
z0m3&dZs!O|Z?5Ia9si6`Nv<^fhw@>XQ*E<QuWYB7y>{iF?SHo0GkxU?plLf5mbAH}
zu~akHj^>^n<rk^cH#`?vbuG+dY&E>i$KJ9yTynfFI%`op&#1U8s&9<syC=)W<C=@O
zIh;?0nB<ITf}Hyx^J~!FtJGAj8Zjc0P=VWq4Ry~av@i9~Y!paLI)Zk@1nXDOHp!#f
za^Lp#>s$_-H(#23F-`CxmndW;9=D-mljs#Nqc)EEOULvI<waakWy93D20{OUqHwdi
z_N+Ryj1#YOz03lewNtQ}1Mh$JI=$yh`PF7r32l@l)_Help67E`vWZ`_1dW7PWdy%M
zELImSkXQ*nv#pCTmz1WjX7FXf5h4qGaLci3*+G_Rj6?rtl{>roi@xsJc~_~d6+7vK
z0ZIx+sUs{VG$?HKZ{AD7llm6zg?;(U_UzbY!GBQ_L;Ig`+bQZf(R^9ivW4TH@rT{F
z?+?!4!|vO|{oV7!cgOvI#_H_GR=HO5(_rpDn30*J&Qkd~$;J&H9F9QZw3D(>Zs3(O
zwwPd*od*IMKNUugnP8J#yKq&9th)q})X$%@p4@yl3N{-~pzb&{X>OuKOpB#b7H)3V
zf7Um!Zt8f(9Ke1y{4H?GDL(TLef6=@?y!I%6%!cP;sXWez^O9;lNX#THxd$=aC4K4
zDY3VNLK>4lQVdsUYH~oBG<a|KcTaScBg*t$z_Q7v7q+8ROgsgTx}^Qaba8Ta;$*>q
z)7QIuj@8?~7L+bS0BUK~Om@N(a}HHZ;=zW<Hy>tZFR!x&PC13e8i>iv&`1oF1(@mU
z&dyZYfGf&A&6$jO_o?X65OtACmb1~kdm<-^GV&*h$NC+?ytxy^9Eq0Dz;-q#G^Jdo
zxk%eyRisr!rOXv<22-<TXAyMYk(Lkhsf_>44z4;=6x}=mcz*ov_Rh|WXXW_cXOHo}
zck?)@k{-mlVJRh3_35Ev>^V2;!)34aiNrxaKQ?MbSfBt2)Nes<;B1tGsc;foOn;7&
zq`sZJ4OLb}oz<5%L1|fWrb8<GGg&$uo1ZE;!Hfu%gV-&3X0A0V6rOQZ$gc4*H~)N{
zy=bc@*Tllz<80&3?h!WO8e$R$I2Q0c2hMEF^gP*(e<K=HyuDf3&aOF!g=;V%?9@4+
z)Di4gecxE2<-RdgYrFe*pYU|cW{7t@^AxfgHLnt)$Y$Ugc#J+_U%N{G>}H;?GSBCt
zc=5`dgEzO_QaGDE{MYEp8`P+pS0n4@`OL^3X5x&0lc!Stm%L=W8|niK<bUr)?|D)F
z@ARI%c$EKl@;E!IIt4(^ekbUDUoYGb9Cxge0I&4a+Pp>aUG3rZD97(sjw|=Jg|uY&
z`&?m@NdevDT-wtBQImM0fspR3NAiBd0;-b#7yZR<%KjJf|5wj<X88Z}7mxh^E}jPb
zUq`lhI2LT0P!bDId-kby{Dn`p_#dJCe`oyXS4TV)-2X~aq1s9ER=0JocjcorxC?18
zPY%qbDNRdCIt)pS*mOUWD~63HNKCfiJ9Uwc!^gjTQTfXCcli2MA@e)iJr?G}H4I-q
z$Fc9CwVI<Z7HCZt$JeC<omZ4}g{5NJ(Py2?9cWH7jigc~|F<_-t;r6!i2wJVy(roL
zUcGv`{mB3C;;A@Uv0jMwz@z-WaD&-eS+?WIZC3Ono4zBZ9n8ga)?Hq$c#S~AZ01ry
zH7C7q;(mM<K6Cj$zx3B}0<=*7-+5I&|9RPa^~nG4;wf>dGVibB?uO&7u8!vyZhpfo
zzI4rPGma1U!{#%uxoUQ9GsrkYDmTXy?8{;5>$n|rez^^sl^zP$<2aX1RaPk8@32{0
zxOhpoQ4@+6ch3W^s(JxU$_-qTqYaIi2$47xD<6G#_)onbUzryIu`w1W>UF6+cW&ih
zj>hYW))r7V`Rl}}D@oo;{$I>mdSeN&==}fX&URV<-+B3X|KFWFC7xAzO_C%i&Grko
z9u*`*EkW02wN*sEs{Hu2<;J(NHLx5%p}|>!heb&Elef+UEH?#>v1;y>vG;rLh9SKI
z5)Ww_2hK%^+;D4$b>}bYp>iUl3ZVxL?*z;1jTnuJ-InlWp9;L?9_>rq5Y~sbx+APr
zj8>>$$e)vt_(Wv4zHkd)G3X(?D<%hjb_dwF>C8IS+bMQaQcG4x+Hyo^pT<ktsiNd8
z578xVRgS?DXToTN#RR7uxX)067tp5CAntL?Tq*x&T|aNt{`abU|HsaD@5Q72?@pd_
zgjViVUE2B;ql)Ia26u9O;Y3|ct_m8R;Zfj!69S)+OA_KS4*D=cA(u=~2b5<!qo=+#
z@IJL~bV{l0XBHJFKB%gDAtF)sRYhIw6P6ce^k3?RDEVeWxiHFR4uO1mc(PY~adNny
zzhG&+%inWsBnV3-*M54Ga&aoZ9MkxeQUxK$Z%LefE|gPccH^n~o+c&`7lm&aO%q<-
zqy}FdOJ&^MgNVd^=(TbQ_PGx)U%Ytsq6IMGs=akJ$1n=s#o<&AOdU^6xxkS{$wJ9e
z&HpnYCgHpB25=GofBCFe-v2#+_IUn(C(jD!KRI=rO6sUF6-G2Bf-(}1J3eKYD#p~!
z42UO%MphRKGv}o>P{z)Ehb>3Zt;~Dz&C8l57(qcmq<lc3)~)l}&hhd*d*Zhx)S9A2
zay$e2*x~!$0<zR}@SU^6mF?*ANeCMjr<?Gd1MH9Y?o3w6|K)CHJ)uA9S;YUJ^~(0Y
z7tgjI`Tw0frA6#SMdn)kDGhOfx2sY%I8i6r&#riS)bJlPGt_Kp7U1H>Px3pI5Tp3Q
zM<*_`{ky>-rz!KX`dZ!(5^RfIVm4GoQjSYCmBA?2aT^oKzmM<jLwIWW|B%FiRNn63
z{Qr4x_Wb|R{&P1^Q~v*2lf$DJ_%{&)G{mQPBysG>_@!sc%7{6%(Bi2|F|Ov*gM$0W
zuJ6+{7A<@9pnA?O9bJ&F6*kM)-<ak)?xjnmjb7FD_kU?IQpx|dA&;+X3$W<?zxQm0
z|8MU+f8_sn@qC$+X|tH-zf&Kcp^H4S{0GhQwcFOa1pSfX%;~o(u}%ih%r%lGU(z2H
zWwQ(DvhlPxH=z_Z@7X^+dlg9eT**0`*MB-!8g?oJH)g!I^3E3a(WvPK*H)K%b;>M;
zp!)8{Mgz4Aw>AM*;ic5(FKiE+Wte4=BCz$97sKY}-??x0_V_G#YUID-bI9mZw|)Mz
z{p@A={O8%r$N2v{d0Y?O8g<$*lu`(1h0Z-sK`7|^uA=Y_Oa3KwoNq-@_$zOR{&LSe
z{%?+OZ=3(`yx5-M|IZ)ye|Ph&aQ<(o<H%6QYUlrFg+{8kj*ARHRa~_O$oa?rOV#~%
z@e^o@x@tdxCc#9tEzC%tZ`89O^OwVMpo0H1XMv<D4yZZKNh~nCbY0Btn<fN1TYJXg
zx)~VSgZZ39n5H7HTzK6Cpqh3HP*u2|gLVF%Ju0j=<d#FNZZS;Z-$hTVmj8Jkdr$ei
z-^>&|U;aPqz1rR``+x8B9?$>o<Y{K%Y7*&Hclm+i4t{2eoK+f&+YLit6h*ebW#K#H
zi>8Lu2{ZXxnd7CL8FR(><9muet{F3`0<Vz+qLsZy)*LSreLle`2r=i%e_ByIFUT=>
z87MeUO{qJUGBfc=#W*C}yn(}6QH2xLX66a`grz8}W#g-sTv<yFeo6JVjISCBOla_S
z{=%#B(yVT%BG|vQN*i^clq^Hu71|p2Cpbt$%-l$Dsg^mfH9M`V(Vo@7>e#~UWu*?_
zFKabQjgpuKcsA0|eOnb^SW&l#s%A>9VKAc+iHUHo>$h*}yUyyY-mRb^W@SonUe<T+
z)?B53fmuXi)xaBue0+i#QDIm#4qRB~6)P~qh7B&ni}4WL(=wxYfTrlTSRm&@He$vF
zs@$3>vkW*@Ms61x_xtgBy;BxK>D+IssRDl%3?0Tq?CE>IFyqCuzuEgfvzu_7#@w6A
z3OD6sy-gw=tu<r*$-nrMhz8lQfIa2~wM%sYEU~YL0WB1Qj<t+bxgk|KPYO^c_E&Mg
zdVyAR$?8nhamGY-6l8&t=UvpQi&uvw&uH$(A-7n{@zbp^*yNRRO{+n$HrP8}i}BbV
zbcZDF@=58f=YKA}xh{oQmz|L-=DpCpe4<YQVdmn~s*38K{1crBvMZ+*=J~o*->R>C
zUK(}a(|A;kDupgdTkvXo`&$5ZMB<=HGvGy%WD+rf9(WP@Z2xxBC@c-WCu@1ylSJo;
z&fzS4?C=;Rd_qOL@H(Vi{4k<v9JJvY{#i|D_z&0sLC@5Ugs?GZDVD`d7GMgSo6tt7
zpzT=%0(?en%)y_~s~Egf7?1$GbkJA-zJY7-QvqH8ZD@lx+8I<pS$ETCspUBmF$eYQ
z*Zwk+vj9dFfz16-V)RRM=(@$@ox-bEub>;?%PyZpO+dQ+*{)St>Lzhc1vh$mzI>QB
z(~B6lZtX~}z*061eG||UEZ9oVlE{=##wPkr7)hxzPlt1>n(yU`HB?zv`)25|Zd9{G
z=8US63@eqn#ao3c)y`~1lk(=Es%&{9c_UyFMyR4Kd(&-Re&$nAAzxH|rhk7%QCu8m
zS!uO^#fn-(wanc!&uC%!wz&d(cdLFayS0MVSkFxu4UR9%+M%A>*N5lFyGMr?`v<Sz
zzbUOSWpOmK$YR8%CeIPHRXT(6-Shz-rsKM#J+{A-cW38sP7luh=k3LZcW>Vx9bD`m
zo>uqUZosVCi#j=ZcY1zt{Ql_m!JJ+e<fCfOV_}WhXa?Au{oV83S~Sl(^6n#n_6e)Q
zY7Lhy<Kg1;;N<P$p1O|q;^^J}K@BQ0TYkf)-k;TBwSk9iYJ8Nn39EK^4ysd*t@HCQ
zBwR>h1yE0R&(3~(ce;P^%i-I);df~wx<evj6cOj*G8=%=UEo(dOD0unV<RZ50Q{wp
z*33Q{w!h=4i61II^BK6VeO#BCOFp0Qw7<xsdL^3Nd;9+E{NVIr_vGZ_c=xDgQfiI?
zP?G&!lxsDe9qp>Vetma#K8MLIBjV~iS;%r~o$NKknZForH8^0Vw^f&3{>OUP-Au^B
zii>Urz6ZSGX2#r9(O#^7FFmbmp3NIh;x{mNji;=Xk<cBm@Dnd@v%DX-di%+8*)?I7
z8bWf3W6b#pqr;jVS)oV~TKqXbBFllRFib+NaT1Jya^~ec^PAl84v|tvXSkSdP(lXD
z_=0eTQ7{GXeH{y~)=9uq7P!T|yHzI8+j-U5?re8@#w^-=UK}#1F+8nfP-}v4mdTh4
z%l2`Ird3B+MLMe}U2ZU`Jq;^1l~kXF=|^aXx5cd#3znPVsqbUX&nFD?2@Qie4V8<Q
zn;Ib!rVKY}s$6vWU8$rJvS4)=%iP`a_Q1o{Yrb+1;R3m*L1-7;Q+h9#CCL(YZbXx%
zwpJy|QZqN8%2G==BFj=+E70XUo98OZ$s%c6v=lB-P9C}qvl4=D(K<Y5SZlfXHv3$8
z<!u96D&1T=XW}ZzN!GCdFEODH;?94^!?5bM{|2aA6=SO`zT6J~!Qm@awJP0vW^2~l
zerFxD%5ZQJU?157gB2Y+OHI{zbyj()mC^!N;A;*~ZN^VEqb&06d|$M}-l<}qzoFGI
zAAd6oA<NQSMBw~wr$2Kxe<S?e79U-ThpvPO7lc(1(nw<0NNbxQyL1@>4oDjH;Rr{R
zO^b_y{E6R^h=@M)-jD{+x#8RkBzlcB&tQZvOQEC833<8jBG$>ve5tbYGzpNvXM!Pt
z$5V~SncJ(1g`CT)aw7o#1KOupr^9K_tC*Ps7!5-bkKd~zeTdUAY{6W9UONGodGhpg
z8=+&v%*rm`Fgr~%&dP2_Gv4?5Da94!4K27u-4@h$soVQ^vkTN~31sGl>--FW)b8Pk
z24yj$!KoZrUZn_}jvlMBcvp~ZetKKjvi^}`UfxM?L0RUQUZs|jKPw&7Yb+?HIdzQQ
zp2<(W#>lfp@n5%}|MA84i|w6q{;yZP$NV36^4v*eSM7bj>fXA4yKG>^G~;@V;c7Y7
zA0xch8R6A?=sLmuhnAVEBp+kTn#Pu82!kqR%dGxFj9Ff^Vihd%;HznUVc^;F{e9yB
zXa+Y8BG9Tf996ZOPtq(HbE44ZbnnEWt={#*NVGWs6l2j=fZ;J1tsyw~7>u?UOeZAE
z5XNIT+G9A{g2Ug(aI^;-;q@4f_85-#7>@QBj`py_(Y|?)g9qo!(QwC56OfiyapThF
z)LCX<+W@SUL(>-5pMl^pHtjJst+d*1IW}$mVPkg^09R(y8Ca4R1jAja9xNFA#o_Vc
z`TpyR-P1Q`wK$*K!E&)`3qbx2h5Ljx1^Tz$x3$=u1GeepMt~F5(k#hW&b$QoZ142&
z<orwp(KU*Hs_$VL2(t*G<)EAwYf%AZT`$W!G(MD=${8+RbNNU;Mw>=qY61BehWQwV
z={)NS!*sXbPIO=)#o{#fCyd54<$E-Wh=4X7joO=wFnIQl<Go)`-yOeue|E9=?&#?7
zd=8b@rFWd^yP?dM!ny!~na{;C%<Vo-qq7`>EY0K%qpxo>(slkcKL(3F28%YNmL`O}
zw4k|t;qn-fdTSA>tA}0A;AQ`HE!iv+Rk?zmrYs=`@nvPP`Cd7dPB~e7jxWw;)1ZNQ
zIQpNr7YE0?uiqYAyxreDS-jhwV%~;!Omol*_sun1ZG|d}0hEwkoE@Bgn8OANO>@jH
z8*PYG%W~7*tX;XuUSc<|;okf8pn>ewaQhQnEo;lj6XC)gwFTh(ZH+S0?p3gxIB1Hs
z(}Q0Q|6fDAF+3ulm&V-tUmEwo(~;9d!wz2Wo*i85A2;hk@`e55rm(+0Jl=2KG>L=R
zrY#rLN>Y@F>1?h1Hphj`umIUNATSEoQQm+~&klA^_kO+DJwI>EJP`9I7f6W49K`hT
z%i-Je<}6C}G9sa9&Z*v?zHQce%EB6XFwaVBh0F)U_}<ZswRDy+ygZ<$k}PtfaLx)!
zy;S6ecuZ39n55z{NyTH5ipL}sk4Y*XlT<h}UK?B+Q2!HV9*zZ@sypaBeIB9$Zolx!
z7XKrZ|L=_d{OZKs>OyBeBZ=U7bZzD5IvvGNxuB8i&*QpiiChaF3iW`lu*)t0s6E4%
z0MpZ2>1xnc)SVCWUpKwPk~X%-#47)8Zcg7qMui5{c!&8#Tz{%16O7bWT`j|iX>Khk
zM#^n9%`s92sdP25GZs5*#p_mKvHO*6b9q<!Ld``E@--v5E%&Ip_AA|_nmI|yQs3E)
z9rS-zk?@4!0NRH!P!?bYf`T4_od=lG6k?16`H3gkC!;AK$eP)x_LflJoY0GLNQWrw
z6!u@`@|*3|&kgo>&v!4*-n~EFJGgj%dRS{}Nf?R62-?{evHzbz_dof6a~?)Cz&{6s
z%h4-HYTV7u#&L7gLFQUds@$=h?4F(7>p@i+m<McjTqU=3fo|rVRaOG&njmh^0yPmL
zc~j1y1dwRSReoD{akYLHZ5S=vS)(nZy2(|ykJYW+U>8~4;Egtu)lJ^Nt>ZojX`L2`
znl^7rO6#*o)U>!3VtP!YS*L<&`@oUWSLPcLsz|vA=ZxB~*VMZ>oc2Mm)V1g#Hs*c!
z*!Ilkyz@tj+0>H@s=Wnmv+FMOtn%@+e_uS@IR_`Ti*n}J<fq<`uj=_pPFgF(7tB^}
z6lX9q*1G(I-@?wbV*B!#%kQD*^81z&T0Rh?aWjMQO0!x7Y5Cb)U`JlchP>*;R=}|I
zIA(1>i*hPf)o7AbvCzHi?prp_G?udqW$a3nVVe1NvvpQ^R9BdXE5CgvT#$IIvPM=y
zUo;+Pb;XA~+hl+CqWeaDs2P(lj|)B^@Lh#%PnizZpNiCNdJ+CMYWsEvXe>vM$v7XA
zal(2taNh4zo&WRF&l2dZApz+8{GZ#sXWP$a@_+8Udd&ZM7mu6&^Rj2NdFmulOJwq_
z&%XGL=ki>fZF45e-kqo3v<zCOvD^z&sn{K!w4@j|fA`^-#<*253(WPSOqO$-6o`$n
z&_;uq_KG<zmmz{ivwGi4=$n3O`9H%bSV!{b#r*&I_RH-u|KEP`;*tN~#nUXvTpj(|
z)PW9<>i-NrMIq*XuKAhUM0DYTQk$plnEmFJdO4paxIyzOGjF+F^|IXHTZ)3$C`7R@
z`C)^m!(xSUC#BExx;s;P>#5X_o1iSLt2z&aLcuaHnMi2RdnPhwy34<m+drlOmb||~
z^RX>jZaw=T8^0Z`M6$GRTO;|_(t(pvCEI8URspK2hH6407pX{cBkb}S7hV(xbv$DO
z|52>hb_=wPiJ-_B3Z0eOtHqgwVPR(rIn4|-?$<`DY9;<_`)fQI3&xpoD`${72UGPO
zz1Bf*sZgQE<@DY)DZT(R%OGQwSqql&6^1ff>`Q%?__b@)kYzVl%=_QR+VS|5pE~`2
zO{%|o7V7`oW&Qs}@7d%1FL&}RquE<0-rG{`OYN^!w=cDQhsyn&p6^1tFLl3m^}f{p
zJ?i(5s{NyC|EStOs`htb(*E`}dvkA*qyKd#IE=_RrVOuF$5^2MZNKQfDCvLCUheEX
z>VJ3fJb@D=1ZFV@K|#+xTupEc!<2*piN}y2{}UQx-f2C7^9kX=(?qQ~;1e8%Fb?TZ
z-&988@s^}RB*-OJe&No06bG#*5aY4-jNH(ffpDN5BL3HA2j0cu6lkn!N{}GI3_=p)
zPOGzjc5x;s!>uQ<r(_p=*gJ!OFy88niRh~TYVcc~;h(Il{%c=M#$EXz`;%YB-Mpb8
z@;{{sD9^ao_Z@zfw7%~Q(Wln;9T6q1@Bja;C-4C=LQ@Wh`v<($Nf`YX_C>2h0*t!4
z9HamG7B|Pv`aeC`-9I|$M8UfIn7jUWdcB=j<^A8zs~5e;^?w)76EL|s&;I9atMxJe
z@%zR^h=ljM-K(oBH}H<Kad#642NVMx%5~uBB~N1%=7D_?iqRNHQcd7fE^q`J?@sq$
zADwOL1&?CDQ8GcCaG)_L?_5rXBqU<0v<Dgk7bp%83%KXgC<%#FOggRBFO<QryIYVb
z83!C=_$VY}VmP5W++!jp=}@Y=S>S+D<at*xjJsL@R>Tx|6SUcCJ$VA>Z~xE!>Hlf9
z27`f5V@^Zd`VOR!R2=~d0x-3~_NhDQnAdLKwknCaKw${c)H4zrW<ii$Di981!Dx{B
z61%OI;=Za27*Z;@U?|~$pmN$OhHw7$jQeli-zEe&3F%Z#7ma0;e@};)#aLjjo9uVH
zpR!jSLN~3Z1}T?PLQF7x{1t~$4uKqRhfg-G1Ti$hI<3}ggEx&Y@KFpy3@NwbKy{Cj
zgy*e&GH=v~Hep1W3$&ydhveu8BrLF}+b6MwmUqCx;skLRVjP3OT<93pE6P4;7>?f@
z9{)c$j3tWr7WkM6&x~LTMq!F$5vYDo7>%%);8anvpo#2W;p6q+Pfm*?NEi(|gmyPO
zYJN``R#CK^2+Uh84|23auhZN4q2=j;?8qM=319wt*4g%kSfFR}`^g7L7`-HNJB^u@
z&T`BWhBOW^3#W35NIYVQ3zqsKW!TV{qDDJ`3SF&pno+5IsZpg+B7a({RXKVGIT;W7
zRV!r)azB@S>AW>&X1T+h6ly2fMUW*xGg5mSULoQ^PB(^+Cy1d4%lZF(<4KbJ*aVK%
z+Jca9!BsQ)R}d2<EN$9WaR5QeG&<GLbT_Tm-{AZ2&q?zA_kDOvxBxk7Gh}Yo$Uvb)
zcBNPM`<PVWUrs=3KXn5fVu96X7uyc;S0dh2%WKRcnc;|DVh(nqUDVPjp)rmH2gEt`
z2@-Z`<|LsfDpVC5$}p6jp;31_qG3p{)IiZN#N5GnHetiCfPS-z92&^`6%$NYHszPv
zs?lm)!|anmQt_>-{EeP{tiuB&O|AKv3+ukY#Ju{gYj3${+4A@K+!WU9)-?=FngNy2
z;S`Sv7i>DHpN}`HIP5EN3Wu^5FjMU&Grj)j8U`^5YlpJ9zJr~)Nf-uskIuTy(>>5j
z%oqtUhe1W<&2^1;$<f_5c5F`jYV6oF05#ajD*t<7$A(wvfTuyRM`gF7Bd~=`9F<hi
zQjV4K=OEAq+3^AfOC8)2_HLbaY_MT9?VuncafW~z3d)+ea|*g8>=;|>31y<(b^$v|
z5q5E6Pow0A`&v&ftha(4$BDB{JlAlVe^iX8ns!`2(Bz(|XPww7Um{=KYFVOZvfOYV
z$%Umt3@8S~7`jg(e+`3=zYky|pqQ)hITQpsTNNZ}7#fh3Rafs6Z~zGnxSd27J8pne
zJ-##SnBw5e@_Hjal{-2=--k+;eV@--Xh-MuVvF=Z+hl!XaHdVPZESmD+qP}nwvCCC
zi9NBCiEZ1q-q^Nv@}0Wp*ZtS^w5oP@^?vs1y;c_vc;MGlm(~@^3E~NB^eF-JKp%?E
zg1?mY#?E`<@43JSYoQLISUT5|%(hAm!CXMO_P~}twT1Pi-fwc8X_wW|AjJh|^O|hc
zHx_d079?HrmHrqvywHSN9_xrRM@b%Ig~8aOy0M-wC%w`;ykYV?knb-|4Rs^#Md`U3
zW+BH2!mq&YM752`00m2I2*$zQTiu4SY`zsnMUJs*>LxUIQVl<ght^Pdz2LS`T}4SG
zRIt!pv`TC!^c?jziXi?$VEbyO9%5%P<}5?IESj{4m3+=>v4RaF*8cb?JS``-Nx)PC
z#>J%mrM+-(`Fd9vX!c3cpy+{DVf2)5!DpCjRQ!RQ`LH)B5?Bb8MJko8B;CBmzq<-(
z^H#&z?}tJ_!s=i#sM$AO^dw?K7HIj)7`j=md6^v@jSU8m%fo;TCvAb)$`eeQC!zG7
zc4MFSh3ZN8RGrJWbU`7!I4L<WK7Dv$+iKY&Vy4OQSBhu^o*Pul-h4(>w)AH$m;050
zRA*S9y=Uk@7xY%I$BH_Y%mpu?l{{x2f~yL<Hq!#Kr_Oxe4)IY9inJ`5Eh%Hq)SVYw
zVQ~=3;AF7);ap>HbcaAwIc_UioZ_J76$`NTu)e1=lnKL<<QTi(J}Wmg?Tht8))~}p
zBnZh$5^VuxCVJ5zW`3~@yC`)&bA>C!4S)>{9Lr$wf}WokXAA&^f7Bp;u}C12>}~5v
zp3j(?D-Kv`z_6R$B3~&@x8ZwuE^#pWGeR2M6da;$O)^fr36S{m>DkCur00JkbNbxE
zBaRJz+4uJs6=r1qA&-9k6c702775;BJGcG6Kc6!hBY$bGgyQ+FStjY7>_!02m?zsz
zYwPk!Bk;ObRYkH>gtYe?_%BG&OIVipsQq6!W5Uw3I0zu=oC9B3W9w>`*Sq*_ityZa
zZAf6lj+n}^2{heFkX@e$Darkp!|{;W7t)<C9+)SydiX$b-)+5V^f@a8Y;?88-MW!4
z51#OBGV|Bz6w4zb5v@Yw>qoisF9{}uMNlAVg4_EWhEs~^!SoS$D7|J!wJIjZuUhpC
zKi8XxwPH1goPe-NQ0`G;qtjO4Yv6X}a+*ve&hcEZJJs!r%}0;O4F-Orje)7s{JDEa
zjMP@7Cg;R>I{8G%eKe9V2-!3>%T}ho&`x;ElOb}qD5v}b;0V?yabMKilB;d-r)?5o
z`#m8GwnRMx>a!e`eKCF4Ml*4B92IhhgxrL2p<1My*#gVv<65#jzPWwZ@RzSWDm$5B
z)mF`ugKu>t`qFqe@9ZqKuEEi6>i*N)GHys7G)zgaCmJv1NB*G4*~STe#2l1+UMsFu
z&jj%bOV7B(!(_q=m}g-%ml1m*`Ff6$7+pWbIrk7vMTk^XP!tppxcMIsoiW_W4{O%5
zmaOAXX)h+FRDaq1dn9t;;dT5QCF`-5E30-=%<)@T%#<O;PXz9JfG&D4FE7q|MyQGx
zr7%lIzcX!z8(Y@vx2p0gVED&qk`d*NkS#}IfadCR#n{awKe55)i(gy~BgQ5(5i6^}
z`g}I<88>cTQOX-lw_tTdNT|_?7A#`KqZzEm2uY3smorr~rC(kpss7YS%-}h8EvU2}
zbucDfmax#yzkeYJ)f40D^icNETKEGR3FqbLL{IG&(%VKPq!KCqhgXYgosRxDs(tSc
zXCpxyJ{?soCD^;JTLe04z5H)TWCJI>v|M95*&$?6ql`siSm3bq#$xO8h+zomU;q4z
z)lu)?fM7OzI_y#w#G{(@G|-k2t~p5V01ag+vQMPThm@oVI-g{N0dNr~L6Q@@idCTl
z8g?{tRJ0Og^Fa=KZcMpa7Sth?rF}Se{7USzXge|x>IM12E<L(S-bRb5Mix{8jU^Mc
zLBN3T@}vi;`_mY}Zx+s-kPuFs6%K#vu02dhOg{qH){*M02}=l<n&D`BvI(khR>*hl
z2G^7$C#W2Rvzs(}m>RL4%vdyBN5Kk4WBibfG`IHY<$&BM5aXM*6^F@!SVO($+V~jM
z*!Q}$E;dxqKnGHSvTi+5wGAKPXt}c<VQJI3!&Y}@AC^XDTg>7naFsJg6(u124gll+
zTf~U(p2|?dUUR8iG@blcBp353$%&uOUf)}tN-I?Zz3~-m40uGXo`%<YI8OAwdk&k)
zNY`=WUw7MlF3a^<i#YFl<gra0v!ym!do>+>M0a!h-t3BNN=WgpP*;0^-mefHUsiX+
zf!6f*aq)eSuD0HLMdOk;lpXE$F$T@4yXw|5MVM!}iUYUWd^@S@a^qf^h60b_hJ~iK
zNKzfxOI3Yj-4$~(cUxH4S=W`!*T=zvc8@`N>vQa<h(wt`a)*1&!kfCf9n6F+ca_LI
z*O_?5lLuSz(U|_jzpdwK-F`AEv<crJ4&Dbhu<I5K{SjQI4ca0LNjQN}7$R<Tyq0^)
z)%Qk=i`gauqhLMAp4!JxmSeMrzUGdeY(q0pv|Sa`nB-k>T?&{76Fo(>Oz--vC#Ot7
zDziz()y1#0YxlP#XM0<=q^iyDdn!79R`til(r!MDQ!Ipv(nR^t9@~1g&alDh^ZGY8
zFyErpny`d0+*p_9WnXZIhCf!inQ>_lPww+vRRI?dFfYuH?^M42=Z$MXS4)j#VV^y~
zFVGlBN>j9oD`ZD0MIwy_LI!%}-u(^sd^a0aJh+6Zq&-%^%qW3Fu^>!&e=QPW^gNIS
z>3&q2<W<B>AH28yx_m*!Eg~{sqIf*SkIUvvQ4nw*EgyhDM?Ehzv_*f;kh9@yWQpJ}
zHJl(Pa!IGak40hHq+mx<tIM+wVCe8gDI?&XYur){IYDu_k>kwogXm$2)*BG4bv2Xd
zWOo0M5)FRkRCX5<><`Huhq*ahqLGpP^_$&Q`b+Sx*y|ONG;@AB<XmF?$5J_mtj~L{
z*6C<{6a-J|p+9@+(PX5x?IQG#=u(a+MYMh*PzCPoGL^Zb@di=`oZBazn8Nc>dL4d+
z)e@Is*P+aBwPs^2RYU_9{0E?>zHyh?;m3*9-BU+=`$c+Iydx_yxDKY5F~=uHBschA
z_xFFtdEghc()%7&s}t!`+byZZ*DkE)!R7D%%iZ<yKgfTarQ-2bL0v;dWFYOcp;KW~
z-~TZ$FZRh07cH#9KiVj95@mQwUgFSPZUvcK;e!db<K5<`3$jlx=vDDncv+3A@f%?E
zy1Mx%sPza}UBj!1`+>lZdQn4-a?WCms++BG*|B0lC;x680;U@<qSK?8O|W-ZT*fv4
zwy24~r|-1rd}OM7K}mJ)3TvZ>Wow3jjW3(*RiVNJ028fbvp0OlKfu7qEO#A=<)5{J
zLx>f}oD`pv7p*9UwBl@tPRS?FkVSC5($Qqa_)veBKrsAbqLJt5Vz>EN@{l2Rf?zxm
z4n#C2h~-BkihLnZt>plB6zm(wfXpV7<4fbabOjznh@V<E<8b8i`MR-B)heS$Y<XF(
zhFj-;AI3Y1NIn6i4}j~nnqZtW8DDh7YJ=2C`KV<2UPPN{ZCb-spVB;c=->WWc1yfD
z*6Q0!D#H=m`eds8zTKncS{DCcrQvDN!KhF-ztvsRUjA}j`A~e1V8Ok9<I>hzICu4M
z%j_BLx`k1JeeDtY4V<@l)KyJRiWJ*7NrD5wMgvBYCN$4IAJUN_g^QpkR9c`;f2_a?
zqB(+leIz0{-#Hf{{7)i`WuNABNWOM=59&cvX)rd=6fM?7CgT;dh|Qop3+ym8d9=^K
zjJE0D{A_WIXfiph5B<4D@pUWnK1=)lR)aw-&6TihbByQ|S*+)##vfk|fe~#chxJU|
zv>fqYkHeobO~bNb|Ln<6pVkEEef-tC_7L@-q2Xn*JQT!Qg0o*O*#Da{fvyJjzv=z?
zP{aD<8=#WRWU(yjcb5V?ZX1T}EC;Y6|B*+(55oZv+>dk^Gcp<RfxMT4@cz5$E`IJd
z8XciXL&nZB${p^5!%=3kyAv5U{sA(lTx5B$hU<U%2>|@~ZN|lHa2+!mUEqBvt~(?+
z3v4smu7DPDj5=`=|L~?6?%T{dJ{i^C?;RrlvX$Cds=1V=IB@pE(^2m9unL6iyuEF1
zN}lb{B?vjUI@MC}6@=y?`3jqBBu{(7UX*w)DF28phkVi<$ZP59^6p=fzTot5S9{d#
z9y;$Mw$NKunzvqgK8!UK0t#)YZ*&iKWy2A+6(N<gAy+ZQl~36>qP7eHyIoQ%;f@QB
z<)`XX9Mv4Xjog*984Ju7ISNwWFcIUQBhJB}Y{<E|J3tvpyGIodhc$7i-sMOcvyoQG
zo`Mz1?{-pPtEz-s)y`>hJj9Cn3D8e%&@fF#Dl1J|md{99r!4qd$S`XQjRg?-VJD4M
zg;G{(74}PntvExBZbXP5P0grPqt|tni)G87KL8MyzW>oliPm5h;^Vw_k#4ZvH#yzR
z?3%z`gV6Q(vOqLy)F3Q3k$$+Tw#<8;l_bu;uw(upc6a^T5I?Gh<l*4R#&|`Dh#;f{
zj1Xn0UyxS|`33&RCTGb3jWFg839e?i$~?Bz%(dGt{i1bG^y;8p+pl?mIgvC>QDN$n
z-TYO`t_LH8c+wWO)m}#;8Dd3!HtPc4Bj<QwDDwAMZ~>BZ?9v6E!Cu`TgXc$YEP3}H
zdcaqBp#G*kj07c#GKTa$MZ0;N)`a>npEH7F(@dzKP{x!C7YG}A(lCfVr9JtLe;62H
z8K2D?p26Y2L0~keQwL(p8nO8P?NGu;Q8HWVT)V(`WiG8?z@f$eJKJd*J3q4w9(qHR
z#M6xuWiYbno~0hEth^FI)3({=A-kBw)b{5}SL>hl&3{Zy()#~CAY(+obgqeAt~in-
zp#~hh{ABcU9y+^-t@(ANP4nBV73y5Da>IX49Ifd%PFwi!qDqd+xw$t>{K8$(BtTGL
zgb}9Nkt=+*9@32C@rZCg8otH!WmKff+HOp)X?%C%Yz^zf3<q|Fx^&LX2Yb$^TN->)
zKdlI9N4(7S7U;J2$5S=2uorJDmvx4N46!Kn;`BPS4|b2Wlm#<mlU)ah@DrUmu3DZ2
zt&8qjgtEIXM`!sgfU%HnZ%?`4=&l)4JkL38(!tV9w5yjV*UC3*$WK_-W4eHcygw*I
zKkqJz0ql6sBjBor<;`z#(R_SUu>hvv0fWQ%+A^ZgcYvdD;=108dRwoaFqWa!-rrZf
zyQBEyrxykYVyix=o^`RN5|N|!&uwxSC&=07dMkw2b3doz$X}t@GG~caEf#m@Q}>K8
zH}@Q3jlZ&MTJl2}FMKSAkIsib_sPR46Mxzfn>*F3b^GP<G^W#Um%tjdg2r@nUIufN
zwETm3epkC$!baADvhMA0!p_tPK=R1OHub+fD*3(mnGlQizi-+rZNin#WNU09K~IXc
zIO0fPhNeNI#4)I<Y|3?{u1Eqv{DVFfj^vH}#BAaI)6sEk3yD3Cpk_ZILdM=l7%=Gv
zuZX&%A!QY))d>^PLbqL7+SU5mK*0fTxs2yX?RV^r(b*x+R88f#EQmabza9AhJ^lpv
zloquQ7x=XaNe8s<VAwO;MJpx}dEt&znop9|zTNLfKZyn>hUizifmx*RBA1S}tf!;p
z@w`~6DK=QRv9V>GMrr$=w`5Q(j}-}p4r`^*g4`;pjk0<nC$I(An?%JQnr4n9d7AI5
z`Gi2suq}CBzk5R<*sXrhm;aP{VjpU}kI5xA=h&DRhD3apI}<E-nsu+MFSL8`ha1d6
z#X&~^UI=Z7@B%hYqfM(;2L}(SF81Za@>5>723L8l*gR~<L;h{Sd)60=S(x942$4Ub
zyNmuuDj%i&|7+VP-!%KyY`Tp7Do;XD(o;EU{a;0jR!mmbS3Pq@LehePym_%y02n_i
z95k<f7W!ouH3A^nU+^jG?#Flx#^t>9@>W=ho|Q%p9E~BTGUT4~b5B>~LZh`Man<sc
zKo;(~UyQ+x%k>f#A_pAe3SrqQ*v4)f86W#>5uj~??6Ql0yO&-LE<~%VevZUVji5su
z<C3NNX8vq1XeKnHF(g-F$T4AvoRPW!1<$tzZjsm4l+V|9AS9d;>WG{?#<U$q5EPfd
ze#hBB1Ih+SI-ROzL&kXAKVhwpc&%ha8QyT=SWa-?w!kM}cOn!%2@f;te^b+Pb-W_{
zNN16pK3rHILGD|uVGN(PD4``Q-1z$f!XA|ChbWa(&!||8ZrwjF_TGgs9<4hxK<R~9
zPdJ<V9AO5xZf1amAT*+haeI4#-Da(t+(pnCDAznWH$lL@SNXgv=rdNr%bvDua|~3E
z9KCq#0Ql|XZ)Xia)#UZi!B#xQUtmmi^B<lh3mz7c1+^F*{=wHh0u*D<+t0fMtZIVA
zy4#WVU6B0Tmml4`AFH-aIlN3BrW>%&haXs$4^cp{qQdl1{DE;{PW|C5oY4iUl(0pD
zCdax=KO8_TN1h+GNUy8hs}Oy!Aom5%-e_1fNc;tO?|S$ds<t(2JZc3<daRg{T{Nt}
z55Xobh%vZiQ~^Mw%ks@a<;L8=BdH-uDPHxU$Ef|lBf6)oDjCcs#p*KD4OZ`{XmJxl
z$EL{yD=@6;UzpO)X*e~Tq_pc-+tyvnP_q`-?()ckFVYJk_Cf`TP*?vXh)Gl~P*~_C
zjH*SWkRtA#b$Z7*$w~GKSB0lq0+?@pDLD?9VGpO}6G2DBFIE;z@Oa}ZIFr7zEC}RB
ze^Bwj1inj7$LbD-;Pgsegj?mQuM46krS9v_EeY0;`#}k?sd5oJA1;*EhEbAmVt5ND
zai=Y|7J@PLTiGs1F!9QZ4AMfiZ_8W3BUKY6fW;^oDp_Gd#2m_cEyqtgqM#T&uBArF
z$Xidi7;MD&5F|5Neky({T}3~hJ?#94=#1s4Wf0ig+_clH)~V<~c^At|=X%%*SZD&}
z4u6HrrTx>r)g~q^0It5IV(2cBe$JPZD0FWdDK~cVaSw1e&4{7y&m}CQ;W1?Eb;=UA
z@QU#*-S`m`8GmF>UhLTH@Jr2ly>H8Yjh{K^a#NS$R68F;%F-s)`L(8F&U?cfl?xm#
z%(|S41EEY5zr7C^!;}&gHJBmAMa+Dxfwv0Jm3?V)<y<s*IinTgD_mntR{-y`suFH@
zpfHvbdpF_eCS5kUqFblKL&8Z}y{>MfVc<q(2}0C8n15$)GOilTykf%rf%z1An+10x
zX+Of+(9|V4##3a>>_SuXw;XsF+Wg2f{-f-znU5$;29ImXDo5K^*-LmL5d0t!tSn2L
zgfm{gos5Z|@_!-e+6tohR!+bj64%msLA^nt%&d|eHD~oWwUJ7~b(9E)Ow2I69hRdn
zl{@L824(fBj)NANO&0kp+ha!15^-#u`7G`^Mt$|7k^@9+U+~_+i*mQnj?5{2ahj+}
zSoy`3J&PB_vN5%XR88ol<r*4w9@rbH8^guEpx!V|iRl%X=KM0qRu_oUgjQ2&HaN46
z@cRmtA&Ze^Dj`QZpYl3J9ppYpjLVQ^A_C8_lSH{#<=(%g>P3_G%&VMUC!w)rTcv#0
z@ejbpsjWvdq<5uP2VNU{KJ5Q0g}tSk!r&rtoIgR4iBHnRs3IatDeqY&uAVlZ%O-s-
ziCzIB=e5~snl1=u;U;kbHlG>7I&K?ufy>h`*?`@#Itz{d4DeDmnElbx`S`O62$r2H
z<DF7v=~Q$rIyOJ@%W#m@z14JUDVDUUE0pp33sowF?cIuL(xU-7%Z=&eGaFRUy(l`B
zISFKhXQUCG0G@pWU#oj)V@}WParBW5Kg*ugEq?FKuXU>?gninLe?nj*f+?xoGx;kE
z5ur~L3sx%8Ukpq?@pfA)xmv^clqwPea10Y%Nj+Txe7z!xO_N~rh^pZPM1<BDxH)w-
z>pP*U*8}y-)VP`#qFvmR_INyT8-e1fB&!h5GoYh=D^JuZSpD3w2nn?mmnlO)xg*<U
zw8Om|T}m2TrL3IR>?KX=%>}BjuSX9J<<**mWwsY<_5P7)+db&2(`}ABS20#@%1lEX
zDc%#1QreUF4$cyap*7^xJ}G(rg$Zl~3JTN4%3>{guufk38<}2Ym^%9!X3*9`lD&hN
zF7;$J{x+X~Gm#dp?~f7x-23I~$h!L7oIRdP|Ag6S8Wfdy(MRq4z{k1O+}@!jfK|A(
zw4+FyXcUX(`Ii){3&mre+YTedIEbw>sF47=ck;jP`L=&Z#kwa}E8Ij%VK)FY5EATh
zafpmb_{slcvh*Xt@$?DO$a-44k>n2Z#$0^XuO-u(FBLmslxjV>{S!#`tUDNN>DOQ(
zwb5oZq{|xyDLOZ;%1bA#0G_ym`%iAI%I!Z*RN1n{TuSwUA`J5L2|7RX)_wGiyq`QO
zn<5@K6MEM4!bRc(>LQi$s9=O#xaI=^{}9k2uch4V+g#9w)@fPqv*<RO%_e?iHW?E(
z9&u1L417Pch>0hT<PWjBjaWCrLO5Y={E77X%!w)ARp1m;U#WO}-yA+27E+I|Y02ae
zl?F&=8deuAk#2=_<|rKfD=@j^V$vaxWG^NApIe^fznaR9jftD{-w!%K804=lC9?ng
zmO4t(!YK?W@2lTVe~)kHn9~2?r0_Mf$rTRLRu>flb^~{6%f<+=5s_|}m%Kju@Qs^X
zEsJ40z`|A0Ac;URG8N<|Q@56h>1F6T%<2*8FQ#SbzbEa`*#faMy(v<bVnK&Ej6|A2
z1Rj6;Hd(nCj{hwlw^=kSc<b+G{!wC5T8P!vcW(G6Kx1`Td-a3!bZoGGB+<k#8junb
zDf6mCxr}j#xfh1)7Owqky%i_VsUl3FG0Q@Y-}~T#JFTst(v(JWqb>kdl{K)px>jjc
z<zAo!u+ox?bR@)jrD=^VXzuoFy(Hp)OEQrthjI>J3;8(z%e^aLt49MaJQ9+sQ`DTa
z#3Ehr5Lb$bpb=M@G{H63DS_4bj95PE#4_-Lu)a<tMD)V$%Smp^T)#{y*K4Ui!TI}|
zQ!(|;StNq?19F1Fi%h1Rs0{g0=YPWiMwpC4?&w+*Gat*Euf`IhOGOKe72s@GAmoeQ
z(0&AP$x<Z_>sAr<cVF|{7u{ZItLonnfxPh_h+Ys=F7;<@TI%D3^DFy0C&1Z`I(<*r
z=qs#MJ3DPZ6$Aegm^-oEm#eXXnx$3K=#NFl`i@fP6pPHXusZ5_H<?gZFPo&R8vXT!
zHJOxT-~mHNZR13v#SPQEGJj+S#@5NCT`u90)l|Of{R#98%29J&EvcW;7}k`cX0?xH
z=~Z4!f`1L}!h{<s`DtiNsrfWlDKK?WPZ&y!Y$Qs@sH!wss$_}bl%#C-538SPtYxTb
zJ0|EH_#AYbqfF!1?x|`U(jR>5VBG0jjKT28(WqifAoK(qIUvKOnAx;5B&!`bb5i5M
zX#S=?sPr;lm!uWL81b#RTh%i0JsMmuL2mvb&}zYtT8e(KqT#KkWTxBlnBgin86>fN
zw~u$LLyXspC}-!G^3=48svOMF@I}!yIkgKfRQ)=sR07i@Mky!ZN2%~j<AR*T2tWyS
z4EjZ(yR)$o;Ue@a$H@;WUQnHD^pOZbTntBbHRABEl<Wm3b4=rcwOKGy9s^U*kNBFT
zjpsNB^$N%EH-XRg7JxnWqQn1O#jse#hKEc!(Ll;o;a|0}4{vpyiNS`{blGGwd_?>p
zwAdX`5uP3U_9sR=4&h7uC27v&8g+&H@-A!~#H{7R{tA_}jpCyyxir@i*)eN5myj*5
z1M4foGeW!V!&d<;oqmW@=^;&z8EHPEg?smB_ZAiTHiXKbM%hjn?#SG%t_>3?F5D29
zFe*Cn{uT)?e5pRrMDDy@qe<ZvMW#a|Fc!C83Of$N`-YvQQP`3uN}_+2me`z;Xkn@T
zjp7K%CJOp)P!{UG?Y$mNtHK2x_o*914@K>e5nM#31|RbX`CGhYK{9Z7yeFmVbftdT
zGa&89k8Dlk$R^sBdn<9en|Eb+#Ckw5bna(oZ^FB%w#Z_~Ek+0%yJ|)9Lm=%UvRDAK
zzT`q70>N?;<{=ud`Tda_;8b-%-eIN`iU?K%gU^eeEshB%Xf<2YveiO*@14r*-7EBk
zpa9M}Wfuh@*L;N231e6}UNwfoecc=^v(WWZ<-<QYEl~i*$CLLCOcT|GiNoG8QsFsa
zxuQz~;6!O*IqY04;o6~ZwS$A->CpKRyJ7pV+<2@CJml(S`Q|-<;3@u{(7Zl6{8DY?
zdM~{NVBXHhe6_r&l}`NP_Qpk4K;=TFKdkXY(=&=>;<j8X2t!9Ck?WN*N3Pc$1upcp
z8zH_QA>RL;zHY|d{q~`gIos`TgZLOKJu7q4@^sVEyil{fZqOYc-s{r^opLH9dZj(;
zI8aIi3O{`%z$#}ner4-mH&58>MVexaLM;+)zd-rdan~S!AOE(IxCN{;1g)`POm<MX
zfN5hW(tu3=we@vJ24P$r`_{|}ME;I;ibZnwv>kN8yHBh|!F(}dw!p}pMs)J5BTngL
z82G&w@gh9i8YGNY+seGNegooCxauz?b%-?ZqjjYU+AkoPEzB^SVqL1?{o?mox6XQH
zq12;>1j>G`EJ@@%ZcvD#QyMdBiOIyu{7q3*s@1jAp~KzRzM-X!sNj2hr?&6)HclKp
z-A)0%Z4Z0AF0OWfzaJa7KxgT;p8)rk05@btF5Xofy#zl_0<}gYIHHN-CmTE72jXm|
zqcNIC1;kQ`k`~uV-eLq_my)IQ?0B)3Tz9>x_R2o-{pwL~(5arBWiX8DgGr&QmN30=
z=$U#VE#)N%b*;(b)_PXP3O`O=oblK&F~$PpK%B6e+qQCOyHraU=>W047wv;`s&8W8
z0OW<bG=qyDK1_55dxRc7ZU}YKE~kVP^g72eGbOl4h3uW813QweTSnxIF}^&DoYj=<
zMGSqG*@KpJh+!r%9xYrQG<}%4Qdp5N9u8gKF@2KE1=pFzUvDr9S8i++<QbT=Y6PR-
zOGjRR8#`!-dlORJmV5*2vjx%_67xRLnz-LRpNKU?;^(h5uO&t?fB%hO`oKvIx9hon
z?kM7yMJ?`UTEDFd&URU})XskN`qC~{oG>xXW$G}dwVxUR$A(tq+h<t-Nj4r;-MFX(
zPRwsg6b81xQ-(NG&h0va>Eh|AfSGm9Kl*Kw1wFl@+WEykxtfKeQ(}H?G9n0zV~B2e
zm|`?SH)2zGece26k@czAeRlfqVLtt9!P(5%a^ly_(L>~%Kts!^?44kvw!~V7aowyB
z{7Mo_-4P>eq;dg~O&QU(StL&IWDwIt9c%4N;6AOFIni|Rk$na~nZ_!k_%r6%KB1PV
zjD<v#+v|lcEm)SVMpG1S=pR_U6~rjhFDDPubDS%DFNfp)heB6&@n2SxOMq6x%xP}=
zRT$r>Y!ghc_8QmBZ$tLDZx7q&^lcdeHnx|g@cZC~{lc!f!@1MUJ)ZsTnEpJP*9zat
zdPWwERn|RJCdiI*V~rTQR^h<s^0t2!#;@4@ae+gae*<KXk}1MNG7{rFvn;)k&39m@
z7`3ZdsQ&FzG}Kw{0*A=!C{b!rC()*prZwUuPs;fE7S$txRpa=@OF$y+S12u~q90;&
zK$F$;Ue<$um&QG#XrYT!rlTgHsf?PNv}*8*v`9Pw2u}XR1@%hf5n2;m$4!s>WOxy@
zzeVNnH9Dg0(@H1Cd0CS{jD9*yKCbCFgr^&`tcoprWt7KMA2ywHfO4n#!tDoCU2lNC
zLU29qT4m8tf;AU-yj<28;r7bAzFcV#_yHze1$>`r2Kd%Oikw_ariC5h4eIOAbQ|=r
z&W+>rNX%1Z*W@Veg-#{h<+?658V%Q7q1d*(NRKVu5!6QTClzw>9DjuhXI%B4L9E-=
z5yAzev>H{24oeXytR%*j9yL=(Qv}5{MORY%s*C`iA?FMogYiad2ovelKjTw<dzj~q
z^bS7GWPlho^TbBss;LT-%uW606(W<WY*(+N4+eDNQh-0QHMN7iERG*#%yrAE3py2v
zh8iN7Bz%bc_BkTAA20_>xJdUx5J85Ca~!qE`8m*DKDnjmKjM$D87A?d)l!5IO}yHY
zJvH5ob`=;AFMBmSlS}%Lh)C+|rd}&{?>Kv14@{i|nd!ZpuFUa?my5Tn5551-2LU)9
zUfXEJoprGUeFtsd_v~XKvyt~HT-x|$M3xkW;0w5MwJ&8&GRk6xGP=)_0nZu^!oD=%
zJ@5NM3t1N^AC8@zq*j9Cq?O;q=2wI<Gh7dCJ7(yu1e+<r<V9y!mz!F4MAqXA=U9V2
zt-YGV&EBDV4JUwa=MbKkVC#KI^@esuB26|d7hhTIH5lH7JX}j!=O6V#m5dI!*I<BY
zalPo-J)C!fV2DC2t+E5CAnWI^FveN)Uo(?W7p=*ZM2tD2lIfC(cN0a+&U|wM(&pur
zSY8aoilG_^=F|2LkL6WSzR~7(&d4E884U}bWA<#%b8Nq(wiHvlfnL=QUB8HwHvpZ{
z7Tc<>h!eJYCweR;ttDkheQ65(XTq=^Y2W7|woTd+4!`-$E|w~CR~sy_B$c$NYv<}M
zX0)G%JhX52lY0_<fd<mJ_C{I!<d=_44&UYBmr1IXL!sC2WgIlJGx}gv9Pk52dwu#W
z!YN&h9n}ucBS9YqdH^jD)zt5-iC#c-^!`o9t=JvdiNd08`uy^W(sVwRDX<}$WVCh(
zru}k8C!KByWLDbtHf?DZGiSk8i@p9U1K!_oo==rStKogu7sqplC!V8`tulACsfOkS
zbo2#!$as~f6Q98oa|vG$^Q**>!I@j8u;HSjl~o-F=Xl}sNXkG4#rz(ihQWb7he@GR
zt+&C!O-EE<Fda}9iGyOcD1XEV$Hagyi(;dL%dp@EcA56As8RXTbw<*nK?J08m<aNm
znIiyWK0>>EW5sAr%MBF2{B!6ErZ*Y}?&rSdGDWU8=SF#W0RBGC?A-iYj_bD5yJUz-
z^S7x0{jAnC!6<BTFDvd%v#0}z7EY?(cyNom)nc%=WZV5GpVM+k$p=bSjfzI2Sf0#u
z*I68vu$AEMZ@{&W^K<CjX@*35VENb>v$XjxSX4xk;EVrGM0N#N$}EyY1bj<mQzDPK
zT)L+nl#tMGQ}^q$jpd7+aZ+?<ZS_fm6$Axg2}gq7^U=rAcH4GmmpQ?%aZg9oM6;PJ
z<AEVzFrpdJ#>M)Zv9;6J!;`7Qc&!o-O}gRp&723jwlM5;enHF;s?Vy&Ls#(vaXy<w
z(~>pa(T!PJmNXca;5&F94r*yuL`%*N_A~Xqbh`v|8NVZ<2iM%%0kM0`!u|b)XAMXS
zi_~wsiQi44B|fa+$?I~|cxl1nvUn1_Ungfw(J71Yau90l-lBj%lu~XqFyFm&7FL?+
z(4#o!WS<#IQE0bn-bWc9m3qS^8G05)L^8xgn*fR>tQuD6<ZW(Z8uXk=uV@s=vT(d+
zkwDD_-bhB5M_th}@(9f$WUTnaXfhMvj(o54WZ#$sNY_;xzl^|5IB+AnQ3H{RhC??e
zq<E0Rhexi+Gd4XEJVc1Vwajk%k<*(^vlM;TNSAAo2zs|``udN5D(0uab^UTaD0Q~I
zm24A*HSb^kuitJ{!-*ql0(;&-9@6h9_RKfHZwO_wMcPGX_&nfl@Gg7g$bY>)-}ZJs
zHs`j0fxh(j$9nszD-Ck-uQ6$D2P!v(c~1WH|1nYI0ZvgB(Grd%xic^DK6#ruJ?sn3
z^($b7EDp<f`9TD+8PX^Bv4m%E?9wv=OEV*&ANhzk?zyQ+1AB4YE$WefyX}BeDHjs9
zgGL#lzXX*W@|a+-HWf?tE>95+<wLqQo?vyjzZYPhJPuP&RK1XrPr|bN3rBvUQ~56A
zcNZVCg)k27NI&PpCDrAbxsW&J@a6?NhnMX6y-8M#KC@Z{K9-y8V+mU(A8Wl)rg$`!
z&I6tPy!?CoNg}myr4ZKp4)xqDs<9-F-0Mt-IIh=B=*S6NY)}gaYM@S%1?Fbo{Vrjt
zE-k7Y01LQKr-x>~F}8*lC7*p1x}nPAYj7lzGzx^2r{MqzRC`ef!3uDir)%bKSe3&n
z*poe%R1cvw^0rZELBcQiB^a~gO{uQ(ERb2IlNu~k07TP->VQOsiqB=TReX~b<T|9-
zT5#(P{RIpzJ^{rJGgOT%3I{B$dN61UQ!jsH+y@KF=16NoLaoL3FJCo%f+x_1yPh+C
zz9&3+nf<<e03^LgOh%gZOW?|<5ryE(ygJ0xfdOIq+#x^)KS_!-5;NL^Ai@9gaqcj4
zZVY*~`w~u{2Aw4-V?3j!n7I?0gb7tzVeN?B`fhV63*CUMg_MtL`z-ybrDVJC1NU&6
z^up>Xez1`E87~Ci*8%VIch9%41?1P$`{&vAm!ZwMLvYpRX5aGF^wHJy_FM4gWp>}T
z=C@P3=QG0!^XvB8ww^|l%Qtz?`X59cI513uDW7}NS5DJQRhYQJwCb&MUXzNl&a=%(
zNA{Vp%1ik5suHrd>l>OHf8~Fk@_;##MW^ex?Ng2A@9C?n<%PFz<Q@bb3`!AfRXEj<
zR(Wh*6CVj}Q+3;{aHTw~T&F3d)icU(M)%vJ4+`^}o(B#6Z|iQsYw|eX<KPiP@aL-U
zuVr_yPlu=X%ngO}Z;6k}``oQ(nlv+iw~d_N{$Dd%-+%I*elxBMaNS_`?Jqf9fAwgk
ze7C&+*E;;;DbaNduKr(T`hXYi1IilEgBhU;3z#AiP$alQZu6Ueg@N5Cs_LRiec=1@
z_x)wYM^D?DzxKDl-m~Ch{dFjHX7ZXWi(&e9JD6Y*GlUk_cOWA%x_EH494{2@Ra)yl
z@7+p%Y<2(ye~vcN6e7)M1y*&tLlov^GIum3-ZRVo`kO&a{^JzyZujF)QfTGqckoo-
z^#2;=+g?BKfJHrQRN6E!K9sjNpxlWHE>fpA2m}W8l5C%JEShZ<D8qlK{AKtMiTif|
zJ|rg&s6fl^AlR$_Bh*KefW;@r0H1&`o=461W!2_o##c|zedG6cyg|tT0<uGJ!67BM
z!>;1`X)Vi*&WW($bar0AQe4NulfmP_HHN$m!b<>Uo<M=FATzY9sw*Lfxd*%ZACGCd
zNVgDbLRa?jEWnv76pHDp@pPcYD8Ijz8(dZ<mGLNs%>6ZoFHs~%7IC;^D$|VDt47^m
z$rFvU+ICc{a{DUmG4>vuI>b44T#|ga6cb*3O<2IPpZG;PMg#Oo_~emact;osLME;%
z*2IhLC<N$t==L*|rSa_ZfqPV){D^tZks2$nuWa83p<)#g?-n*}33xRdEV@pVC%J0#
zvKg^52(mFs^O5<S{=gnBdIm6_Gg%SG#DL&K9>~&pk+P>%?3mCEesYmT04U&CJ(MjQ
z!_fyLna5mLx_ePa+l~B16duN!^`#gV{}^fwa`-h5qJBr?&5c4iRF6kL15E5M>K{Sk
z!G6^+4qnupU*|cecHzZWol6{787=>KPHIV9ek5ghX?yuVHziS^as(}Pe^?`WW(l(w
zl%SljL;7*_zXL;G&0U=bL71kIubHEPzsZnH!ZAETsb)9uRV%&m^g2@qx6&%wEGF!j
zDhDXp9*NsWNx2G(bghYqv@v`qk#}QQjCadh5qKT?23EO^f7Q@`?uF@F;vI1_BG9m%
zF%xLwV5mR-2?5ao`#cAUZ@<yVmgkfAwVXZcyN3LrmZU6<4^}p15kEJB=HZw-5Q)@S
zSz3XusfdHuB_FI{XUR5iR*?nW<2DH}2|V}FoGN6=95Ll+1e>58>4W)XcfY@cJD#!N
zY93*0b|Kgo%2CSL6&vU2XX;IbYmYHR9pyEyzZ0wl?-#+rHQiCAsYR(}glTj6Fzx}d
z2aXB=<bltE4w{)RLvBcNMCbh?Z0<cJF)tK!Xc+sz-~*~NY?06cktzo10$}d!ms9Kt
z5TdLSe-+l`V%MKD8tVV%3+V~JFtAOun1o%goa#J1V#A1o2hs4fwrX4~mcNJUB&6#N
z#o^{jSHwmJDVwc=0v%drBYG!~3<FBzuuNUBm<Bh%*ad<3*gemuqr7m#9d12588#%d
zLRp092(b<Py6`YIn0=^16M>tm7h9I71*4qb+sxN7ikA>p9u95B01{~a%)okPi&q^I
z);&<d_?K{F%SU<a78&^{-TzsV%rsA%d#(Q&#^@;HJD&FiVV$Ca&jjkrY#RLAf0lX<
z<qC~XyyOb`-_83M1m^RY0if_ApbKL&uN=FDW$Fhk%aV1<Ll&HVYr(;ErA7gfq#Tu)
zvD17sRhMWn%EYLCqjI(rgqZbZw#OG=f4~<^mO@bw%_zeU(tTuAx>%j-QZHBDv;i>c
zT3N*@69o;F9)V$!DW7Ug(~Pm{I8Rc*7pL60Egg#?s0jA_h@lCvA(XkU=$?sbP3fAG
zEvb1;Xrg#%F=x9|t=>kKST#0klnOx{pP2R+LInD%ac;`^w@}=3!eaItl5XEYnVcbP
zUwK_ijBMTZbp)GiUZ9`O<TdBUIQRuFdg+}VvjswfpLA}~B~q>-BJuAUaV=QN=j!9b
zHTmijE`F$zJ4DqjozCS&yHH@c#pQLec}?;0g%Tl5U69Wrc5%Yt(2O*kas3LKJxB(*
zh^G6iG0mrq0WMr+o*oOy4+3{Ww>CFrqaK_u*(ij5D$HShetOP?11$q6pWtcD5`wn^
zWbq+k3n?(D9gXptpTD7@Q>4GVi%(27o5mx<(NET{TR1-IhktS^goenBknv>o<2W`#
zE#+=%FlT$N=>oN<Sqv8}uBrPmhK2h37W=y|{rqf&`ZXcUso=oy+$w^(JVDT{ouy9E
zCA)<mMf`RJ>Fhz1tjf*bt;q0FUTK7(sa~2RvB!RO!D72{p%8wSkbCW*v<~pJL1S|Q
z_zRP`;aD?ji7Xe1flktHh9q#sSV8kbNuJL^t(F*gpj5y+J+O=+?%}jjDhq%3dPj0#
zjYEqp<GZYh6Qggh`qv@$khGQ~OJqGTl3wmS6b=JR3%50T=$3b(&daB%&KLDVHyBQ~
zW|av<oLu!12-%T9dtw(a@U7($KF9Te*926UC5}WY$f`ae+FbeIpOz_SR~#m%$XiHq
zYi0v3yIt+tYnOg)7#g#e&`IA{t~Ed=k|!n5qm*kHk}Z~c5<~}#HzMgE2MT_aDc2-d
zSBvwXqbnBfOa2P9$g+^V{=V5uiJ)Lvi>5Ky6iKw0N+v{1V;1Tj1A{)+pW#IH)Y^*)
z4W9<vQYD9FoTov|g6_1PHdzgeM*Xc6Z?BY+3@I;O_a-XZs+D8mf@~pPuFb`_`+`Bj
zo4$XxMD1!Ng1V<LXO_}(mF*k*y{d;ASKMGQ+{r7m+QZA3YdA?5che(#L>>HoFKYJ0
z-U;SG%|QE?z1Ox*m5>---~KIFPcZG=&b~pccAu27C8GICdyA6GVA;-y#+(;IcBOsw
ztoFz>e8300(Ymj8*wsZ7+sQ*X*vTT$T)+s$1-e|EB4I<*u+#Qv^`3zFj9o(8Y*3>k
zEqPgYg7xpbPkxGBUFW<<O|7HB)X!;U`r9PC=Xux&pyJ{pB6|dFb4?)@MAW0VZbtnc
zk&+~naG8SUrUo+)KWngBQ6HlDs~>XK{cw>wp-8%5T(dCxHII9({U{Gtk6S84ams6*
zo%(XY1VQqOSGqTLpY;!!vlwiJ9EBIwx?STAtz*AbavG^q9_@_-t!ThYz>nY4wIY8N
z4G26Gl4h^Kn5$Z`)q0!<`>t7GDh`vnAX8Bg=;b=)<y?HshW<s~2i|Ny+N_A9DdDwf
zAOWm^qbAc99agysVOH3QoJg-c3LW+h1|@s1%uh$ps<Pp4Lf_9xsi&C@eZYmPD}SWH
zJ5f}Ha3w3!^>?akOxLmujlN#8Ej(P>dBaf|**Y5E?vHn1gQyk%Np}vN%BIPug{3RF
zghk#-JymJ=g&Yd3OhEQ!)s*_$bQV{7p;U|c!N7h9WR2J0K6K#UPNwS=XTu-HmNi9$
z6wwv>Db!?_zC`ND>C*`WX0!T2KT*?HG%k%-r)yFGy5VPJ@;PjGh?%rETQ1%Szw<eS
zm260N*#s2`?k|`QyA)!2WJWoP-BYqUeU3OuG!^DQyjyA5ii#A@8E&rTmPI%dk;}xA
zM|@zO0n~VeP`nZ@i+ReqqEh&t2cOiBMrwdN$}_hj#dJ7|bcrEZROoDGKjyQ8qi#Jx
zf@$Cu2)QeKoCm*;+`oLIqLXIo1M6BEI2jwK0vRzBUSU@7md&J0D)-<zf4~JrJ-9F2
zfFnZRE62ctsc(SfSVG_%NhOy1zeI&QLC6u=>dy5E?Y*tLds#6$HYip~D?lp5*&#ps
zAj{zx1F-p?ELY<C>kgc)5LZH|RyXi3?6E8%C}*wi&V-{<0shJfIvqS4IC^?m^wgQs
zFoO7dq`6aCoK+X!mJ)Hq$bJ9*AzHZfIS2z(w2M8dw2fCn(aUmfK=X%OMhys}bpF!K
zm({rvi4GCB5uJlz!9?yhMRk-@Fz7Nza#!~S4CM&;Pe<O)6I0OSUo3bN;i3eW5)3zp
zMhdFzx7&v_WW%6$3_oE0GgG9(9vqLco!?tbf=+-%6Co&-566>>3G2|gOBG(a_HS?b
zUGO~CzW%f>m)p1jF*lQ;A6<pA+;(MzHB(AUS61-bZ`0{~YgQRf4fR-Q(acG?0%o#<
zR<(3QiTJ#Jj8{sP?N@V^nq+R>qgH#F1hg`tP!JJ4XjlpCFoOTkh2#Z+rQg)c0ZD5b
z=gFm<I~rXkCOr@={(U+W_GnEi&VdWDONYougNM&@dhZL;Dhd;@e8My^-s6ZAKBT!f
z@)Ji|QYM!NX8o`nEVx!nFI$jl3r5z400m~IC^Nxb54!JisY*VMIcysk>91fRefwfL
zD}-{4S_#7Pj(*>hkT~<9)I^G$dYO6SBaSoJZ1+~IuM}RazbvK^b~2?rzxS!p)OOS3
z2ZOS^L}b}b*qL~0?b63bR;%4{GL&w4Y<;xL2mCHbp+n^4eds-J^uy9QV~j{tb_Isw
z|MQeZuzY;TM`y%Iyr>P<U*uhxz>AOIMRf>3##ys)*%EHx`vZfnQ|D$Vfm0j6OIL2S
zN;&=Np~6k$Q@Gk=_q@Q@SuIe@V)SbAkn)Zs^j!ViUa@_*q)6b-`YWMRB7jHLun4$@
zLs6CPKUBbUu%@BvyKrGIG@;dry_*BZy|YzAQ~Hp1Nyv_X{lB(vXSbX;o>`$eZTGE@
zrty~G)=q!UV#J2|`kB9~Vcg`*9XnNF>LkZ-&w{QJaP8V9Q{{sN;b#~Pk`mg_ojo(a
zMy_zIP@>Nmlx(DVFrDu9vJ`W3u5sh|&gWpPeSJa5$rfhA(U(<a+rTpEHws$G0uM*g
zGa&&^3pS}2_>Z_7rr=i6jhFn^lg)ArtH~R#n`vGf{5I3QmqlQZI<VZwZPiyXB?gf6
z4UYKz_l$Vs@jtH<g&#IJfU>j;u1=va)Q?T%YR;k3yfIat^sYnV^_bj4VRQ~a1o+{$
zS;W1)A)?G!o7+VBXH^_>zN!K!!iS08YcWV|^qS3k^xijbDx^c78ToZJ;s!)F>vKF$
zJnj???YBpS=`_1*+tjnbpaKHhplDD|y1q7(OcRcF4rC*#9K9Mfu=Io7@^oV|(up<z
zYkbhV)1*_6X8wU+U_y$@-$cHw*;osdT9J8@=!NIbKpVmu#0<riMF~8;vK7ObiUb1V
zWh{1M{5&y*WIX+@S?o#V#=>U(txrQ^c6wAo<3>Jv`SqAm0d4esQ_~VXmfT_{dt7h?
z3?-9AV0@a|R5s?jQ|8Pgdqn><1?vxZLCewn08O1_5oPFaX#hG3{XfK%^iu#dD6HG5
zeX=s5y0k}Y6D`7rUyH5PW448g6YXUpG1g$x&?U0I(uIyFK?6LThcpA%Zu>%?C^NX5
z1IG-a%mou#D2mLYvay1SWz#@4W&Qg-oZ|fyX}f<G{oht8M7G%CYgH@7QnSgV0tRNu
z47KD>6P^r`#82IF@>A$^p_a^Af&d-6cu8{zPKMA)xIRLn!(pq#!UuV<WIj>S!28tl
z<;I)DGAuV&CAzx85z0pP2YYy|%(V>xHvAawA;gL+QN13T4?+=qHTW_UVu5>&-xvTD
z@||q5J}`phExwoJvn9)Zn;XzLzc0$aA}`f4iv8MxoRJ+Nt?Z@*vQ9nzfqa%`3zJ&i
zhAAf?AsIr+h=n)egTholPjLk!RV$}Q4+T$OBf5>TqkA=@Akv(=WyS4Ii%)d={;SD!
zHAMUBVj%8zjd6)CHVfVq++Jv4A7k-xDH$UC_Mjg+)P-SFC@>s#7wQ5@T5aR8Y_g5&
zspjJGm$#7yZAbcXG}1FcqGv8rB?|>UG35is3VEN)Oebtwm*dXnutR~WL8j!+Y2enx
zZC{mD=awAZ!eP^?!I(3*q2+d?&HJPgBHC*3?y5&=OVS0^w}m6g%eH~VJIi^wfmLVX
z_a{~SVkS(s&twQ;_}IogJ|}7J=01)&Boa8Vg@T{<Y?QyB2>DK=Q(L5n#R|N^i}?oV
zxleQ~!mzXJn9k#PnA;5u6fDChFPouRL`*Te6ojbl&nk?W<5>Ow+1~T+SS8rvXG!)>
zIutI+17xGcl=a~TC!y0|n$06|J$ltFLC_N%-ahl&=Ce{HgcSx1?$RA`*W+F*J)u|2
zaO+*&4>>Ch#C)I9$NiVSKH8wL>^Q(Yo6~2yeQzz%n|o^UH`Xto*A#Z-9B4AEA^0>~
zTZlV+IOkhXIE4Gl6tDM*hUr(2o0hD4L>8ULsV}^@&&OVB`Be|;V)Hxqi@)?2b_E>q
z{a@#o9cGert1IAp=D&RFcC^LaVO%oro51&5=M(mEL=@%X_$Jux7_ED-fd#NSE5+Q@
zLB?{8d2H&k-_y`HZi5K@4YV;l8k%*|4}^z^>q*?q#LEk#qAh@4gw4D-h@M*`rqaVo
zOY&e8BBvBNc(V1tmof1in4SdMW*Z9qoE&{?J;p!;b{wJ13t<U;QZHlZ5mw&~5VlT0
z$a(jbnD38u*ZQk%MTgrzJ13T(<hMJyRy%Yz3{z9$vcq)CZgQtBa4vRU_5vQ)`ZE1C
zK|Yf|eSdq`@3}xAGolz9=Px;dq@ymcOrl)ZxTSYtoxqALH^np;_ZP@gNzm*7=6ZAk
zkMjL^z5N^k)x5NI+0D0x9;nQXGUz8;dNHZ#iWTKtxLtg_tsNP#as|?C8DNU`8(8ny
z#-s#BcuR$(*O4@Kt5y}e330Rk9Fp6WK3<OoKup-`y66M9h-f%uCZ_K0s3W{WCnq)a
z!oCgWn+4FnOTxYnOxV%B5mN@^R7dz;95y;OW-4Cdf~zP#o(b;W0mhY|1e`~gL^eqn
zXwF0nvXTdt;oldH9dB-aP>a{bvG$$eYfue}rBCsGVQqlwk(V_Kc`BGZr98Aw0&`?u
zEFnsZ>JVCddDJ#bo{3wT7VQ+L&ad+F3yEh9RnINfrJZ;%gPJ7pt8=+3R|_{98oH`?
z#nS?51|B<x%~WE9kPzwuM#s@exgZ}3BLIHA&;sgL89a{SKtqdD+Nm?*K(pUV@!=QS
zL&JJ#xZ=#y`fzIQ#>}P6w0Mm{m&o}xXZtfk%BS~`qZ+oKhSm)n9Z1u=heANd@Z(n<
z9qK(8HW1Uhu-PM~3~GMQ8PjCg)YnrKIzt+j)1EA}x-8iH6Y12qu=YiEmmjI{gGQGj
zR9)$8{?fy>TGVh(7(u;lhIvava%9qD_oydU+4~y$m{7&vUQQ|EzI}Ass7gioA(}Nc
zq44Sf8a>J&H94q#*~xO+DRyAHhUREUrwK1CFyiVO1G<q=Ry4~IY5_<lX^pe!45xfM
z|Dn8<562#hp4Y#?x?*W(y&%#mMlKAP%7@c&L4xkv<R+{(0%?Ze8d_z3{}Uqs-2Z>T
k%rEz-rT_c#gsK1Zd-^^79{>0M0{{U3|1-MBI{+#J0NvsEy8r+H

literal 0
HcmV?d00001

diff --git a/charts-wip/matrix-synapse/charts/postgresql/.helmignore b/charts-wip/matrix-synapse/charts/postgresql/.helmignore
new file mode 100755
index 0000000..f0c1319
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts-wip/matrix-synapse/charts/postgresql/Chart.yaml b/charts-wip/matrix-synapse/charts/postgresql/Chart.yaml
new file mode 100755
index 0000000..20d20f6
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+appVersion: 11.8.0
+description: Chart for PostgreSQL, an object-relational database management system
+  (ORDBMS) with an emphasis on extensibility and on standards-compliance.
+engine: gotpl
+home: https://www.postgresql.org/
+icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png
+keywords:
+- postgresql
+- postgres
+- database
+- sql
+- replication
+- cluster
+maintainers:
+- email: containers@bitnami.com
+  name: Bitnami
+- email: cedric@desaintmartin.fr
+  name: desaintmartin
+name: postgresql
+sources:
+- https://github.com/bitnami/bitnami-docker-postgresql
+version: 8.9.9
diff --git a/charts-wip/matrix-synapse/charts/postgresql/README.md b/charts-wip/matrix-synapse/charts/postgresql/README.md
new file mode 100755
index 0000000..b5bdd13
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/README.md
@@ -0,0 +1,580 @@
+# PostgreSQL
+
+[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance.
+
+For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha)
+
+## TL;DR;
+
+```console
+$ helm repo add bitnami https://charts.bitnami.com/bitnami
+$ helm install my-release bitnami/postgresql
+```
+
+## Introduction
+
+This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).
+
+## Prerequisites
+
+- Kubernetes 1.12+
+- Helm 2.12+ or Helm 3.0-beta3+
+- PV provisioner support in the underlying infrastructure
+
+## Installing the Chart
+To install the chart with the release name `my-release`:
+
+```console
+$ helm install my-release bitnami/postgresql
+```
+
+The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+The following tables lists the configurable parameters of the PostgreSQL chart and their default values.
+
+|                   Parameter                   |                                                                                Description                                                                                |                            Default                            |
+|-----------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|
+| `global.imageRegistry`                        | Global Docker Image registry                                                                                                                                              | `nil`                                                         |
+| `global.postgresql.postgresqlDatabase`        | PostgreSQL database (overrides `postgresqlDatabase`)                                                                                                                      | `nil`                                                         |
+| `global.postgresql.postgresqlUsername`        | PostgreSQL username (overrides `postgresqlUsername`)                                                                                                                      | `nil`                                                         |
+| `global.postgresql.existingSecret`            | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`)                                                                                      | `nil`                                                         |
+| `global.postgresql.postgresqlPassword`        | PostgreSQL admin password (overrides `postgresqlPassword`)                                                                                                                | `nil`                                                         |
+| `global.postgresql.servicePort`               | PostgreSQL port (overrides `service.port`)                                                                                                                                | `nil`                                                         |
+| `global.postgresql.replicationPassword`       | Replication user password (overrides `replication.password`)                                                                                                              | `nil`                                                         |
+| `global.imagePullSecrets`                     | Global Docker registry secret names as an array                                                                                                                           | `[]` (does not add image pull secrets to deployed pods)       |
+| `global.storageClass`                         | Global storage class for dynamic provisioning                                                                                                                             | `nil`                                                         |
+| `image.registry`                              | PostgreSQL Image registry                                                                                                                                                 | `docker.io`                                                   |
+| `image.repository`                            | PostgreSQL Image name                                                                                                                                                     | `bitnami/postgresql`                                          |
+| `image.tag`                                   | PostgreSQL Image tag                                                                                                                                                      | `{TAG_NAME}`                                                  |
+| `image.pullPolicy`                            | PostgreSQL Image pull policy                                                                                                                                              | `IfNotPresent`                                                |
+| `image.pullSecrets`                           | Specify Image pull secrets                                                                                                                                                | `nil` (does not add image pull secrets to deployed pods)      |
+| `image.debug`                                 | Specify if debug values should be set                                                                                                                                     | `false`                                                       |
+| `nameOverride`                                | String to partially override postgresql.fullname template with a string (will prepend the release name)                                                                   | `nil`                                                         |
+| `fullnameOverride`                            | String to fully override postgresql.fullname template with a string                                                                                                       | `nil`                                                         |
+| `volumePermissions.enabled`                   | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work)                 | `false`                                                       |
+| `volumePermissions.image.registry`            | Init container volume-permissions image registry                                                                                                                          | `docker.io`                                                   |
+| `volumePermissions.image.repository`          | Init container volume-permissions image name                                                                                                                              | `bitnami/minideb`                                             |
+| `volumePermissions.image.tag`                 | Init container volume-permissions image tag                                                                                                                               | `buster`                                                      |
+| `volumePermissions.image.pullPolicy`          | Init container volume-permissions image pull policy                                                                                                                       | `Always`                                                      |
+| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto")                                                                         | `0`                                                           |
+| `usePasswordFile`                             | Have the secrets mounted as a file instead of env vars                                                                                                                    | `false`                                                       |
+| `ldap.enabled`                                | Enable LDAP support                                                                                                                                                       | `false`                                                       |
+| `ldap.existingSecret`                         | Name of existing secret to use for LDAP passwords                                                                                                                         | `nil`                                                         |
+| `ldap.url`                                    | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]`                                                                          | `nil`                                                         |
+| `ldap.server`                                 | IP address or name of the LDAP server.                                                                                                                                    | `nil`                                                         |
+| `ldap.port`                                   | Port number on the LDAP server to connect to                                                                                                                              | `nil`                                                         |
+| `ldap.scheme`                                 | Set to `ldaps` to use LDAPS.                                                                                                                                              | `nil`                                                         |
+| `ldap.tls`                                    | Set to `1` to use TLS encryption                                                                                                                                          | `nil`                                                         |
+| `ldap.prefix`                                 | String to prepend to the user name when forming the DN to bind                                                                                                            | `nil`                                                         |
+| `ldap.suffix`                                 | String to append to the user name when forming the DN to bind                                                                                                             | `nil`                                                         |
+| `ldap.search_attr`                            | Attribute to match agains the user name in the search                                                                                                                     | `nil`                                                         |
+| `ldap.search_filter`                          | The search filter to use when doing search+bind authentication                                                                                                            | `nil`                                                         |
+| `ldap.baseDN`                                 | Root DN to begin the search for the user in                                                                                                                               | `nil`                                                         |
+| `ldap.bindDN`                                 | DN of user to bind to LDAP                                                                                                                                                | `nil`                                                         |
+| `ldap.bind_password`                          | Password for the user to bind to LDAP                                                                                                                                     | `nil`                                                         |
+| `replication.enabled`                         | Enable replication                                                                                                                                                        | `false`                                                       |
+| `replication.user`                            | Replication user                                                                                                                                                          | `repl_user`                                                   |
+| `replication.password`                        | Replication user password                                                                                                                                                 | `repl_password`                                               |
+| `replication.slaveReplicas`                   | Number of slaves replicas                                                                                                                                                 | `1`                                                           |
+| `replication.synchronousCommit`               | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`                                                                      | `off`                                                         |
+| `replication.numSynchronousReplicas`          | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`.                                                      | `0`                                                           |
+| `replication.applicationName`                 | Cluster application name. Useful for advanced replication settings                                                                                                        | `my_application`                                              |
+| `existingSecret`                              | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-postgres-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template.                                                                                                                  | `nil`                                                         |
+| `postgresqlPostgresPassword`                  | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)                                                                                              | _random 10 character alphanumeric string_                     |
+| `postgresqlUsername`                          | PostgreSQL admin user                                                                                                                                                     | `postgres`                                                    |
+| `postgresqlPassword`                          | PostgreSQL admin password                                                                                                                                                 | _random 10 character alphanumeric string_                     |
+| `postgresqlDatabase`                          | PostgreSQL database                                                                                                                                                       | `nil`                                                         |
+| `postgresqlDataDir`                           | PostgreSQL data dir folder                                                                                                                                                | `/bitnami/postgresql` (same value as persistence.mountPath)   |
+| `extraEnv`                                    | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template.                                                               | `[]`                                                          |
+| `extraEnvVarsCM`                              | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template.                                   | `nil`                                                         |
+| `postgresqlInitdbArgs`                        | PostgreSQL initdb extra arguments                                                                                                                                         | `nil`                                                         |
+| `postgresqlInitdbWalDir`                      | PostgreSQL location for transaction log                                                                                                                                   | `nil`                                                         |
+| `postgresqlConfiguration`                     | Runtime Config Parameters                                                                                                                                                 | `nil`                                                         |
+| `postgresqlExtendedConf`                      | Extended Runtime Config Parameters (appended to main or default configuration)                                                                                            | `nil`                                                         |
+| `pgHbaConfiguration`                          | Content of pg_hba.conf                                                                                                                                                    | `nil (do not create pg_hba.conf)`                             |
+| `configurationConfigMap`                      | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template.             | `nil`                                                         |
+| `extendedConfConfigMap`                       | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template.                                                                         | `nil`                                                         |
+| `initdbScripts`                               | Dictionary of initdb scripts                                                                                                                                              | `nil`                                                         |
+| `initdbUser`                                  | PostgreSQL user to execute the .sql and sql.gz scripts                                                                                                                    | `nil`                                                         |
+| `initdbPassword`                              | Password for the user specified in `initdbUser`                                                                                                                       | `nil`                                                         |
+| `initdbScriptsConfigMap`                      | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template.                                                                | `nil`                                                         |
+| `initdbScriptsSecret`                         | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil`                                                         |
+| `service.type`                                | Kubernetes Service type                                                                                                                                                   | `ClusterIP`                                                   |
+| `service.port`                                | PostgreSQL port                                                                                                                                                           | `5432`                                                        |
+| `service.nodePort`                            | Kubernetes Service nodePort                                                                                                                                               | `nil`                                                         |
+| `service.annotations`                         | Annotations for PostgreSQL service                                                                                                                                        | `{}` (evaluated as a template)                                |
+| `service.loadBalancerIP`                      | loadBalancerIP if service type is `LoadBalancer`                                                                                                                          | `nil`                                                         |
+| `service.loadBalancerSourceRanges`            | Address that are allowed when svc is LoadBalancer                                                                                                                         | `[]` (evaluated as a template)                                |
+| `schedulerName`                               | Name of the k8s scheduler (other than default)                                                                                                                            | `nil`                                                         |
+| `shmVolume.enabled`                           | Enable emptyDir volume for /dev/shm for master and slave(s) Pod(s)                                                                                                        | `true`                                                        |
+| `shmVolume.chmod.enabled`                     | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`)                                                                                 | `true`                                                        |
+| `persistence.enabled`                         | Enable persistence using PVC                                                                                                                                              | `true`                                                        |
+| `persistence.existingClaim`                   | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template.                                                                                        | `nil`                                                         |
+| `persistence.mountPath`                       | Path to mount the volume at                                                                                                                                               | `/bitnami/postgresql`                                         |
+| `persistence.subPath`                         | Subdirectory of the volume to mount at                                                                                                                                    | `""`                                                          |
+| `persistence.storageClass`                    | PVC Storage Class for PostgreSQL volume                                                                                                                                   | `nil`                                                         |
+| `persistence.accessModes`                     | PVC Access Mode for PostgreSQL volume                                                                                                                                     | `[ReadWriteOnce]`                                             |
+| `persistence.size`                            | PVC Storage Request for PostgreSQL volume                                                                                                                                 | `8Gi`                                                         |
+| `persistence.annotations`                     | Annotations for the PVC                                                                                                                                                   | `{}`                                                          |
+| `commonAnnotations`                         | Annotations to be added to all deployed resources (rendered as a template)                                                                                                                      | `{}`                                                          |
+| `master.nodeSelector`                         | Node labels for pod assignment (postgresql master)                                                                                                                        | `{}`                                                          |
+| `master.affinity`                             | Affinity labels for pod assignment (postgresql master)                                                                                                                    | `{}`                                                          |
+| `master.tolerations`                          | Toleration labels for pod assignment (postgresql master)                                                                                                                  | `[]`                                                          |
+| `master.anotations`                           | Map of annotations to add to the statefulset (postgresql master)                                                                                                          | `{}`                                                          |
+| `master.labels`                               | Map of labels to add to the statefulset (postgresql master)                                                                                                               | `{}`                                                          |
+| `master.podAnnotations`                       | Map of annotations to add to the pods (postgresql master)                                                                                                                 | `{}`                                                          |
+| `master.podLabels`                            | Map of labels to add to the pods (postgresql master)                                                                                                                      | `{}`                                                          |
+| `master.priorityClassName`                    | Priority Class to use for each pod (postgresql master)                                                                                                                    | `nil`                                                          |
+| `master.extraInitContainers`                  | Additional init containers to add to the pods (postgresql master)                                                                                                         | `[]`                                                          |
+| `master.extraVolumeMounts`                    | Additional volume mounts to add to the pods (postgresql master)                                                                                                           | `[]`                                                          |
+| `master.extraVolumes`                         | Additional volumes to add to the pods (postgresql master)                                                                                                                 | `[]`                                                          |
+| `master.sidecars`                             | Add additional containers to the pod                                                                                                                                      | `[]`                                                          |
+| `master.service.type`                         | Allows using a different service type for Master                                                                                                                          | `nil`                                                         |
+| `master.service.nodePort`                     | Allows using a different nodePort for Master                                                                                                                              | `nil`                                                         |
+| `master.service.clusterIP`                    | Allows using a different clusterIP for Master                                                                                                                             | `nil`                                                         |
+| `slave.nodeSelector`                          | Node labels for pod assignment (postgresql slave)                                                                                                                         | `{}`                                                          |
+| `slave.affinity`                              | Affinity labels for pod assignment (postgresql slave)                                                                                                                     | `{}`                                                          |
+| `slave.tolerations`                           | Toleration labels for pod assignment (postgresql slave)                                                                                                                   | `[]`                                                          |
+| `slave.anotations`                            | Map of annotations to add to the statefulsets (postgresql slave)                                                                                                          | `{}`                                                          |
+| `slave.labels`                                | Map of labels to add to the statefulsets (postgresql slave)                                                                                                               | `{}`                                                          |
+| `slave.podAnnotations`                        | Map of annotations to add to the pods (postgresql slave)                                                                                                                  | `{}`                                                          |
+| `slave.podLabels`                             | Map of labels to add to the pods (postgresql slave)                                                                                                                       | `{}`                                                          |
+| `slave.priorityClassName`                     | Priority Class to use for each pod (postgresql slave)                                                                                                                     | `nil`                                                          |
+| `slave.extraInitContainers`                   | Additional init containers to add to the pods (postgresql slave)                                                                                                          | `[]`                                                          |
+| `slave.extraVolumeMounts`                     | Additional volume mounts to add to the pods (postgresql slave)                                                                                                            | `[]`                                                          |
+| `slave.extraVolumes`                          | Additional volumes to add to the pods (postgresql slave)                                                                                                                  | `[]`                                                          |
+| `slave.sidecars`                              | Add additional containers to the pod                                                                                                                                      | `[]`                                                          |
+| `slave.service.type`                          | Allows using a different service type for Slave                                                                                                                           | `nil`                                                         |
+| `slave.service.nodePort`                      | Allows using a different nodePort for Slave                                                                                                                               | `nil`                                                         |
+| `slave.service.clusterIP`                     | Allows using a different clusterIP for Slave                                                                                                                              | `nil`                                                         |
+| `terminationGracePeriodSeconds`               | Seconds the pod needs to terminate gracefully                                                                                                                             | `nil`                                                         |
+| `resources`                                   | CPU/Memory resource requests/limits                                                                                                                                       | Memory: `256Mi`, CPU: `250m`                                  |
+| `securityContext.enabled`                     | Enable security context                                                                                                                                                   | `true`                                                        |
+| `securityContext.fsGroup`                     | Group ID for the container                                                                                                                                                | `1001`                                                        |
+| `securityContext.runAsUser`                   | User ID for the container                                                                                                                                                 | `1001`                                                        |
+| `serviceAccount.enabled`                      | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set)                                                     | `false`                                                       |
+| `serviceAcccount.name`                        | Name of existing service account                                                                                                                                          | `nil`                                                         |
+| `livenessProbe.enabled`                       | Would you like a livenessProbe to be enabled                                                                                                                              | `true`                                                        |
+| `networkPolicy.enabled`                       | Enable NetworkPolicy                                                                                                                                                      | `false`                                                       |
+| `networkPolicy.allowExternal`                 | Don't require client label for connections                                                                                                                                | `true`                                                        |
+| `networkPolicy.explicitNamespacesSelector`    | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed                                                                    | `{}`                                                          |
+| `livenessProbe.initialDelaySeconds`           | Delay before liveness probe is initiated                                                                                                                                  | 30                                                            |
+| `livenessProbe.periodSeconds`                 | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `livenessProbe.timeoutSeconds`                | When the probe times out                                                                                                                                                  | 5                                                             |
+| `livenessProbe.failureThreshold`              | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `livenessProbe.successThreshold`              | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `readinessProbe.enabled`                      | would you like a readinessProbe to be enabled                                                                                                                             | `true`                                                        |
+| `readinessProbe.initialDelaySeconds`          | Delay before readiness probe is initiated                                                                                                                                 | 5                                                             |
+| `readinessProbe.periodSeconds`                | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `readinessProbe.timeoutSeconds`               | When the probe times out                                                                                                                                                  | 5                                                             |
+| `readinessProbe.failureThreshold`             | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `readinessProbe.successThreshold`             | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `metrics.enabled`                             | Start a prometheus exporter                                                                                                                                               | `false`                                                       |
+| `metrics.service.type`                        | Kubernetes Service type                                                                                                                                                   | `ClusterIP`                                                   |
+| `service.clusterIP`                           | Static clusterIP or None for headless services                                                                                                                            | `nil`                                                         |
+| `metrics.service.annotations`                 | Additional annotations for metrics exporter pod                                                                                                                           | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` |
+| `metrics.service.loadBalancerIP`              | loadBalancerIP if redis metrics service type is `LoadBalancer`                                                                                                            | `nil`                                                         |
+| `metrics.serviceMonitor.enabled`              | Set this to `true` to create ServiceMonitor for Prometheus operator                                                                                                       | `false`                                                       |
+| `metrics.serviceMonitor.additionalLabels`     | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus                                                                                     | `{}`                                                          |
+| `metrics.serviceMonitor.namespace`            | Optional namespace in which to create ServiceMonitor                                                                                                                      | `nil`                                                         |
+| `metrics.serviceMonitor.interval`             | Scrape interval. If not set, the Prometheus default scrape interval is used                                                                                               | `nil`                                                         |
+| `metrics.serviceMonitor.scrapeTimeout`        | Scrape timeout. If not set, the Prometheus default scrape timeout is used                                                                                                 | `nil`                                                         |
+| `metrics.prometheusRule.enabled`              | Set this to true to create prometheusRules for Prometheus operator                                                                                                        | `false`                                                       |
+| `metrics.prometheusRule.additionalLabels`     | Additional labels that can be used so prometheusRules will be discovered by Prometheus                                                                                    | `{}`                                                          |
+| `metrics.prometheusRule.namespace`            | namespace where prometheusRules resource should be created                                                                                                                | the same namespace as postgresql                              |
+| `metrics.prometheusRule.rules`                | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example.                                            | `[]`                                                          |
+| `metrics.image.registry`                      | PostgreSQL Exporter Image registry                                                                                                                                        | `docker.io`                                                   |
+| `metrics.image.repository`                    | PostgreSQL Exporter Image name                                                                                                                                            | `bitnami/postgres-exporter`                                   |
+| `metrics.image.tag`                           | PostgreSQL Exporter Image tag                                                                                                                                            | `{TAG_NAME}`                                                  |
+| `metrics.image.pullPolicy`                    | PostgreSQL Exporter Image pull policy                                                                                                                                    | `IfNotPresent`                                                |
+| `metrics.image.pullSecrets`                   | Specify Image pull secrets                                                                                                                                                | `nil` (does not add image pull secrets to deployed pods)      |
+| `metrics.customMetrics`                       | Additional custom metrics                                                                                                                                                 | `nil`                                                         |
+| `metrics.securityContext.enabled`             | Enable security context for metrics                                                                                                                                       | `false`                                                       |
+| `metrics.securityContext.runAsUser`           | User ID for the container for metrics                                                                                                                                     | `1001`                                                        |
+| `metrics.livenessProbe.initialDelaySeconds`   | Delay before liveness probe is initiated                                                                                                                                  | 30                                                            |
+| `metrics.livenessProbe.periodSeconds`         | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `metrics.livenessProbe.timeoutSeconds`        | When the probe times out                                                                                                                                                  | 5                                                             |
+| `metrics.livenessProbe.failureThreshold`      | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `metrics.livenessProbe.successThreshold`      | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `metrics.readinessProbe.enabled`              | would you like a readinessProbe to be enabled                                                                                                                             | `true`                                                        |
+| `metrics.readinessProbe.initialDelaySeconds`  | Delay before liveness probe is initiated                                                                                                                                  | 5                                                             |
+| `metrics.readinessProbe.periodSeconds`        | How often to perform the probe                                                                                                                                            | 10                                                            |
+| `metrics.readinessProbe.timeoutSeconds`       | When the probe times out                                                                                                                                                  | 5                                                             |
+| `metrics.readinessProbe.failureThreshold`     | Minimum consecutive failures for the probe to be considered failed after having succeeded.                                                                                | 6                                                             |
+| `metrics.readinessProbe.successThreshold`     | Minimum consecutive successes for the probe to be considered successful after having failed                                                                               | 1                                                             |
+| `updateStrategy`                              | Update strategy policy                                                                                                                                                    | `{type: "RollingUpdate"}`                                     |
+| `psp.create`                                  | Create Pod Security Policy                                                                                                                                                | `false`                                                       |
+| `rbac.create`                                 | Create Role and RoleBinding (required for PSP to work)                                                                                                                    | `false`                                                       |
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+$ helm install my-release \
+  --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \
+    bitnami/postgresql
+```
+
+The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```console
+$ helm install my-release -f values.yaml bitnami/postgresql
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Configuration and installation details
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Production configuration and horizontal scaling
+
+This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
+
+- Enable replication:
+```diff
+- replication.enabled: false
++ replication.enabled: true
+```
+
+- Number of slaves replicas:
+```diff
+- replication.slaveReplicas: 1
++ replication.slaveReplicas: 2
+```
+
+- Set synchronous commit mode:
+```diff
+- replication.synchronousCommit: "off"
++ replication.synchronousCommit: "on"
+```
+
+- Number of replicas that will have synchronous replication:
+```diff
+- replication.numSynchronousReplicas: 0
++ replication.numSynchronousReplicas: 1
+```
+
+- Start a prometheus exporter:
+```diff
+- metrics.enabled: false
++ metrics.enabled: true
+```
+
+To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above.
+
+### Customizing Master and Slave services in a replicated configuration
+
+At the top level, there is a service object which defines the services for both master and slave. For deeper customization, there are service objects for both the master and slave types individually. This allows you to override the values in the top level service object so that the master and slave can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the master and slave to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the master.service or slave.service objects will take precedence over the top level service object.
+
+### Change PostgreSQL version
+
+To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0`
+
+### postgresql.conf / pg_hba.conf files as configMap
+
+This helm chart also supports to customize the whole configuration file.
+
+Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server.
+
+Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}.
+
+In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options.
+
+### Allow settings to be loaded from files other than the default `postgresql.conf`
+
+If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory.
+Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`.
+
+Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option.
+
+### Initialize a fresh instance
+
+The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap.
+
+Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict.
+
+In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter.
+
+The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
+
+### Sidecars
+
+If you need  additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
+
+```yaml
+# For the PostgreSQL master
+master:
+  sidecars:
+  - name: your-image-name
+    image: your-image
+    imagePullPolicy: Always
+    ports:
+    - name: portname
+     containerPort: 1234
+# For the PostgreSQL replicas
+slave:
+  sidecars:
+  - name: your-image-name
+    image: your-image
+    imagePullPolicy: Always
+    ports:
+    - name: portname
+     containerPort: 1234
+```
+
+### Metrics
+
+The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
+
+The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
+
+### Use of global variables
+
+In more complex scenarios, we may have the following tree of dependencies
+
+```
+                     +--------------+
+                     |              |
+        +------------+   Chart 1    +-----------+
+        |            |              |           |
+        |            --------+------+           |
+        |                    |                  |
+        |                    |                  |
+        |                    |                  |
+        |                    |                  |
+        v                    v                  v
++-------+------+    +--------+------+  +--------+------+
+|              |    |               |  |               |
+|  PostgreSQL  |    |  Sub-chart 1  |  |  Sub-chart 2  |
+|              |    |               |  |               |
++--------------+    +---------------+  +---------------+
+```
+
+The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
+
+```
+postgresql.postgresqlPassword=testtest
+subchart1.postgresql.postgresqlPassword=testtest
+subchart2.postgresql.postgresqlPassword=testtest
+postgresql.postgresqlDatabase=db1
+subchart1.postgresql.postgresqlDatabase=db1
+subchart2.postgresql.postgresqlDatabase=db1
+```
+
+If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
+
+```
+global.postgresql.postgresqlPassword=testtest
+global.postgresql.postgresqlDatabase=db1
+```
+
+This way, the credentials will be available in all of the subcharts.
+
+## Persistence
+
+The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
+
+Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
+See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
+
+If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished.
+
+## NetworkPolicy
+
+To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
+
+For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
+
+```console
+$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
+```
+
+With NetworkPolicy enabled, traffic will be limited to just port 5432.
+
+For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
+This label will be displayed in the output of a successful install.
+
+## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
+
+- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
+- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
+- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,shmVolume.chmod.enabled=false
+
+### Deploy chart using Docker Official PostgreSQL Image
+
+From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image.
+Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory.
+
+```
+image.repository=postgres
+image.tag=10.6
+postgresqlDataDir=/data/pgdata
+persistence.mountPath=/data/
+```
+
+## Upgrade
+
+It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart:
+
+```bash
+$ helm upgrade my-release stable/postgresql \
+    --set postgresqlPassword=[POSTGRESQL_PASSWORD] \
+    --set replication.password=[REPLICATION_PASSWORD]
+```
+
+> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes.
+
+## 8.0.0
+
+Prefixes the port names with their protocols to comply with Istio conventions.
+
+If you depend on the port names in your setup, make sure to update them to reflect this change.
+
+## 7.1.0
+
+Adds support for LDAP configuration.
+
+## 7.0.0
+
+Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
+
+In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage.
+
+This major version bump signifies this change.
+
+## 6.5.7
+
+In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies:
+
+- protobuf
+- protobuf-c
+- json-c
+- geos
+- proj
+
+## 5.0.0
+
+In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/).
+
+For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs:
+
+```console
+Welcome to the Bitnami postgresql container
+Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql
+Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues
+Send us your feedback at containers@bitnami.com
+
+INFO  ==> ** Starting PostgreSQL setup **
+NFO  ==> Validating settings in POSTGRESQL_* env vars..
+INFO  ==> Initializing PostgreSQL database...
+INFO  ==> postgresql.conf file not detected. Generating it...
+INFO  ==> pg_hba.conf file not detected. Generating it...
+INFO  ==> Deploying PostgreSQL with persisted data...
+INFO  ==> Configuring replication parameters
+INFO  ==> Loading custom scripts...
+INFO  ==> Enabling remote connections
+INFO  ==> Stopping PostgreSQL...
+INFO  ==> ** PostgreSQL setup finished! **
+
+INFO  ==> ** Starting PostgreSQL **
+  [1] FATAL:  database files are incompatible with server
+  [1] DETAIL:  The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3.
+```
+
+In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one.
+
+### 4.0.0
+
+This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately.
+
+IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error
+
+```
+The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development
+```
+
+### 3.0.0
+
+This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods.
+It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride.
+
+#### Breaking changes
+
+- `affinty` has been renamed to `master.affinity` and `slave.affinity`.
+- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`.
+- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`.
+
+### 2.0.0
+
+In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps:
+
+ - Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running
+
+```console
+$ kubectl get svc
+```
+
+- Install (not upgrade) the new version
+
+```console
+$ helm repo update
+$ helm install my-release bitnami/postgresql
+```
+
+- Connect to the new pod (you can obtain the name by running `kubectl get pods`):
+
+```console
+$ kubectl exec -it NAME bash
+```
+
+- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart:
+
+```console
+$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql
+```
+
+After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`).
+This operation could take some time depending on the database size.
+
+- Once you have the backup file, you can restore it with a command like the one below:
+
+```console
+$ psql -U postgres DATABASE_NAME < /tmp/backup.sql
+```
+
+In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt).
+
+If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below.
+
+```console
+$ psql -U postgres
+postgres=# drop database DATABASE_NAME;
+postgres=# create database DATABASE_NAME;
+postgres=# create user USER_NAME;
+postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD';
+postgres=# grant all privileges on database DATABASE_NAME to USER_NAME;
+postgres=# alter database DATABASE_NAME owner to USER_NAME;
+```
diff --git a/charts-wip/matrix-synapse/charts/postgresql/ci/commonAnnotations.yaml b/charts-wip/matrix-synapse/charts/postgresql/ci/commonAnnotations.yaml
new file mode 100755
index 0000000..a936299
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/ci/commonAnnotations.yaml
@@ -0,0 +1,4 @@
+commonAnnotations:
+  helm.sh/hook: "pre-install, pre-upgrade"
+  helm.sh/hook-weight: "-1"
+
diff --git a/charts-wip/matrix-synapse/charts/postgresql/ci/default-values.yaml b/charts-wip/matrix-synapse/charts/postgresql/ci/default-values.yaml
new file mode 100755
index 0000000..fc2ba60
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/ci/default-values.yaml
@@ -0,0 +1 @@
+# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
diff --git a/charts-wip/matrix-synapse/charts/postgresql/ci/shmvolume-disabled-values.yaml b/charts-wip/matrix-synapse/charts/postgresql/ci/shmvolume-disabled-values.yaml
new file mode 100755
index 0000000..347d3b4
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/ci/shmvolume-disabled-values.yaml
@@ -0,0 +1,2 @@
+shmVolume:
+  enabled: false
diff --git a/charts-wip/matrix-synapse/charts/postgresql/files/README.md b/charts-wip/matrix-synapse/charts/postgresql/files/README.md
new file mode 100755
index 0000000..1813a2f
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/files/README.md
@@ -0,0 +1 @@
+Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map.
diff --git a/charts-wip/matrix-synapse/charts/postgresql/files/conf.d/README.md b/charts-wip/matrix-synapse/charts/postgresql/files/conf.d/README.md
new file mode 100755
index 0000000..184c187
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/files/conf.d/README.md
@@ -0,0 +1,4 @@
+If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files.
+These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`.
+
+More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file).
diff --git a/charts-wip/matrix-synapse/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/charts-wip/matrix-synapse/charts/postgresql/files/docker-entrypoint-initdb.d/README.md
new file mode 100755
index 0000000..cba3809
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/files/docker-entrypoint-initdb.d/README.md
@@ -0,0 +1,3 @@
+You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image.
+
+More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository.
\ No newline at end of file
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/NOTES.txt b/charts-wip/matrix-synapse/charts/postgresql/templates/NOTES.txt
new file mode 100755
index 0000000..3b5e6c6
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/NOTES.txt
@@ -0,0 +1,60 @@
+** Please be patient while the chart is being deployed **
+
+PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster:
+
+    {{ template "postgresql.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
+{{- if .Values.replication.enabled }}
+    {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection
+{{- end }}
+
+{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+
+To get the password for "postgres" run:
+
+    export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode)
+{{- end }}
+
+To get the password for "{{ template "postgresql.username" . }}" run:
+
+    export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode)
+
+To connect to your database run the following command:
+
+    kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
+   --labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }}
+
+{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
+Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster.
+{{- end }}
+
+To connect to your database from outside the cluster execute the following commands:
+
+{{- if contains "NodePort" .Values.service.type }}
+
+    export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }})
+    {{ if (include "postgresql.password" . )  }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }}
+
+{{- else if contains "LoadBalancer" .Values.service.type }}
+
+  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+        Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}'
+
+    export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+    {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }}
+
+{{- else if contains "ClusterIP" .Values.service.type }}
+
+    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} &
+    {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }}
+
+{{- end }}
+
+{{- include "postgresql.validateValues" . -}}
+
+{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+
+WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/_helpers.tpl b/charts-wip/matrix-synapse/charts/postgresql/templates/_helpers.tpl
new file mode 100755
index 0000000..e13caad
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/_helpers.tpl
@@ -0,0 +1,452 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "postgresql.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgresql.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgresql.master.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}}
+{{- if .Values.replication.enabled -}}
+{{- printf "%s-%s" $fullname "master" | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "postgresql.networkPolicy.apiVersion" -}}
+{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}}
+"extensions/v1beta1"
+{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}}
+"networking.k8s.io/v1"
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "postgresql.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the proper PostgreSQL image name
+*/}}
+{{- define "postgresql.image" -}}
+{{- $registryName := .Values.image.registry -}}
+{{- $repositoryName := .Values.image.repository -}}
+{{- $tag := .Values.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+    {{- if .Values.global.imageRegistry }}
+        {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+    {{- else -}}
+        {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+    {{- end -}}
+{{- else -}}
+    {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL postgres user password
+*/}}
+{{- define "postgresql.postgres.password" -}}
+{{- if .Values.global.postgresql.postgresqlPostgresPassword }}
+    {{- .Values.global.postgresql.postgresqlPostgresPassword -}}
+{{- else if .Values.postgresqlPostgresPassword -}}
+    {{- .Values.postgresqlPostgresPassword -}}
+{{- else -}}
+    {{- randAlphaNum 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL password
+*/}}
+{{- define "postgresql.password" -}}
+{{- if .Values.global.postgresql.postgresqlPassword }}
+    {{- .Values.global.postgresql.postgresqlPassword -}}
+{{- else if .Values.postgresqlPassword -}}
+    {{- .Values.postgresqlPassword -}}
+{{- else -}}
+    {{- randAlphaNum 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL replication password
+*/}}
+{{- define "postgresql.replication.password" -}}
+{{- if .Values.global.postgresql.replicationPassword }}
+    {{- .Values.global.postgresql.replicationPassword -}}
+{{- else if .Values.replication.password -}}
+    {{- .Values.replication.password -}}
+{{- else -}}
+    {{- randAlphaNum 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL username
+*/}}
+{{- define "postgresql.username" -}}
+{{- if .Values.global.postgresql.postgresqlUsername }}
+    {{- .Values.global.postgresql.postgresqlUsername -}}
+{{- else -}}
+    {{- .Values.postgresqlUsername -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Return PostgreSQL replication username
+*/}}
+{{- define "postgresql.replication.username" -}}
+{{- if .Values.global.postgresql.replicationUser }}
+    {{- .Values.global.postgresql.replicationUser -}}
+{{- else -}}
+    {{- .Values.replication.user -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL port
+*/}}
+{{- define "postgresql.port" -}}
+{{- if .Values.global.postgresql.servicePort }}
+    {{- .Values.global.postgresql.servicePort -}}
+{{- else -}}
+    {{- .Values.service.port -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return PostgreSQL created database
+*/}}
+{{- define "postgresql.database" -}}
+{{- if .Values.global.postgresql.postgresqlDatabase }}
+    {{- .Values.global.postgresql.postgresqlDatabase -}}
+{{- else if .Values.postgresqlDatabase -}}
+    {{- .Values.postgresqlDatabase -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper image name to change the volume permissions
+*/}}
+{{- define "postgresql.volumePermissions.image" -}}
+{{- $registryName := .Values.volumePermissions.image.registry -}}
+{{- $repositoryName := .Values.volumePermissions.image.repository -}}
+{{- $tag := .Values.volumePermissions.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+    {{- if .Values.global.imageRegistry }}
+        {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+    {{- else -}}
+        {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+    {{- end -}}
+{{- else -}}
+    {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper PostgreSQL metrics image name
+*/}}
+{{- define "postgresql.metrics.image" -}}
+{{- $registryName :=  default "docker.io" .Values.metrics.image.registry -}}
+{{- $repositoryName := .Values.metrics.image.repository -}}
+{{- $tag := default "latest" .Values.metrics.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+    {{- if .Values.global.imageRegistry }}
+        {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+    {{- else -}}
+        {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+    {{- end -}}
+{{- else -}}
+    {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the password secret.
+*/}}
+{{- define "postgresql.secretName" -}}
+{{- if .Values.global.postgresql.existingSecret }}
+    {{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}}
+{{- else if .Values.existingSecret -}}
+    {{- printf "%s" (tpl .Values.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s" (include "postgresql.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a secret object should be created
+*/}}
+{{- define "postgresql.createSecret" -}}
+{{- if .Values.global.postgresql.existingSecret }}
+{{- else if .Values.existingSecret -}}
+{{- else -}}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the configuration ConfigMap name.
+*/}}
+{{- define "postgresql.configurationCM" -}}
+{{- if .Values.configurationConfigMap -}}
+{{- printf "%s" (tpl .Values.configurationConfigMap $) -}}
+{{- else -}}
+{{- printf "%s-configuration" (include "postgresql.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the extended configuration ConfigMap name.
+*/}}
+{{- define "postgresql.extendedConfigurationCM" -}}
+{{- if .Values.extendedConfConfigMap -}}
+{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}}
+{{- else -}}
+{{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a configmap should be mounted with PostgreSQL configuration
+*/}}
+{{- define "postgresql.mountConfigurationCM" -}}
+{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the initialization scripts ConfigMap name.
+*/}}
+{{- define "postgresql.initdbScriptsCM" -}}
+{{- if .Values.initdbScriptsConfigMap -}}
+{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}}
+{{- else -}}
+{{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the initialization scripts Secret name.
+*/}}
+{{- define "postgresql.initdbScriptsSecret" -}}
+{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}}
+{{- end -}}
+
+{{/*
+Get the metrics ConfigMap name.
+*/}}
+{{- define "postgresql.metricsCM" -}}
+{{- printf "%s-metrics" (include "postgresql.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "postgresql.imagePullSecrets" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+Also, we can not use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.metrics.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.volumePermissions.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.metrics.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- range .Values.volumePermissions.image.pullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the readiness probe command
+*/}}
+{{- define "postgresql.readinessProbeCommand" -}}
+- |
+{{- if (include "postgresql.database" .) }}
+  exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+{{- else }}
+  exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+{{- end }}
+{{- if contains "bitnami/" .Values.image.repository }}
+  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return  the proper Storage Class
+*/}}
+{{- define "postgresql.storageClass" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+*/}}
+{{- if .Values.global -}}
+    {{- if .Values.global.storageClass -}}
+        {{- if (eq "-" .Values.global.storageClass) -}}
+            {{- printf "storageClassName: \"\"" -}}
+        {{- else }}
+            {{- printf "storageClassName: %s" .Values.global.storageClass -}}
+        {{- end -}}
+    {{- else -}}
+        {{- if .Values.persistence.storageClass -}}
+              {{- if (eq "-" .Values.persistence.storageClass) -}}
+                  {{- printf "storageClassName: \"\"" -}}
+              {{- else }}
+                  {{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
+              {{- end -}}
+        {{- end -}}
+    {{- end -}}
+{{- else -}}
+    {{- if .Values.persistence.storageClass -}}
+        {{- if (eq "-" .Values.persistence.storageClass) -}}
+            {{- printf "storageClassName: \"\"" -}}
+        {{- else }}
+            {{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
+        {{- end -}}
+    {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "postgresql.tplValue" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for statefulset.
+*/}}
+{{- define "postgresql.statefulset.apiVersion" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "apps/v1beta2" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "postgresql.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}}
+{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
+*/}}
+{{- define "postgresql.validateValues.ldapConfigurationMethod" -}}
+{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }}
+postgresql: ldap.url, ldap.server
+    You cannot set both `ldap.url` and `ldap.server` at the same time.
+    Please provide a unique way to configure LDAP.
+    More info at https://www.postgresql.org/docs/current/auth-ldap.html
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
+*/}}
+{{- define "postgresql.validateValues.psp" -}}
+{{- if and .Values.psp.create (not .Values.rbac.create) }}
+postgresql: psp.create, rbac.create
+    RBAC should be enabled if PSP is enabled in order for PSP to work.
+    More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for podsecuritypolicy.
+*/}}
+{{- define "podsecuritypolicy.apiVersion" -}}
+{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "policy/v1beta1" -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/configmap.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/configmap.yaml
new file mode 100755
index 0000000..18ca98e
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/configmap.yaml
@@ -0,0 +1,29 @@
+{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "postgresql.fullname" . }}-configuration
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+{{- if (.Files.Glob "files/postgresql.conf") }}
+{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }}
+{{- else if .Values.postgresqlConfiguration }}
+  postgresql.conf: |
+{{- range $key, $value := default dict .Values.postgresqlConfiguration }}
+    {{ $key | snakecase }}={{ $value }}
+{{- end }}
+{{- end }}
+{{- if (.Files.Glob "files/pg_hba.conf") }}
+{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }}
+{{- else if .Values.pgHbaConfiguration }}
+  pg_hba.conf: |
+{{ .Values.pgHbaConfiguration | indent 4 }}
+{{- end }}
+{{ end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/extended-config-configmap.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/extended-config-configmap.yaml
new file mode 100755
index 0000000..04fc917
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/extended-config-configmap.yaml
@@ -0,0 +1,24 @@
+{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "postgresql.fullname" . }}-extended-configuration
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+{{- with .Files.Glob "files/conf.d/*.conf" }}
+{{ .AsConfig | indent 2 }}
+{{- end }}
+{{ with .Values.postgresqlExtendedConf }}
+  override.conf: |
+{{- range $key, $value := . }}
+    {{ $key | snakecase }}={{ $value }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/initialization-configmap.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/initialization-configmap.yaml
new file mode 100755
index 0000000..3c489bd
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/initialization-configmap.yaml
@@ -0,0 +1,27 @@
+{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "postgresql.fullname" . }}-init-scripts
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }}
+binaryData:
+{{- range $path, $bytes := . }}
+  {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
+{{- end }}
+{{- end }}
+data:
+{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }}
+{{ .AsConfig | indent 2 }}
+{{- end }}
+{{- with .Values.initdbScripts }}
+{{ toYaml . | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/metrics-configmap.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/metrics-configmap.yaml
new file mode 100755
index 0000000..c812292
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/metrics-configmap.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "postgresql.metricsCM" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/metrics-svc.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/metrics-svc.yaml
new file mode 100755
index 0000000..69f1a8d
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/metrics-svc.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "postgresql.fullname" . }}-metrics
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  annotations:
+  {{- if .Values.commonAnnotations }}
+    {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+    {{- toYaml .Values.metrics.service.annotations | nindent 4 }}
+spec:
+  type: {{ .Values.metrics.service.type }}
+  {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - name: http-metrics
+      port: 9187
+      targetPort: http-metrics
+  selector:
+    app: {{ template "postgresql.name" . }}
+    release: {{ .Release.Name }}
+    role: master
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/networkpolicy.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/networkpolicy.yaml
new file mode 100755
index 0000000..340cb58
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/networkpolicy.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "postgresql.name" . }}
+      release: {{ .Release.Name | quote }}
+  ingress:
+    # Allow inbound connections
+    - ports:
+        - port: {{ template "postgresql.port" . }}
+      {{- if not .Values.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels:
+              {{ template "postgresql.fullname" . }}-client: "true"
+          {{- if .Values.networkPolicy.explicitNamespacesSelector }}
+          namespaceSelector:
+{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}
+          {{- end }}
+        - podSelector:
+            matchLabels:
+              app: {{ template "postgresql.name" . }}
+              release: {{ .Release.Name | quote }}
+              role: slave
+      {{- end }}
+    # Allow prometheus scrapes
+    - ports:
+        - port: 9187
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/podsecuritypolicy.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/podsecuritypolicy.yaml
new file mode 100755
index 0000000..6b15374
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/podsecuritypolicy.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.psp.create }}
+apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  privileged: false
+  volumes:
+    - 'configMap'
+    - 'secret'
+    - 'persistentVolumeClaim'
+    - 'emptyDir'
+    - 'projected'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/prometheusrule.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/prometheusrule.yaml
new file mode 100755
index 0000000..917b3ea
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/prometheusrule.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+{{- with .Values.metrics.prometheusRule.namespace }}
+  namespace: {{ . }}
+{{- end }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- with .Values.metrics.prometheusRule.additionalLabels }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+{{- with .Values.metrics.prometheusRule.rules }}
+  groups:
+    - name: {{ template "postgresql.name" $ }}
+      rules: {{ tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/role.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/role.yaml
new file mode 100755
index 0000000..c99842a
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/role.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  {{- if .Values.psp.create }}
+  - apiGroups: ["extensions"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames:
+      - {{ template "postgresql.fullname" . }}
+  {{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/rolebinding.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/rolebinding.yaml
new file mode 100755
index 0000000..b61bee2
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/rolebinding.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+roleRef:
+  kind: Role
+  name: {{ template "postgresql.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/secrets.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/secrets.yaml
new file mode 100755
index 0000000..12a2b7c
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/secrets.yaml
@@ -0,0 +1,26 @@
+{{- if (include "postgresql.createSecret" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+  postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }}
+  {{- end }}
+  postgresql-password: {{ include "postgresql.password" . | b64enc | quote }}
+  {{- if .Values.replication.enabled }}
+  postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }}
+  {{- end }}
+  {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}}
+  postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }}
+  {{- end }}
+{{- end -}}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/serviceaccount.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/serviceaccount.yaml
new file mode 100755
index 0000000..7583136
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  name: {{ template "postgresql.fullname" . }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/servicemonitor.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/servicemonitor.yaml
new file mode 100755
index 0000000..ec7df64
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/servicemonitor.yaml
@@ -0,0 +1,37 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "postgresql.fullname" . }}
+  {{- if .Values.metrics.serviceMonitor.namespace }}
+  namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+    {{- if .Values.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+
+spec:
+  endpoints:
+    - port: http-metrics
+      {{- if .Values.metrics.serviceMonitor.interval }}
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: {{ template "postgresql.name" . }}
+      release: {{ .Release.Name }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/statefulset-slaves.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/statefulset-slaves.yaml
new file mode 100755
index 0000000..179841f
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/statefulset-slaves.yaml
@@ -0,0 +1,302 @@
+{{- if .Values.replication.enabled }}
+apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+  name: "{{ template "postgresql.fullname" . }}-slave"
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+{{- with .Values.slave.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+  annotations:
+  {{- if .Values.commonAnnotations }}
+  {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- with .Values.slave.annotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  serviceName: {{ template "postgresql.fullname" . }}-headless
+  replicas: {{ .Values.replication.slaveReplicas }}
+  selector:
+    matchLabels:
+      app: {{ template "postgresql.name" . }}
+      release: {{ .Release.Name | quote }}
+      role: slave
+  template:
+    metadata:
+      name: {{ template "postgresql.fullname" . }}
+      labels:
+        app: {{ template "postgresql.name" . }}
+        chart: {{ template "postgresql.chart" . }}
+        release: {{ .Release.Name | quote }}
+        heritage: {{ .Release.Service | quote }}
+        role: slave
+{{- with .Values.slave.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.slave.podAnnotations }}
+      annotations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+    spec:
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
+      {{- end }}
+{{- include "postgresql.imagePullSecrets" . | indent 6 }}
+      {{- if .Values.slave.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.slave.nodeSelector | indent 8 }}
+      {{- end }}
+      {{- if .Values.slave.affinity }}
+      affinity:
+{{ toYaml .Values.slave.affinity | indent 8 }}
+      {{- end }}
+      {{- if .Values.slave.tolerations }}
+      tolerations:
+{{ toYaml .Values.slave.tolerations | indent 8 }}
+      {{- end }}
+      {{- if .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      {{- end }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}}
+      {{- end }}
+      {{- if or .Values.slave.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
+      initContainers:
+      {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }}
+        - name: init-chmod-data
+          image: {{ template "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -cx
+            - |
+              {{- if .Values.persistence.enabled }}
+              mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
+              chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
+              find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
+              {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+                xargs chown -R `id -u`:`id -G | cut -d " " -f2`
+              {{- else }}
+                xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
+              {{- end }}
+              {{- end }}
+              {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
+              chmod -R 777 /dev/shm
+              {{- end }}
+          {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+          securityContext:
+          {{- else }}
+          securityContext:
+            runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+          {{- end }}
+          volumeMounts:
+            {{ if .Values.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+      {{- end }}
+      {{- if .Values.slave.extraInitContainers }}
+{{ tpl .Values.slave.extraInitContainers . | indent 8 }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.slave.priorityClassName }}
+      priorityClassName: {{ .Values.slave.priorityClassName }}
+      {{- end }}
+      containers:
+        - name: {{ template "postgresql.fullname" . }}
+          image: {{ template "postgresql.image" . }}
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.securityContext.runAsUser }}
+          {{- end }}
+          env:
+            - name: BITNAMI_DEBUG
+              value: {{ ternary "true" "false" .Values.image.debug | quote }}
+            - name: POSTGRESQL_VOLUME_DIR
+              value: "{{ .Values.persistence.mountPath }}"
+            - name: POSTGRESQL_PORT_NUMBER
+              value: "{{ template "postgresql.port" . }}"
+            {{- if .Values.persistence.mountPath }}
+            - name: PGDATA
+              value: {{ .Values.postgresqlDataDir | quote }}
+            {{- end }}
+            - name: POSTGRES_REPLICATION_MODE
+              value: "slave"
+            - name: POSTGRES_REPLICATION_USER
+              value: {{ include "postgresql.replication.username" . | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_REPLICATION_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
+            {{- else }}
+            - name: POSTGRES_REPLICATION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-replication-password
+            {{- end }}
+            - name: POSTGRES_CLUSTER_APP_NAME
+              value: {{ .Values.replication.applicationName }}
+            - name: POSTGRES_MASTER_HOST
+              value: {{ template "postgresql.fullname" . }}
+            - name: POSTGRES_MASTER_PORT_NUMBER
+              value: {{ include "postgresql.port" . | quote }}
+            {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
+            {{- else }}
+            - name: POSTGRES_POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-postgres-password
+            {{- end }}
+            {{- end }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+            {{- else }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-password
+            {{- end }}
+          ports:
+            - name: tcp-postgresql
+              containerPort: {{ template "postgresql.port" . }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- else }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- end }}
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - -e
+                {{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
+            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.usePasswordFile }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{ end }}
+            {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+            - name: postgresql-extended-config
+              mountPath: /bitnami/postgresql/conf/conf.d/
+            {{- end }}
+            {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
+            - name: postgresql-config
+              mountPath: /bitnami/postgresql/conf
+            {{- end }}
+            {{- if .Values.slave.extraVolumeMounts }}
+            {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+{{- if .Values.slave.sidecars }}
+{{- include "postgresql.tplValue" ( dict "value" .Values.slave.sidecars "context" $ ) | nindent 8 }}
+{{- end }}
+      volumes:
+        {{- if .Values.usePasswordFile }}
+        - name: postgresql-password
+          secret:
+            secretName: {{ template "postgresql.secretName" . }}
+        {{- end }}
+        {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
+        - name: postgresql-config
+          configMap:
+            name: {{ template "postgresql.configurationCM" . }}
+        {{- end }}
+        {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+        - name: postgresql-extended-config
+          configMap:
+            name: {{ template "postgresql.extendedConfigurationCM" . }}
+        {{- end }}
+        {{- if .Values.shmVolume.enabled }}
+        - name: dshm
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Gi
+        {{- end }}
+        {{- if not .Values.persistence.enabled }}
+        - name: data
+          emptyDir: {}
+        {{- end }}
+        {{- if .Values.slave.extraVolumes }}
+        {{- toYaml .Values.slave.extraVolumes | nindent 8 }}
+        {{- end }}
+  updateStrategy:
+    type: {{ .Values.updateStrategy.type }}
+    {{- if (eq "Recreate" .Values.updateStrategy.type) }}
+    rollingUpdate: null
+    {{- end }}
+{{- if .Values.persistence.enabled }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      spec:
+        accessModes:
+        {{- range .Values.persistence.accessModes }}
+          - {{ . | quote }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size | quote }}
+        {{ include "postgresql.storageClass" . }}
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/statefulset.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/statefulset.yaml
new file mode 100755
index 0000000..9eb1cad
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/statefulset.yaml
@@ -0,0 +1,457 @@
+apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
+kind: StatefulSet
+metadata:
+  name: {{ template "postgresql.master.fullname" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- with .Values.master.labels }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  annotations:
+  {{- if .Values.commonAnnotations }}
+  {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- with .Values.slave.annotations }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  serviceName: {{ template "postgresql.fullname" . }}-headless
+  replicas: 1
+  updateStrategy:
+    type: {{ .Values.updateStrategy.type }}
+    {{- if (eq "Recreate" .Values.updateStrategy.type) }}
+    rollingUpdate: null
+    {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "postgresql.name" . }}
+      release: {{ .Release.Name | quote }}
+      role: master
+  template:
+    metadata:
+      name: {{ template "postgresql.fullname" . }}
+      labels:
+        app: {{ template "postgresql.name" . }}
+        chart: {{ template "postgresql.chart" . }}
+        release: {{ .Release.Name | quote }}
+        heritage: {{ .Release.Service | quote }}
+        role: master
+      {{- with .Values.master.podLabels }}
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.master.podAnnotations }}
+      annotations: {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName }}"
+      {{- end }}
+{{- include "postgresql.imagePullSecrets" . | indent 6 }}
+      {{- if .Values.master.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.master.affinity }}
+      affinity: {{- toYaml .Values.master.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.master.tolerations }}
+      tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      {{- end }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
+      {{- end }}
+      {{- if or .Values.master.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
+      initContainers:
+      {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }}
+        - name: init-chmod-data
+          image: {{ template "postgresql.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          command:
+            - /bin/sh
+            - -cx
+            - |
+              {{- if .Values.persistence.enabled }}
+              mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
+              chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
+              find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
+              {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+                xargs chown -R `id -u`:`id -G | cut -d " " -f2`
+              {{- else }}
+                xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
+              {{- end }}
+              {{- end }}
+              {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
+              chmod -R 777 /dev/shm
+              {{- end }}
+          {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+          securityContext:
+          {{- else }}
+          securityContext:
+            runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+      {{- end }}
+      {{- if .Values.master.extraInitContainers }}
+      {{- tpl .Values.master.extraInitContainers . | nindent 8 }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.master.priorityClassName }}
+      priorityClassName: {{ .Values.master.priorityClassName }}
+      {{- end }}
+      containers:
+        - name: {{ template "postgresql.fullname" . }}
+          image: {{ template "postgresql.image" . }}
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          {{- if .Values.resources }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.securityContext.runAsUser }}
+          {{- end }}
+          env:
+            - name: BITNAMI_DEBUG
+              value: {{ ternary "true" "false" .Values.image.debug | quote }}
+            - name: POSTGRESQL_PORT_NUMBER
+              value: "{{ template "postgresql.port" . }}"
+            - name: POSTGRESQL_VOLUME_DIR
+              value: "{{ .Values.persistence.mountPath }}"
+            {{- if .Values.postgresqlInitdbArgs }}
+            - name: POSTGRES_INITDB_ARGS
+              value: {{ .Values.postgresqlInitdbArgs | quote }}
+            {{- end }}
+            {{- if .Values.postgresqlInitdbWalDir }}
+            - name: POSTGRES_INITDB_WALDIR
+              value: {{ .Values.postgresqlInitdbWalDir | quote }}
+            {{- end }}
+            {{- if .Values.initdbUser }}
+            - name: POSTGRESQL_INITSCRIPTS_USERNAME
+              value: {{ .Values.initdbUser }}
+            {{- end }}
+            {{- if .Values.initdbPassword }}
+            - name: POSTGRESQL_INITSCRIPTS_PASSWORD
+              value: {{ .Values.initdbPassword }}
+            {{- end }}
+            {{- if .Values.persistence.mountPath }}
+            - name: PGDATA
+              value: {{ .Values.postgresqlDataDir | quote }}
+            {{- end }}
+            {{- if .Values.replication.enabled }}
+            - name: POSTGRES_REPLICATION_MODE
+              value: "master"
+            - name: POSTGRES_REPLICATION_USER
+              value: {{ include "postgresql.replication.username" . | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_REPLICATION_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
+            {{- else }}
+            - name: POSTGRES_REPLICATION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-replication-password
+            {{- end }}
+            {{- if not (eq .Values.replication.synchronousCommit "off")}}
+            - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
+              value: {{ .Values.replication.synchronousCommit | quote }}
+            - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
+              value: {{ .Values.replication.numSynchronousReplicas | quote }}
+            {{- end }}
+            - name: POSTGRES_CLUSTER_APP_NAME
+              value: {{ .Values.replication.applicationName }}
+            {{- end }}
+            {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
+            {{- else }}
+            - name: POSTGRES_POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-postgres-password
+            {{- end }}
+            {{- end }}
+            - name: POSTGRES_USER
+              value: {{ include "postgresql.username" . | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: POSTGRES_PASSWORD_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+            {{- else }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-password
+            {{- end }}
+            {{- if (include "postgresql.database" .) }}
+            - name: POSTGRES_DB
+              value: {{ (include "postgresql.database" .) | quote }}
+            {{- end }}
+            {{- if .Values.extraEnv }}
+            {{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }}
+            {{- end }}
+            - name: POSTGRESQL_ENABLE_LDAP
+              value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
+            {{- if .Values.ldap.enabled }}
+            - name: POSTGRESQL_LDAP_SERVER
+              value: {{ .Values.ldap.server }}
+            - name: POSTGRESQL_LDAP_PORT
+              value: {{ .Values.ldap.port | quote }}
+            - name: POSTGRESQL_LDAP_SCHEME
+              value: {{ .Values.ldap.scheme }}
+            {{- if .Values.ldap.tls }}
+            - name: POSTGRESQL_LDAP_TLS
+              value: "1"
+            {{- end}}
+            - name: POSTGRESQL_LDAP_PREFIX
+              value: {{ .Values.ldap.prefix | quote }}
+            - name: POSTGRESQL_LDAP_SUFFIX
+              value: {{ .Values.ldap.suffix | quote}}
+            - name: POSTGRESQL_LDAP_BASE_DN
+              value: {{ .Values.ldap.baseDN }}
+            - name: POSTGRESQL_LDAP_BIND_DN
+              value: {{ .Values.ldap.bindDN }}
+            {{- if (not (empty .Values.ldap.bind_password)) }}
+            - name: POSTGRESQL_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-ldap-password
+            {{- end}}
+            - name: POSTGRESQL_LDAP_SEARCH_ATTR
+              value: {{ .Values.ldap.search_attr }}
+            - name: POSTGRESQL_LDAP_SEARCH_FILTER
+              value: {{ .Values.ldap.search_filter }}
+            - name: POSTGRESQL_LDAP_URL
+              value: {{ .Values.ldap.url }}
+            {{- end}}
+          {{- if .Values.extraEnvVarsCM }}
+          envFrom:
+            - configMapRef:
+                name: {{ tpl .Values.extraEnvVarsCM . }}
+          {{- end }}
+          ports:
+            - name: tcp-postgresql
+              containerPort: {{ template "postgresql.port" . }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                {{- if (include "postgresql.database" .) }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- else }}
+                - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
+                {{- end }}
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - -e
+                {{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
+            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          {{- end }}
+          volumeMounts:
+            {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+            - name: custom-init-scripts
+              mountPath: /docker-entrypoint-initdb.d/
+            {{- end }}
+            {{- if .Values.initdbScriptsSecret }}
+            - name: custom-init-scripts-secret
+              mountPath: /docker-entrypoint-initdb.d/secret
+            {{- end }}
+            {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+            - name: postgresql-extended-config
+              mountPath: /bitnami/postgresql/conf/conf.d/
+            {{- end }}
+            {{- if .Values.usePasswordFile }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.shmVolume.enabled }}
+            - name: dshm
+              mountPath: /dev/shm
+            {{- end }}
+            {{- if .Values.persistence.enabled }}
+            - name: data
+              mountPath: {{ .Values.persistence.mountPath }}
+              subPath: {{ .Values.persistence.subPath }}
+            {{- end }}
+            {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
+            - name: postgresql-config
+              mountPath: /bitnami/postgresql/conf
+            {{- end }}
+            {{- if .Values.master.extraVolumeMounts }}
+            {{- toYaml .Values.master.extraVolumeMounts | nindent 12 }}
+            {{- end }}
+{{- if .Values.master.sidecars }}
+{{- include "postgresql.tplValue" ( dict "value" .Values.master.sidecars "context" $ ) | nindent 8 }}
+{{- end }}
+{{- if .Values.metrics.enabled }}
+        - name: metrics
+          image: {{ template "postgresql.metrics.image" . }}
+          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+         {{- if .Values.metrics.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.metrics.securityContext.runAsUser }}
+        {{- end }}
+          env:
+            {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }}
+            - name: DATA_SOURCE_URI
+              value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }}
+            {{- if .Values.usePasswordFile }}
+            - name: DATA_SOURCE_PASS_FILE
+              value: "/opt/bitnami/postgresql/secrets/postgresql-password"
+            {{- else }}
+            - name: DATA_SOURCE_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secretName" . }}
+                  key: postgresql-password
+            {{- end }}
+            - name: DATA_SOURCE_USER
+              value: {{ template "postgresql.username" . }}
+          {{- if .Values.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http-metrics
+            initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http-metrics
+            initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.usePasswordFile }}
+            - name: postgresql-password
+              mountPath: /opt/bitnami/postgresql/secrets/
+            {{- end }}
+            {{- if .Values.metrics.customMetrics }}
+            - name: custom-metrics
+              mountPath: /conf
+              readOnly: true
+          args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
+            {{- end }}
+          ports:
+            - name: http-metrics
+              containerPort: 9187
+          {{- if .Values.metrics.resources }}
+          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+          {{- end }}
+{{- end }}
+      volumes:
+        {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
+        - name: postgresql-config
+          configMap:
+            name: {{ template "postgresql.configurationCM" . }}
+        {{- end }}
+        {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
+        - name: postgresql-extended-config
+          configMap:
+            name: {{ template "postgresql.extendedConfigurationCM" . }}
+        {{- end }}
+        {{- if .Values.usePasswordFile }}
+        - name: postgresql-password
+          secret:
+            secretName: {{ template "postgresql.secretName" . }}
+        {{- end }}
+        {{- if  or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
+        - name: custom-init-scripts
+          configMap:
+            name: {{ template "postgresql.initdbScriptsCM" . }}
+        {{- end }}
+        {{- if .Values.initdbScriptsSecret }}
+        - name: custom-init-scripts-secret
+          secret:
+            secretName: {{ template "postgresql.initdbScriptsSecret" . }}
+        {{- end }}
+        {{- if .Values.master.extraVolumes }}
+        {{- toYaml .Values.master.extraVolumes | nindent 8 }}
+        {{- end }}
+        {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
+        - name: custom-metrics
+          configMap:
+            name: {{ template "postgresql.metricsCM" . }}
+        {{- end }}
+        {{- if .Values.shmVolume.enabled }}
+        - name: dshm
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Gi
+        {{- end }}
+{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
+        - name: data
+          persistentVolumeClaim:
+{{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+{{- end }}
+{{- else if not .Values.persistence.enabled }}
+        - name: data
+          emptyDir: {}
+{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      {{- with .Values.persistence.annotations }}
+        annotations:
+        {{- range $key, $value := . }}
+          {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- end }}
+      spec:
+        accessModes:
+        {{- range .Values.persistence.accessModes }}
+          - {{ . | quote }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size | quote }}
+        {{ include "postgresql.storageClass" . }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/svc-headless.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/svc-headless.yaml
new file mode 100755
index 0000000..6f31bc8
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/svc-headless.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "postgresql.fullname" . }}-headless
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  type: ClusterIP
+  clusterIP: None
+  ports:
+    - name: tcp-postgresql
+      port: {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+  selector:
+    app: {{ template "postgresql.name" . }}
+    release: {{ .Release.Name | quote }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/svc-read.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/svc-read.yaml
new file mode 100755
index 0000000..754445a
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/svc-read.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.replication.enabled }}
+{{- $serviceAnnotations := coalesce .Values.slave.service.annotations .Values.service.annotations -}}
+{{- $serviceType := coalesce .Values.slave.service.type .Values.service.type -}}
+{{- $serviceLoadBalancerIP := coalesce .Values.slave.service.loadBalancerIP .Values.service.loadBalancerIP -}}
+{{- $serviceLoadBalancerSourceRanges := coalesce .Values.slave.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}}
+{{- $serviceClusterIP := coalesce .Values.slave.service.clusterIP .Values.service.clusterIP -}}
+{{- $serviceNodePort := coalesce .Values.slave.service.nodePort .Values.service.nodePort -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "postgresql.fullname" . }}-read
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  annotations:
+  {{- if .Values.commonAnnotations }}
+  {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if $serviceAnnotations }}
+  {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ $serviceType }}
+  {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }}
+  loadBalancerIP: {{ $serviceLoadBalancerIP }}
+  {{- end }}
+  {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{- include "postgresql.tplValue" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }}
+  clusterIP: {{ $serviceClusterIP }}
+  {{- end }}
+  ports:
+    - name: tcp-postgresql
+      port:  {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+      {{- if $serviceNodePort }}
+      nodePort: {{ $serviceNodePort }}
+      {{- end }}
+  selector:
+    app: {{ template "postgresql.name" . }}
+    release: {{ .Release.Name | quote }}
+    role: slave
+{{- end }}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/templates/svc.yaml b/charts-wip/matrix-synapse/charts/postgresql/templates/svc.yaml
new file mode 100755
index 0000000..d24b2a6
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/templates/svc.yaml
@@ -0,0 +1,44 @@
+{{- $serviceAnnotations := coalesce .Values.master.service.annotations .Values.service.annotations -}}
+{{- $serviceType := coalesce .Values.master.service.type .Values.service.type -}}
+{{- $serviceLoadBalancerIP := coalesce .Values.master.service.loadBalancerIP .Values.service.loadBalancerIP -}}
+{{- $serviceLoadBalancerSourceRanges := coalesce .Values.master.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}}
+{{- $serviceClusterIP := coalesce .Values.master.service.clusterIP .Values.service.clusterIP -}}
+{{- $serviceNodePort := coalesce .Values.master.service.nodePort .Values.service.nodePort -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "postgresql.fullname" . }}
+  labels:
+    app: {{ template "postgresql.name" . }}
+    chart: {{ template "postgresql.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  annotations:
+  {{- if .Values.commonAnnotations }}
+  {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  {{- if $serviceAnnotations }}
+  {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ $serviceType }}
+  {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }}
+  loadBalancerIP: {{ $serviceLoadBalancerIP }}
+  {{- end }}
+  {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{- include "postgresql.tplValue" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }}
+  clusterIP: {{ $serviceClusterIP }}
+  {{- end }}
+  ports:
+    - name: tcp-postgresql
+      port: {{ template "postgresql.port" . }}
+      targetPort: tcp-postgresql
+      {{- if $serviceNodePort }}
+      nodePort: {{ $serviceNodePort }}
+      {{- end }}
+  selector:
+    app: {{ template "postgresql.name" . }}
+    release: {{ .Release.Name | quote }}
+    role: master
diff --git a/charts-wip/matrix-synapse/charts/postgresql/values-production.yaml b/charts-wip/matrix-synapse/charts/postgresql/values-production.yaml
new file mode 100755
index 0000000..dae1c94
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/values-production.yaml
@@ -0,0 +1,556 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+global:
+  postgresql: {}
+#   imageRegistry: myRegistryName
+#   imagePullSecrets:
+#     - myRegistryKeySecretName
+#   storageClass: myStorageClass
+
+## Bitnami PostgreSQL image version
+## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
+##
+image:
+  registry: docker.io
+  repository: bitnami/postgresql
+  tag: 11.8.0-debian-10-r4
+  ## Specify a imagePullPolicy
+  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+  ##
+  pullPolicy: IfNotPresent
+  ## Optionally specify an array of imagePullSecrets.
+  ## Secrets must be manually created in the namespace.
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ##
+  # pullSecrets:
+  #   - myRegistryKeySecretName
+
+  ## Set to true if you would like to see extra information on logs
+  ## It turns BASH and NAMI debugging in minideb
+  ## ref:  https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
+  debug: false
+
+## String to partially override postgresql.fullname template (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override postgresql.fullname template
+##
+# fullnameOverride:
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+  enabled: false
+  image:
+    registry: docker.io
+    repository: bitnami/minideb
+    tag: buster
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: Always
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ##
+    # pullSecrets:
+    #   - myRegistryKeySecretName
+  ## Init container Security Context
+  ## Note: the chown of the data folder is done to securityContext.runAsUser
+  ## and not the below volumePermissions.securityContext.runAsUser
+  ## When runAsUser is set to special value "auto", init container will try to chwon the
+  ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
+  ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed).
+  ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with
+  ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false
+  ##
+  securityContext:
+    runAsUser: 0
+
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
+## Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+  enabled: true
+  fsGroup: 1001
+  runAsUser: 1001
+
+## Pod Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+serviceAccount:
+  enabled: false
+  ## Name of an already existing service account. Setting this value disables the automatic service account creation.
+  # name:
+
+## Pod Security Policy
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+psp:
+  create: false
+
+## Creates role for ServiceAccount
+## Required for PSP
+rbac:
+  create: false
+
+replication:
+  enabled: true
+  user: repl_user
+  password: repl_password
+  slaveReplicas: 2
+  ## Set synchronous commit mode: on, off, remote_apply, remote_write and local
+  ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL
+  synchronousCommit: "on"
+  ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication
+  ## NOTE: It cannot be > slaveReplicas
+  numSynchronousReplicas: 1
+  ## Replication Cluster application name. Useful for defining multiple replication policies
+  applicationName: my_application
+
+## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!)
+# postgresqlPostgresPassword:
+
+## PostgreSQL user (has superuser privileges if username is `postgres`)
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
+postgresqlUsername: postgres
+
+## PostgreSQL password
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
+##
+# postgresqlPassword:
+
+## PostgreSQL password using existing secret
+## existingSecret: secret
+
+## Mount PostgreSQL secret as a file instead of passing environment variable
+# usePasswordFile: false
+
+## Create a database
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
+##
+# postgresqlDatabase:
+
+## PostgreSQL data dir
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+postgresqlDataDir: /bitnami/postgresql/data
+
+## An array to add extra environment variables
+## For example:
+## extraEnv:
+##   - name: FOO
+##     value: "bar"
+##
+# extraEnv:
+extraEnv: []
+
+## Name of a ConfigMap containing extra env vars
+##
+# extraEnvVarsCM:
+
+## Specify extra initdb args
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbArgs:
+
+## Specify a custom location for the PostgreSQL transaction log
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbWalDir:
+
+## PostgreSQL configuration
+## Specify runtime configuration parameters as a dict, using camelCase, e.g.
+## {"sharedBuffers": "500MB"}
+## Alternatively, you can put your postgresql.conf under the files/ directory
+## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
+##
+# postgresqlConfiguration:
+
+## PostgreSQL extended configuration
+## As above, but _appended_ to the main configuration
+## Alternatively, you can put your *.conf under the files/conf.d/ directory
+## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+##
+# postgresqlExtendedConf:
+
+## PostgreSQL client authentication configuration
+## Specify content for pg_hba.conf
+## Default: do not create pg_hba.conf
+## Alternatively, you can put your pg_hba.conf under the files/ directory
+# pgHbaConfiguration: |-
+#   local all all trust
+#   host all all localhost trust
+#   host mydatabase mysuser 192.168.0.0/24 md5
+
+## ConfigMap with PostgreSQL configuration
+## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration
+# configurationConfigMap:
+
+## ConfigMap with PostgreSQL extended configuration
+# extendedConfConfigMap:
+
+## initdb scripts
+## Specify dictionary of scripts to be run at first boot
+## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
+##
+# initdbScripts:
+#   my_init_script.sh: |
+#      #!/bin/sh
+#      echo "Do something."
+
+## Specify the PostgreSQL username and password to execute the initdb scripts
+# initdbUser:
+# initdbPassword:
+
+## ConfigMap with scripts to be run at first boot
+## NOTE: This will override initdbScripts
+# initdbScriptsConfigMap:
+
+## Secret with scripts to be run at first boot (in case it contains sensitive information)
+## NOTE: This can work along initdbScripts or initdbScriptsConfigMap
+# initdbScriptsSecret:
+
+## Optional duration in seconds the pod needs to terminate gracefully.
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+# terminationGracePeriodSeconds: 30
+
+## LDAP configuration
+##
+ldap:
+  enabled: false
+  url: ""
+  server: ""
+  port: ""
+  prefix: ""
+  suffix: ""
+  baseDN: ""
+  bindDN: ""
+  bind_password:
+  search_attr: ""
+  search_filter: ""
+  scheme: ""
+  tls: false
+
+## PostgreSQL service configuration
+service:
+  ## PosgresSQL service type
+  type: ClusterIP
+  # clusterIP: None
+  port: 5432
+
+  ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+  ##
+  # nodePort:
+
+  ## Provide any additional annotations which may be required. Evaluated as a template.
+  ##
+  annotations: {}
+  ## Set the LoadBalancer service type to internal only.
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+  ##
+  # loadBalancerIP:
+
+  ## Load Balancer sources. Evaluated as a template.
+  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+  ##
+  # loadBalancerSourceRanges:
+  # - 10.10.10.0/24
+
+## Start master and slave(s) pod(s) without limitations on shm memory.
+## By default docker and containerd (and possibly other container runtimes)
+## limit `/dev/shm` to `64M` (see e.g. the
+## [docker issue](https://github.com/docker-library/postgres/issues/416) and the
+## [containerd issue](https://github.com/containerd/containerd/issues/3654),
+## which could be not enough if PostgreSQL uses parallel workers heavily.
+##
+shmVolume:
+  ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove
+  ## this limitation.
+  ##
+  enabled: true
+  ## Set to `true` to `chmod 777 /dev/shm` on a initContainer.
+  ## This option is ingored if `volumePermissions.enabled` is `false`
+  ##
+  chmod:
+    enabled: true
+
+## PostgreSQL data Persistent Volume Storage Class
+## If defined, storageClassName: <storageClass>
+## If set to "-", storageClassName: "", which disables dynamic provisioning
+## If undefined (the default) or set to null, no storageClassName spec is
+##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+##   GKE, AWS & OpenStack)
+##
+persistence:
+  enabled: true
+  ## A manually managed Persistent Volume and Claim
+  ## If defined, PVC must be created manually before volume will be bound
+  ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
+  ##
+  # existingClaim:
+
+  ## The path the volume will be mounted at, useful when using different
+  ## PostgreSQL images.
+  ##
+  mountPath: /bitnami/postgresql
+
+  ## The subdirectory of the volume to mount to, useful in dev environments
+  ## and one PV for multiple services.
+  ##
+  subPath: ""
+
+  # storageClass: "-"
+  accessModes:
+    - ReadWriteOnce
+  size: 8Gi
+  annotations: {}
+
+## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+updateStrategy:
+  type: RollingUpdate
+
+##
+## PostgreSQL Master parameters
+##
+master:
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  ## Additional PostgreSQL Master Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Master Volumes
+  ##
+  extraVolumes: []
+  ## Add sidecars to the pod
+  ##
+  ## For example:
+  ## sidecars:
+  ##   - name: your-image-name
+  ##     image: your-image
+  ##     imagePullPolicy: Always
+  ##     ports:
+  ##       - name: portname
+  ##         containerPort: 1234
+  sidecars: []
+
+  ## Override the service configuration for master
+  ##
+  service: {}
+  # type:
+  # nodePort:
+  # clusterIP:
+
+##
+## PostgreSQL Slave parameters
+##
+slave:
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  ## Extra init containers
+  ## Example
+  ##
+  ## extraInitContainers:
+  ##   - name: do-something
+  ##     image: busybox
+  ##     command: ['do', 'something']
+  extraInitContainers: []
+  ## Additional PostgreSQL Slave Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Slave Volumes
+  ##
+  extraVolumes: []
+  ## Add sidecars to the pod
+  ##
+  ## For example:
+  ## sidecars:
+  ##   - name: your-image-name
+  ##     image: your-image
+  ##     imagePullPolicy: Always
+  ##     ports:
+  ##       - name: portname
+  ##         containerPort: 1234
+  sidecars: []
+
+  ## Override the service configuration for slave
+  ##
+  service: {}
+  # type:
+  # nodePort:
+  # clusterIP:
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+resources:
+  requests:
+    memory: 256Mi
+    cpu: 250m
+
+## Add annotations to all the deployed resources
+##
+commonAnnotiations: {}
+
+networkPolicy:
+  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
+  ##
+  enabled: false
+
+  ## The Policy model to apply. When set to false, only pods with the correct
+  ## client label will have network access to the port PostgreSQL is listening
+  ## on. When true, PostgreSQL will accept connections from any source
+  ## (with the correct destination port).
+  ##
+  allowExternal: true
+
+  ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+  ## and that match other criteria, the ones that have the good label, can reach the DB.
+  ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
+  ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+  ##
+  ## Example:
+  ## explicitNamespacesSelector:
+  ##   matchLabels:
+  ##     role: frontend
+  ##   matchExpressions:
+  ##    - {key: role, operator: In, values: [frontend]}
+  explicitNamespacesSelector: {}
+
+## Configure extra options for liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+## Configure metrics exporter
+##
+metrics:
+  enabled: true
+  # resources: {}
+  service:
+    type: ClusterIP
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "9187"
+    loadBalancerIP:
+  serviceMonitor:
+    enabled: false
+    additionalLabels: {}
+    # namespace: monitoring
+    # interval: 30s
+    # scrapeTimeout: 10s
+  ## Custom PrometheusRule to be defined
+  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+  prometheusRule:
+    enabled: false
+    additionalLabels: {}
+    namespace: ""
+    ## These are just examples rules, please adapt them to your needs.
+    ## Make sure to constraint the rules to the current postgresql service.
+    ## rules:
+    ##   - alert: HugeReplicationLag
+    ##     expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1
+    ##     for: 1m
+    ##     labels:
+    ##       severity: critical
+    ##     annotations:
+    ##       description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+    ##       summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
+    rules: []
+
+  image:
+    registry: docker.io
+    repository: bitnami/postgres-exporter
+    tag: 0.8.0-debian-10-r119
+    pullPolicy: IfNotPresent
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ##
+    # pullSecrets:
+    #   - myRegistryKeySecretName
+  ## Define additional custom metrics
+  ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
+  # customMetrics:
+  #   pg_database:
+  #     query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
+  #     metrics:
+  #       - name:
+  #           usage: "LABEL"
+  #           description: "Name of the database"
+  #       - size_bytes:
+  #           usage: "GAUGE"
+  #           description: "Size of the database in bytes"
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext:
+    enabled: false
+    runAsUser: 1001
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ## Configure extra options for liveness and readiness probes
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
diff --git a/charts-wip/matrix-synapse/charts/postgresql/values.schema.json b/charts-wip/matrix-synapse/charts/postgresql/values.schema.json
new file mode 100755
index 0000000..ac2de6e
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/values.schema.json
@@ -0,0 +1,103 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "properties": {
+    "postgresqlUsername": {
+      "type": "string",
+      "title": "Admin user",
+      "form": true
+    },
+    "postgresqlPassword": {
+      "type": "string",
+      "title": "Password",
+      "form": true
+    },
+    "persistence": {
+      "type": "object",
+      "properties": {
+        "size": {
+          "type": "string",
+          "title": "Persistent Volume Size",
+          "form": true,
+          "render": "slider",
+          "sliderMin": 1,
+          "sliderMax": 100,
+          "sliderUnit": "Gi"
+        }
+      }
+    },
+    "resources": {
+      "type": "object",
+      "title": "Required Resources",
+      "description": "Configure resource requests",
+      "form": true,
+      "properties": {
+        "requests": {
+          "type": "object",
+          "properties": {
+            "memory": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "Memory Request",
+              "sliderMin": 10,
+              "sliderMax": 2048,
+              "sliderUnit": "Mi"
+            },
+            "cpu": {
+              "type": "string",
+              "form": true,
+              "render": "slider",
+              "title": "CPU Request",
+              "sliderMin": 10,
+              "sliderMax": 2000,
+              "sliderUnit": "m"
+            }
+          }
+        }
+      }
+    },
+    "replication": {
+      "type": "object",
+      "form": true,
+      "title": "Replication Details",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Enable Replication",
+          "form": true
+        },
+        "slaveReplicas": {
+          "type": "integer",
+          "title": "Slave Replicas",
+          "form": true,
+          "hidden": {
+            "condition": false,
+            "value": "replication.enabled"
+          }
+        }
+      }
+    },
+    "volumePermissions": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "form": true,
+          "title": "Enable Init Containers",
+          "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
+        }
+      }
+    },
+    "metrics": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "title": "Configure metrics exporter",
+          "form": true
+        }
+      }
+    }
+  }
+}
diff --git a/charts-wip/matrix-synapse/charts/postgresql/values.yaml b/charts-wip/matrix-synapse/charts/postgresql/values.yaml
new file mode 100755
index 0000000..69b7089
--- /dev/null
+++ b/charts-wip/matrix-synapse/charts/postgresql/values.yaml
@@ -0,0 +1,562 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+global:
+  postgresql: {}
+#   imageRegistry: myRegistryName
+#   imagePullSecrets:
+#     - myRegistryKeySecretName
+#   storageClass: myStorageClass
+
+## Bitnami PostgreSQL image version
+## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
+##
+image:
+  registry: docker.io
+  repository: bitnami/postgresql
+  tag: 11.8.0-debian-10-r4
+  ## Specify a imagePullPolicy
+  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+  ##
+  pullPolicy: IfNotPresent
+  ## Optionally specify an array of imagePullSecrets.
+  ## Secrets must be manually created in the namespace.
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ##
+  # pullSecrets:
+  #   - myRegistryKeySecretName
+
+  ## Set to true if you would like to see extra information on logs
+  ## It turns BASH and NAMI debugging in minideb
+  ## ref:  https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
+  debug: false
+
+## String to partially override postgresql.fullname template (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override postgresql.fullname template
+##
+# fullnameOverride:
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+  enabled: false
+  image:
+    registry: docker.io
+    repository: bitnami/minideb
+    tag: buster
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: Always
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ##
+    # pullSecrets:
+    #   - myRegistryKeySecretName
+  ## Init container Security Context
+  ## Note: the chown of the data folder is done to securityContext.runAsUser
+  ## and not the below volumePermissions.securityContext.runAsUser
+  ## When runAsUser is set to special value "auto", init container will try to chwon the
+  ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
+  ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed).
+  ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with
+  ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false
+  ##
+  securityContext:
+    runAsUser: 0
+
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
+
+## Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+  enabled: true
+  fsGroup: 1001
+  runAsUser: 1001
+
+## Pod Service Account
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+serviceAccount:
+  enabled: false
+  ## Name of an already existing service account. Setting this value disables the automatic service account creation.
+  # name:
+
+## Pod Security Policy
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+psp:
+  create: false
+
+## Creates role for ServiceAccount
+## Required for PSP
+rbac:
+  create: false
+
+replication:
+  enabled: false
+  user: repl_user
+  password: repl_password
+  slaveReplicas: 1
+  ## Set synchronous commit mode: on, off, remote_apply, remote_write and local
+  ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL
+  synchronousCommit: "off"
+  ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication
+  ## NOTE: It cannot be > slaveReplicas
+  numSynchronousReplicas: 0
+  ## Replication Cluster application name. Useful for defining multiple replication policies
+  applicationName: my_application
+
+## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!)
+# postgresqlPostgresPassword:
+
+## PostgreSQL user (has superuser privileges if username is `postgres`)
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
+postgresqlUsername: postgres
+
+## PostgreSQL password
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
+##
+# postgresqlPassword:
+
+## PostgreSQL password using existing secret
+## existingSecret: secret
+
+## Mount PostgreSQL secret as a file instead of passing environment variable
+# usePasswordFile: false
+
+## Create a database
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
+##
+# postgresqlDatabase:
+
+## PostgreSQL data dir
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+postgresqlDataDir: /bitnami/postgresql/data
+
+## An array to add extra environment variables
+## For example:
+## extraEnv:
+##   - name: FOO
+##     value: "bar"
+##
+# extraEnv:
+extraEnv: []
+
+## Name of a ConfigMap containing extra env vars
+##
+# extraEnvVarsCM:
+
+## Specify extra initdb args
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbArgs:
+
+## Specify a custom location for the PostgreSQL transaction log
+## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
+##
+# postgresqlInitdbWalDir:
+
+## PostgreSQL configuration
+## Specify runtime configuration parameters as a dict, using camelCase, e.g.
+## {"sharedBuffers": "500MB"}
+## Alternatively, you can put your postgresql.conf under the files/ directory
+## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
+##
+# postgresqlConfiguration:
+
+## PostgreSQL extended configuration
+## As above, but _appended_ to the main configuration
+## Alternatively, you can put your *.conf under the files/conf.d/ directory
+## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+##
+# postgresqlExtendedConf:
+
+## PostgreSQL client authentication configuration
+## Specify content for pg_hba.conf
+## Default: do not create pg_hba.conf
+## Alternatively, you can put your pg_hba.conf under the files/ directory
+# pgHbaConfiguration: |-
+#   local all all trust
+#   host all all localhost trust
+#   host mydatabase mysuser 192.168.0.0/24 md5
+
+## ConfigMap with PostgreSQL configuration
+## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration
+# configurationConfigMap:
+
+## ConfigMap with PostgreSQL extended configuration
+# extendedConfConfigMap:
+
+## initdb scripts
+## Specify dictionary of scripts to be run at first boot
+## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
+##
+# initdbScripts:
+#   my_init_script.sh: |
+#      #!/bin/sh
+#      echo "Do something."
+
+## ConfigMap with scripts to be run at first boot
+## NOTE: This will override initdbScripts
+# initdbScriptsConfigMap:
+
+## Secret with scripts to be run at first boot (in case it contains sensitive information)
+## NOTE: This can work along initdbScripts or initdbScriptsConfigMap
+# initdbScriptsSecret:
+
+## Specify the PostgreSQL username and password to execute the initdb scripts
+# initdbUser:
+# initdbPassword:
+
+## Optional duration in seconds the pod needs to terminate gracefully.
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+# terminationGracePeriodSeconds: 30
+
+## LDAP configuration
+##
+ldap:
+  enabled: false
+  url: ""
+  server: ""
+  port: ""
+  prefix: ""
+  suffix: ""
+  baseDN: ""
+  bindDN: ""
+  bind_password:
+  search_attr: ""
+  search_filter: ""
+  scheme: ""
+  tls: false
+
+## PostgreSQL service configuration
+service:
+  ## PosgresSQL service type
+  type: ClusterIP
+  # clusterIP: None
+  port: 5432
+
+  ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+  ##
+  # nodePort:
+
+  ## Provide any additional annotations which may be required. Evaluated as a template.
+  ##
+  annotations: {}
+  ## Set the LoadBalancer service type to internal only.
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+  ##
+  # loadBalancerIP:
+
+  ## Load Balancer sources. Evaluated as a template.
+  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+  ##
+  # loadBalancerSourceRanges:
+  # - 10.10.10.0/24
+
+## Start master and slave(s) pod(s) without limitations on shm memory.
+## By default docker and containerd (and possibly other container runtimes)
+## limit `/dev/shm` to `64M` (see e.g. the
+## [docker issue](https://github.com/docker-library/postgres/issues/416) and the
+## [containerd issue](https://github.com/containerd/containerd/issues/3654),
+## which could be not enough if PostgreSQL uses parallel workers heavily.
+##
+shmVolume:
+  ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove
+  ## this limitation.
+  ##
+  enabled: true
+  ## Set to `true` to `chmod 777 /dev/shm` on a initContainer.
+  ## This option is ingored if `volumePermissions.enabled` is `false`
+  ##
+  chmod:
+    enabled: true
+
+## PostgreSQL data Persistent Volume Storage Class
+## If defined, storageClassName: <storageClass>
+## If set to "-", storageClassName: "", which disables dynamic provisioning
+## If undefined (the default) or set to null, no storageClassName spec is
+##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+##   GKE, AWS & OpenStack)
+##
+persistence:
+  enabled: true
+  ## A manually managed Persistent Volume and Claim
+  ## If defined, PVC must be created manually before volume will be bound
+  ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
+  ##
+  # existingClaim:
+
+  ## The path the volume will be mounted at, useful when using different
+  ## PostgreSQL images.
+  ##
+  mountPath: /bitnami/postgresql
+
+  ## The subdirectory of the volume to mount to, useful in dev environments
+  ## and one PV for multiple services.
+  ##
+  subPath: ""
+
+  # storageClass: "-"
+  accessModes:
+    - ReadWriteOnce
+  size: 8Gi
+  annotations: {}
+
+## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+updateStrategy:
+  type: RollingUpdate
+
+##
+## PostgreSQL Master parameters
+##
+master:
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  ## Extra init containers
+  ## Example
+  ##
+  ## extraInitContainers:
+  ##   - name: do-something
+  ##     image: busybox
+  ##     command: ['do', 'something']
+  extraInitContainers: []
+
+  ## Additional PostgreSQL Master Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Master Volumes
+  ##
+  extraVolumes: []
+  ## Add sidecars to the pod
+  ##
+  ## For example:
+  ## sidecars:
+  ##   - name: your-image-name
+  ##     image: your-image
+  ##     imagePullPolicy: Always
+  ##     ports:
+  ##       - name: portname
+  ##         containerPort: 1234
+  sidecars: []
+
+  ## Override the service configuration for master
+  ##
+  service: {}
+  # type:
+  # nodePort:
+  # clusterIP:
+
+##
+## PostgreSQL Slave parameters
+##
+slave:
+  ## Node, affinity, tolerations, and priorityclass settings for pod assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  labels: {}
+  annotations: {}
+  podLabels: {}
+  podAnnotations: {}
+  priorityClassName: ""
+  extraInitContainers: |
+    # - name: do-something
+    #   image: busybox
+    #   command: ['do', 'something']
+  ## Additional PostgreSQL Slave Volume mounts
+  ##
+  extraVolumeMounts: []
+  ## Additional PostgreSQL Slave Volumes
+  ##
+  extraVolumes: []
+  ## Add sidecars to the pod
+  ##
+  ## For example:
+  ## sidecars:
+  ##   - name: your-image-name
+  ##     image: your-image
+  ##     imagePullPolicy: Always
+  ##     ports:
+  ##       - name: portname
+  ##         containerPort: 1234
+  sidecars: []
+
+  ## Override the service configuration for slave
+  ##
+  service: {}
+  # type:
+  # nodePort:
+  # clusterIP:
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+resources:
+  requests:
+    memory: 256Mi
+    cpu: 250m
+
+## Add annotations to all the deployed resources
+##
+commonAnnotiations: {}
+
+networkPolicy:
+  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
+  ##
+  enabled: false
+
+  ## The Policy model to apply. When set to false, only pods with the correct
+  ## client label will have network access to the port PostgreSQL is listening
+  ## on. When true, PostgreSQL will accept connections from any source
+  ## (with the correct destination port).
+  ##
+  allowExternal: true
+
+  ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+  ## and that match other criteria, the ones that have the good label, can reach the DB.
+  ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
+  ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+  ##
+  ## Example:
+  ## explicitNamespacesSelector:
+  ##   matchLabels:
+  ##     role: frontend
+  ##   matchExpressions:
+  ##    - {key: role, operator: In, values: [frontend]}
+  explicitNamespacesSelector: {}
+
+## Configure extra options for liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+## Configure metrics exporter
+##
+metrics:
+  enabled: false
+  # resources: {}
+  service:
+    type: ClusterIP
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "9187"
+    loadBalancerIP:
+  serviceMonitor:
+    enabled: false
+    additionalLabels: {}
+    # namespace: monitoring
+    # interval: 30s
+    # scrapeTimeout: 10s
+  ## Custom PrometheusRule to be defined
+  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+  prometheusRule:
+    enabled: false
+    additionalLabels: {}
+    namespace: ""
+    ## These are just examples rules, please adapt them to your needs.
+    ## Make sure to constraint the rules to the current postgresql service.
+    ## rules:
+    ##   - alert: HugeReplicationLag
+    ##     expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1
+    ##     for: 1m
+    ##     labels:
+    ##       severity: critical
+    ##     annotations:
+    ##       description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+    ##       summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
+    rules: []
+
+  image:
+    registry: docker.io
+    repository: bitnami/postgres-exporter
+    tag: 0.8.0-debian-10-r119
+    pullPolicy: IfNotPresent
+    ## Optionally specify an array of imagePullSecrets.
+    ## Secrets must be manually created in the namespace.
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+    ##
+    # pullSecrets:
+    #   - myRegistryKeySecretName
+  ## Define additional custom metrics
+  ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
+  # customMetrics:
+  #   pg_database:
+  #     query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
+  #     metrics:
+  #       - name:
+  #           usage: "LABEL"
+  #           description: "Name of the database"
+  #       - size_bytes:
+  #           usage: "GAUGE"
+  #           description: "Size of the database in bytes"
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext:
+    enabled: false
+    runAsUser: 1001
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ## Configure extra options for liveness and readiness probes
+  livenessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
+
+  readinessProbe:
+    enabled: true
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 6
+    successThreshold: 1
diff --git a/charts-wip/matrix-synapse/charts/redis-10.6.19.tgz b/charts-wip/matrix-synapse/charts/redis-10.6.19.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..c69d46f59f23c1ad319e9faed3a4fb818a0d5183
GIT binary patch
literal 56701
zcmV)ZK&!tWiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POvHd)qd)IE?PU^(ofK**kW}lx*iVquJ^CxlY>pG;w@vw|(cN
zePW1&B#bG71wcC*JHOBVKDd$KRg@*mZpNH>8jHkrVPV~{uolAs;r)XNVxl)g)9}CU
z;Mv*P*?INih5C1AXQ%k@?#|2S|F!$<<*S{Y=g(ffdj4NKyL-=eU;Y>D+{IvuPr?Oa
z|FyGpU&YD&NgfoFUohi@MgzFq?VvbLf4=PP^j>rV%zZ{;p<aE6aRi(u%*We+f=d+n
zIDiX0^Da@CVBmr>+=D{_gaaK3909{4%oq+pP(U0I1W2F`02eIrMZz#}%q}qlP9h)6
zwmA4G0-r_#kw}&!(U@<;1n~*x+Yk~i_%?7XIG`v1PMN@gY!M6I>)>ciB0PXG6>->^
z&?z3kM2L9M?<-vI5!&w%U(QCp=7WBJNJNCDr03IVA92}Cp9|z)a9yKMrepn=r(Sz|
zdpn=^o;~ly(YSMgXIGR3e9-YgmFakL4hkF{Pfd1+IPOdlQS-q}6~$9T!hxM6X8iv+
zgXjQ6NRInE{mv<m14jJ+6JRczn<6Gi)Elw1LheIHztf}Ai>CUv(;gEsNrr0HrgQtR
z7f}BKGf!8&v<R`g(|g(5{d?!WarW_9-J>yFp)0>D2GC6ZUp(7+wNs@3FJA6E(*Jcl
z8yoOLNQWqdH)_uVnW8a<7%?=(0yEy(*nr~@BaXKrq5^}MAOT`RI9!o11bT@XBY}L6
zOO>~QM1GhABpO42V;luI@`<G4K8;3XoEXNCa9w|_hoY(H#s(ZDjNwQCx<n*I!!RvT
zGuVNCbArc&3pP{yLA^On!tfOP3=27-j&5bp0ocgb7{GL9|2{%foRx4|(DeX3r|?gB
zroX1OBril`d=MheWwWQw?+$3PJb>#j9XU}$>ET4aHPbS5SAJ%Al(8#Gv^9ZNw40^W
zTkmCo#=I{lsahGRuI%JYHA2<fm~tYhe4lGUj=p+C0*&>@+<02@kqw^2vEtR99HNJ!
zz+;%l*capyo1!BUVlO1og&su*WS>S9@d7*~DDrl9Jhr39aT;TvjAnqcH9Dpt@n`z;
z8$3cuD7Zwir~Ba*n(?PVM%iqnnDR740(0?n8*s>_G$K^-!_g5H#|(2EiKm5G5BmL!
zWQbXW1y%w@Kz-g%IA-2BAp!2I4tRefX4s39FeK5~)9>uG;&iA3aJ$kyeNgfi3d0$2
zJH-ePV`v6+R6@v}frkDC(}W8cVwj>RQEm7PBY^`Tk=kWaF5ofpaj#-ED<&oozu^6J
z$9gdhyi{`O%bDoOc`+lGNMO$*T;I-iL(RAK_K_%ms^mVo6tR?M)I3sJqb0df5{7av
zAn-Jns|cHlBw1NYO_pIryws$(<hIyQe||7c4GNvfHs^Pw+p(|nZ5@OO7gC<ZLP*KA
z<Lei4+BlL#EEs@biKG%dM3?x0CXpDxo~r#bH=TmS1`^>A(uv5oF%5cfmQvq<a77kn
zfhkh`Dw$Zes|0J}V<jfbwlx|6jj}FO0k|S!0&;Jvog&*xJD06xy_1LwDf9D=Es&el
z2!$MLoI1gOB!o%Y%()bh0VQH0>-b2bHqa>F4-p)PqY8XXg?2$>;`6?((E-Udj!p9^
zL`#(GRFxO9iyT!g_tZ>RJ=?J%um-bJB3nmh8wjoE%w-PEy*1TM`&gX(ni)DI__<4h
zcX#c$nyB!~>F_EkaXP~WYJ6LIe0z#~_cS@3cZn{~7i=_@ImJTCH2R0!1`&}o`e1_n
zi!(CCG!X-M(E<1)p)8q7>IM+dt7v~DFndqJkZ|nNDBuHlDdpu3zzC6065h1_?%(tW
zDc^-54o_#1&j%p!PGa%^_Fg`F^>@9K_k)1wH8Q)$f<}{@5oLLL6Vbph<7RTBo3XoH
z|C*wBpsT)Bln*FN2{9K)5I^hZ@C{d;W8_aHB?yU+OuvUCTPx6?(@Ki8k8y;Vq}K=-
ziUK+X5&#mi2PTp@ZNpIC?R*!yjfrFfNDf=lZ2^aGB;nPa$!0v$j<UzdfgirfQSk$d
zUw}UghJdPlpl9TgR~$k}E^&mpw#hJz0-}D!j1DUSy)aH^?`>CJ+Ks2X>2Eld)tfCl
zJzM8kzSfvtWX35Lzri7rNUzcJg{Bag5gHU;3XQ3Sw><HE%=y`bVLqW@pfOhCcfzpq
z{)H05%^dD@WV^Q*nV)b$r|)urllqGNa*`jp{-juc4lx+kwkKftj|6jLwF}9Vh$3Fh
zrRF}J#)%?k#-644aN0#GTH3DcZ-6PDDh9mw;^ljizV+i|0J}Ro)5?*b8u2J*G{#I2
zg~vu_8dySIS4qrby>#-Aft3mmkM%;B(#JV6W|TtxQoSp3Sj8)7fMpS_C8w0_9Yw)+
zD3sEfmI04!Iqr;zw`MRtjeHynDR5~i(u=UTqU?f1WBabZA=~uih$KPIa~3;CI}XcU
z)Eu*yc09+7UP_4@MKeGdF-K8E1=3XKYC`-8OwmlTQl<q=D-HW7l5Z2P3<|bUB}5c~
z<HAFV7*aZ9vM(BivlYX~w(W%!1>VpM!3C5vL9>MbLNvso^V1pq;jz(J6h;ut)%<=+
z$7d1kDTg;yDncOnc26oSMi0@i2Vj2oLh7Ti(=nqrQjn`&%TBH)SWF~h!I4`I_=F~5
zAR%ug8cS~rI)QHQY=Xg5oYDY?>P#Sx!&wi0o#4pIe5%T}S`Ml2aIK%ndHR$w>>DN7
z4+)Nh2A0F_%tQbwT4xm+iJw-k=IRUqM<g=l3>ujMNP4?%im4W5Be9SSG?Id{;(d%x
z6_#q6qg&W44iN&(1&OruAv@pdWy&xLLwfc0vqlX=<&794zm&V93izp%$axR`zfz=>
z0MqlAWFY;nb->&=1;<Tl<k)O5BpNf!`O)cnB>c%c7xB_h$22H@?HCN-_kE?k*5k`*
zu3$aF=$|?1<IG6LQpA>^Ei|R=hP_k}il_#NoV-zW2{%iMbVG!vVpRYMS33U$Ls`E!
z2P&No8zR4Ub|>HMA7sp@?c5~Or(woHPLdESJk`b2@!5z<M9`aC7B*^!(Vi_Ol@(K|
z-2)Vp9~ezyN0J9mN^UrkDlgC8<`|}BhTthI!G6Msn8k9R66{pE#B5lskZ@dXRZ^T{
z!Lg5fNhFmK65_D}4VVeQ$KMr6JFx~1sWz!GNcmIX&!S@oWqwzgQbt_OU9od1)vzSm
z=Rb4I(l?SH%(ySY)HI`ZM#*d<fspRi4fr|o>2xY7jaDF3RTyHqQ5E-)%VzA?5f(k4
zGTh^IiayJ2Y;4)-*4HC2f{AC2?aI}RgrX`Bpt~zoq;6^;sxhi`$_9}PthUPLkcvrZ
z(p#N^nw}~hyE~pgK@9n-d>BtqluR*`I*vA)k^Ihc#$dN!$%5V5VyuDfi3#@fDY0kg
z;nBz&5ypkbl1Os5IGuR6YvF`H6RuW^D-9Ml$vC16ORWT75}IUS+3IYhrM0>{PzN7&
zCKq@np`zpt!3e&@fu_tS#*ikfXsckp8Qa27c%~Wmdrbz7VE}O$5xM<I#05ryBy~8t
zB#cH1<t`B;63@B2w%?O5BPMc`m~p~|I&9W!7wb2w1sWz(44ZnO@720*b<zS_l9ik%
zGfqrVgvL0q?aEeu(XGe@J_r$+=8SwCoaTDPjcGJpJR*_QQjdQ*NX;SE3X=9b#3RbE
z9kb%VLkvTjM3P`w$f^-YXr?5CiB3s$mWyFa=xOIqwK{qa3|!G)?sPdv#Kwt)ze@)W
zauQ~02eMT{65*`gwpRK-qiGx(2rKh}Dm#E~pCwU`Pr3^kFU+Q0jp;&n<Vf1NiHt%t
zUUc%RPW8k$HnaiZds)N`06ge=-V}Y-s+kvS!SIrXNRSYFLWEtnB*Ss&4UvBl(y_<M
zzcK9Y>^+|jy9zVX#w9l~wu|W$c^u0{mq;dMKDoVeE3IgqvBK0(*BW;URpm@AXOen6
zr;$C1Ik06c4ol57!~%!2%;+<ewItPx#@Z$$_ihAu8jG2su2m;AWsA5T!iH{G5==Vs
ztia&e;o9k$?(GOQpZ4JUcR!#0_~twJ*Z#YA9T!>5E^=^2GHb1@DAM5QGVLrrsS-sm
zrEG_<`bLBDq&)4>;lHpicwcwXS9ZT3C!@wR*e@th6(jx=nII(FLJ^=)DF*@r_a`_=
zLd>=S_r^WwazWWeccG&@6ii7Z=`-_;*5_E$rb#GB9AYo+i96?Z>B}Q654SW68o)mq
z1-~w%U~&1iA<(R+T7G@DViZ>MBP16_5MUGThvx9>*`CKHIDD0R`9i-lr{GaI(=?cj
z3Lxp_?F-P)uVt^|NK&D5l}%G`Md8P%QuY+-hK(~}LcOU3_wJ7VSOM^jYCCB|W6!D^
zvwc)y)`nz$*iQ#-MT}0W|8>*d;^9cJSxiYJy3Y3@GJ=Tt?fLF6y)J%8v_Zk{GPUIJ
zTlYLb0-yiZg&P<%9K(m7y0<eOSCH)^8c2mJ#J-?R(-1*J%uq&cBm+X6ld%$)7i2m)
zDXXuWQS?PhSp5wpXPMqt+p=5^p^spl33)>-kT=3eB+NlsS>@CWV*uA(S*n-s95H{=
z9Y7aNgO|^{$_(#9DwB!w(l8DBvT;D8kwnK?A4P(A_Lm)j{av?8i&)7ERT^#N@z-Gn
zj~*@Ex3_d_5V~(qm6UaYqOr0Zb$54q>VN&eb${>V4rLvk)R_9p`mE9<7Zw3C?b_3t
zY9=rh^y(_EZ48?+G6v&<vOA?oB-Irpw&fa+k`S&YI5JZR$Y_L_<C);NiWsDp4G*Ai
z-0ai-crpwKQ&ePT4XUPVL3OVnXxb-<Ai$TdEy6lXs9i-P49CA{`<am+Q+K1D5i5qr
zY9!rmhG=rE%1TjQ3gaFL)<3djIB@+bl`snb>%RKdsbkI&x?Z=cTDQAxHkeU`I0Q4P
zhWV0)T@p^HIU2C-C6O5gY)Y^N+D^6wO8-+`MM)TLLqtp6DODLrIwN&WVH^AjrK$PZ
zw3qdcSr1@y9Pa^*VE@-sISUj8h)KX_E&cG*+im$7{zqNRI2Fjh*eV>t<(yEvo?Z)m
zH1b~ZH;tu|(@UQGD<cAbh<uHyQpp~`-+mw|<tnXO%AIYIR&+!Us%jr?I1CqHS~`<3
z@7{in8Rop8^ZgtLN@EgI;UCYoEvYnXbV8N;k10hN(C7`8I=NKD%^DcBs!1P71Z4z;
z>W+wzd&NVs^0`pFeuy~nz4Q~uqQ8;I9;H%iUvsQ>lk-zAgDQwm&G-lT5vPlQm{2^!
z6i?^7$P!5MEy=2SB^V8r+UE?YzY*Jh>=6KSN0W|XP$d&cu`FhUDx1CC3Mq{&ez0E9
znZ52*8{#vGVq*i2sK5hDWO|CF5e^8XxQi53OU-*7L-QEcCLeVGnA-jTNyU{Y4aFXa
z0cG1#%Sd<nwkF6VnqWpGYo%OnR6j&ayKTAim19?CbbC^yhTlpsa_8GhEZWFfJxhAZ
zqnz|8C$*H5%+ZB8^HS@PS9u?T&07y|l_qa(va$y5D$DV^7M9}MTTxH#A>%ETFUQy8
zG-enDa6lu;1Efy5yi%NThM4OAc!I_>q~n>#RezqJ_2*a$J(!};rx*B28<3=cVk`cH
zX9Kl{=DieXe~vg3gpbtm)&SnnBPvdfu~E`V)s-_d2Ldg;5*3WUTI-{-6IGju9;W@V
zW@zU1qXqKO0{Or!kecnB;LOKs6(>C99u~E3uF4wtCpv7(izxwQ=Y0xhT0LC+XfSKA
zQc<bXQXVZ#j~1p!3)7>8>CwWpP79N^228P-;Dp25&*~y0gFd{+f)QW4bLl@TE~GAd
zO%t2`v<!>J1K91o?CrXjA@^Qs%J_JXu-!dEy$Q_ffd%jy9CbDdvYf-zl`ffDGZg13
z4zR++p>@!Gmie`TKf(TmcY$Xr?!!-bwmqGFkm|@!SSj{Sm8|;`Eau2Mu56=mFWn##
z8r)|nmaIrh1>K4QTDR!_eRpqH3)^}5Nxd?1jtcfcMlhqvQ)We-3SVBIGE8|t>&K(9
zlsXlyHN5*hjpQCHh%Qz~%2_XwbD@EZAi_8>e&ZY2mjO(5izz>qjfF$xU!+$*GRk53
zU=oFxbL&)}wyJD%mnf9tddhEHujs1@5>I)m5zc60JoVv#GW_8bK00LTFyaD*q5794
z`Z~w&n+-nD{sb|>`+{NI*S?<VrwW*Eh%jK58Rt5-`hmumRd!kN&fCq#@KZ9xu$F<?
zUBY$emZw`;Bdan1NhQ4Og|#4PyFoVClO)8(#oLHtom8^brgOpp%fA%CRiVu6b&+l0
zG)Ee?weYK|NfANEzLBz4@5IETpbUB{>|TX#)oM>|XhqhNGBxOwo5s0$)$X>;tX`0T
zoc)za*XG<ITVHj5!%+dGI>|8nOL8d#2~%hrVm)mXpjcVprxMsRnlQDoGgkK=T}V}e
zsl~`Fjrt~xy(yzETAA2DG38>+F#jV=4~MKck-HxQ9-t6QqNnEZhF(SKCy->9nOJF`
zlK9%R^tyX}okbVv=A(ghp$A{Sct-B%eu3AoVaI85BsKKCsq@BI@trpkbuTef7GBJl
zkxKP9RHX1}m1H_aQcO9?1?7P2Ymno8qPyv(@4tNM!j~`V`hBjQTxh?=+LBsUuDLvL
z-z!7Nk7PV?JJc}#Ha7+Xa&0;JBnj)M;Y?tDyA}8bc6WC2?e`nHo1)K4^p<b<Tlo79
zy#C+f0Ln;Ei3JU4P>%<<MFhg_-8V{Mn)nlAxXL%4!;YK$H@Iz&wwxx7`s;ry(O1fP
zX_PNLo?ab#{e)+4FNyD5g>&$$FjRX#Yg4a0mi2J(NlIs*1QjT})!Ki2G5viDzJ>By
z@A3z=))OSTmYTDQt$BBA?DkZ(%sRBEQB*?21-yVMi4tM$InHgsdWm=uV_o62z2-Fi
zXPz3C-sO%}C8IHV2%z)=rj77%c)V>}P)7|{gkuOXy2LOHQFKvpCTmY>=N#}FPl&^a
z2q!?O8|6-Z*7l5J%%;SeDGnwm8taRQ^eVzEb$u}R!;CRbS>lupUfC?tdy?h`rR=`k
zcvYCETPoF45|IE8Gi`d9aI0Or3bYOs^r$+QLh$6Z*9FfecK7~PeKz4-f|D~+_YzAt
zH){^uH#R!iVLRM-uJ*Y9;rrU^jxl=!#ZpH0XcW#o)i;2CrQ!h0^ocFJu~)I)eCL|N
zw^cW;K^}z+qhMySR<0_So3pF0(Vps?z;crv*fo>yt*b+f*@&{Ky)mqXZmEYWQ+6QH
z?<a{6&Sm0Ft)T*!@-dleNfljE62KK=ku0;-(d`}Dom1LVsk?-7Mra?oG22x6EmgUp
z9wQ8brh-3GE>34W1OJ_Etz&hXs_yBT2pBnkm(oUSGOg;HlFBv1-u*MTCso|fxY$)g
zbcXV<S_Uz=@3^&(&uShMGuDW`ynpoJ?Coh!d=@M0qdESw4)&jq|NMMsZ|^bw^E#ey
zzA@3A<&KY$P$6}$Cd9-PRc1M<z74U7;T+N#4&a+_I-Tol56H-hs2qB~=qTdaeAml)
z>ULexT51Efc0@&5(G4A;O2`5z3SiSMl?zm4-E6jCv-*23)XtV{w&Sh#>A<i1Cr5`z
zKWN9*?^1>;0oJVm#_K#R<OI9U)L$zC+f~Np3A)sVx+&#Cc`=1Er4K17WrEZ26WV_j
zn|X#a6*7q?LOajqql9Rd<xfyV__U`-{e8t%_HDRQM}IULODQ24kEJH0!hg%L@hc+q
zo%L?2Q+2_pvt8>>-0i_WPd!Y?CEiw*edTt-soRPRgWRdbB~byy5nQ5>1X(B(8bR0o
z=w|v+Z}m$okrhXQ#oO|q7M(2;+TdCSJspI%C2V*!w}_Fy^_j9hLdOAI5~RadU0;`L
zTf|DkUr0^c1lQF^6B2Z9j!ty|Bo(tn;s%Md@ih%j+?i|r=*j+#`MP(M9?g9D(&LwY
z&ly}U(3l+0h%)6pr$c(BvNZ2>zBga`SBwbkeA)&T-6f6UmEw9DXwURwJuQf9KO)h5
zh`BNN<RG(fP+USP(4$vSLqmFrdwP*oaN32|s@>A?rPjtXbY|%#DlJ5dzLhK0@?CpH
z>?rQ9y8`{aLcUX&rb{CV4DpP@7z;hZlnAmUGFK+FoeWOizBxSobi99h`s;_2H?N;;
zN>xJYu(GZRgyebI(Q4hmp<?Ph)u8m`!K3gmPNNu!$?NWQFF*ompr?VFzI5RRhKS>r
z&%yHo?9%{m<>q`wZNR(qNGM}#Y7usOaFRrToDg9t8<J>{aI6pHbVxuA4?As^M7N%A
zVW~~TLC<4T@H`=A;1T%?t6;jXpB~{$%$~w;viqi$1kc0KWof1Izu~v*YYQXQo|lS4
z^F*O~aj7H@d7idBwy}Qe>1*CBN9Q@i^R$9q1w{41;)^G7VbbaB_29rPdPaEl@*cc9
z9JFDm8Bm&dsy*{j4#eJM{wjkPx8}6Xi;SSKr0IgfhH{20@xzr5w!q|;7;nmVHNmye
zw={X-ksG>s+Y#NOL&c_+>8~jI-PhF13}e+)p`$Nbo~o2=`G~KCXA#E>5n2@`X~8jF
zI?}OT$=cH>#|m`i4Ax!^x3EdpOsv#IaGQ_FPz`lKArZL1|NZpxR!Nu5^p{4p_RE(X
z>plAL=Iy7$;{wlBm)F{{paMH30#EtJo!@(0Ad&DM3IZmD9re!q_|n}f4dM91$ys3#
zx9MK$u|1U*MD}MdXnyHtiACC?`j$Bia(2lR11w3wo}{BLQuGCOMTRH2h0H74^B42z
z!`a&b913--RG<qC2uAqI9#vLfpw)+k5{s=0((Bk$)L)TOa3?x9K%)1`0G{T=vP-|^
z3SG^I`O_Rup1wW#<?x^aEnD~5f(dz9f$M82NicO1xk;h`e+G-b?pbKhL>GpgEyb65
ziaF_}?0&IGoyVALDh0MzSk2f7{42*L$Ij7)Dp+XC@pvQ3t`G~_ft+9Z{kD6nPTv{S
z=|TTf2JP<ND|J11w*c5&y=B2!&Ae28xO9ffb=EkgpP@0=Gd1)%UsM@`kidF4y5N0V
zQ~!KV(f<Ewg2Nay-V^c4Qb9J`|DWycz9`xMU+unnwEwT;xxVgy1D9kvP<L2HB*e-@
zJ(XbbCwKtg^wp;Af75yUIkwrr+^Fp8h@jUo<vim(Yj>$8S6=o_`Cn_#S4HzOk<`hg
z1~(vB68Z4*nfjAVPm|Gze1@)<H72Qur-?&;bo$UD4ilcs{sx=saDO;+3Mr9wt8VbB
zOx9t{NF+wk{crC5w<I|3B=p}VcXG`T4|Gs^l!8GgoBJa{q4Gip6vt|$z0R*#13;A*
z5)5)I9ER9O3CGIEz>Nf;%~%A7fevq?u1si82IalKX=ZIqUMePbjQy=%=Wvt<Qp)W#
zfOOb=kzO8DAXK&%Ie0VL8t`T8$}8Kyi^=oSGPMO-;e^!_<c}w6@PpUw(asrX3J2Xv
zj!$P}&AnZCfJKDLwWj-BWFyr5t+DR}i-c(tD2ii7V@4Eqr3t`w4hgO7X?KE(l`SZa
zY31A+b3DDo?0`;ViHqHDU+?ywdpq0kzq`Fx-j3WkC`LmP5<xKUNi;UC^nM_sxQ7&w
zpqr&J=wI#*u|T^`KurfqqH*uyZ_0_{a<>^|^T4FM;}noeUK167DtTe_Y!mZ9wfp?G
zFw(2m43`X!%R$3Mnp?x8CGso_k#-o<h+%CYqys(WvNy^-Tt^;_T{NXu%*i_}sg|Ws
zs$9>0b<0~fu(}%ddsauFak-#;c>{u)EU2Dk_&?%s3VXfXT`;*L^*LM?kwA(7$Xs(#
zc?WE|0(*r9NF>>vy;2U`r!n5{3=;vS@xLqE)n0FR2Lg(D^i<f+fQW726t1wkA)?|k
zP2&)oR2=F`ny1z=q+{auI{P7~>de|lvKe(K0GveQP^od2b%yBQGkcLoVhrKR2?0eW
zj!d>(4!1ICr?s`Os0rzhy?p9vQ`8pENPYjm`9M+orrO2DRSV}i-KPlL+({m(=C|si
zx!c21t>10~r3UAwos=59+is?Og@txisp{PARjBc}&mQ;LL)vHA#)8c>$B4Ofp}y5B
zMy6EjU6(7r(55TaoV(}p6&|<T<Cc5qTaM%|`j}ffUYuRNnX?&7mvvfi%bJ=CZP5BQ
z=5E!xs*juYans)4rZrZ&qM6hB*rHta$+|t6Pmg(2X9UX^>zS;T*(6iT)n?)F!#N4s
zs%uS+z8ZLGyIu1~w^bvxF#Ewo)lI$9w4+$9Wzh8_s{l(rg<gfZtUIr0jhU_649NM&
zQJQG0#DH_);N%F*fkRTFnt4{gb{bj$XjQc;;g@&pTfjJyPeEA+jB>-~e!!;Ah*ls_
z`AS<ZEo>~ApJR0wS*u<}v(+uRB^io>{V<-Oqht!ZJMAH5t{W=iTZ=TR%v>h#>~VW{
z(AnkLHN?eq;9R|04xe_d?;%$A`^e@W+5AJ2&EKeP0tz`H1&JZJ$~~jelIz@-?cOUg
z>vX&;z-HCZ9pQ5WE<1pfC5!I{9YbNqxJ`9Pvn*d<YiE+{3O7zNQURHAW^w02agBAM
zs)S47s=n7LJ@MkRuB<qBzWFxlC$xB5byHuwrItXNzqUof^0>}l|2n&59u6khzmUr=
zCYb5)WG2ce2sBRP(U>^#wSFK)ue5@czM1(5+JFq*+S54WioMx*2zLVvkMZa4NfbcW
zW54|t{PoEVpP;=LF9+Q%CGDDPr)dyZIUxwJz$ygKrsKv}vdHAU1G52q`LdNpYKy4S
zf|2AQlDeliK^fKw@dM3Ibc73iiK7TwBzbF~V;{Pao_n3Yl4wNJXa@oHdCx%3guSzI
zZ~7B@<q6tPq5v}$q}VgPc(NDIDOtpdHj7hxs8d{}=ChoYE?50QQ-0klhV*qUV5P+7
zifp-%-a1yePRLYuZehH2otV{sVp*+0!txqb26z4?X`YN=6aS$cj2fzK<?0n>^>Rq`
z-@3nbyQRLID>N<JsZe1WXJb*QQGszFWH7{uBvjviBh2PBREFQ}px6w{MIm~-*}E{V
zg?p2VcT4!M3i9j6+(l>E2+esaZZpADx8iC|P3mU%Be{GemxU>(B8Wne<*8+JI}ejs
z-fHfvq?HQ{U`1eGKhiEZ$J-Ig13HaKhyjIR8mbRSq-d70d`&UuXpFZNJ@RG25h7vj
z!A|jVQfeSK?Qj^phLCVk{Y3{pblw$@t@7>nO4;&q$62|iZD646Ww$&$S@2(!M9}>$
z>N-U|C)7<^)>ejeNq>ue*?;%*+f(>u|J~u6{j<XlM}yxYWxBPMZWR3HuMPZSW~%uJ
z&+;;Q#T<cLaQNwO94?J3aI2-M0$owLFL)&X?{07RWm|{jtpX;Ox>LQWkqyd84;3CC
z(*Vv)CdI0hk8)7zCUzG8hDHh!@a=1mgViCPq;5K;41?6%*wmzz5O<OlvSv;1`?k~L
zQ+$f||I#q7y&0OW=muc({lA@OFJC+_-2Z#AxA)@l{@*&D>=MQRE_XW@Bnk#5z2<uq
zccxgN00}hcKxTn$zLwm{Wsj)4;@ru{Mn`d6*>tX1(09@*3!1BXX-So~8;uJiuo<>Z
zA#?GqJW5%>PTRCkqmhbiT#&)i{bJix0mYdom6VX+ARp#cTlYmAR@Cpo4MZdgr26u_
zVB-d3*UE+=y9x-axCQUZN-70lS?h5cYaF||U_NIGrPi8eQazGFHszWljM}n#EhVma
zHZ`?5D1dIa%BZO7FszcQHNvzkep-;q!s@G+#V(s+Uh?o#4a|kK&PF*0(8abEfU~aJ
z3e2@dZv*AxFe(EyrEg0s(d~<Atm8lqrTAi!nCrlhbpifN_y@g0_7aK75>;72Bi1Pv
z?V^C`;@(bge$fd=L5MlOeQ><`U<~DX{E<+WOiNP_=vCyQksR}sgdyQNdv7aHlnThk
z_GMe|-KL6NO4*)XV&<8I!ME$nwsK|~DfSX0hQbhs9-l@2E$3s~I8{wFVC?)YoCc<x
zvy00u&fCc5&%5CNMfuNStS1q3MIzuF`EPe`w<Q0)e75^2|E=Sxl>dyFbQ|d}C3z1+
z3~ZF}TFHq#*165g*<*bB_W+J)ggcrgnVDFJ1vM;VqS7fBYbd%YBM=*7ajZ((x~-UK
zp-az}s_VOwT~_q(Hk1>e@;Ucfu3Y1K-1lDiPkbuqe<&v2O3eUs;{Wfwe7Reo|1Y1v
zeEvxP*YT`g|MxTsJq-H4Ix|2_qVXrG>X8U@{wbtB3VVE#sw*3R=?{s@&OIs0kWQqu
z?@5?;Yp)S}LdoaX=ROkf<T@Wg?bG*%@7{hncf<J=V+Om8G$>w$NYb*wh<-wen0zt^
z9<QHle*6gCC!0=SIM0~Ux4Q89|AO=7Memy}`2BbIpZ@{uPbhd^L_OJ>XIk6JtJ*5D
zPD~??Uq9KjoW@A?9*1Y}WLHN`&IP9Xt;H-9<12-pgC~XAnYNq(sfrU&>o}oYr2T`6
zNNL*paB}8+h;5Q#9i5PjKtjw;tqXs74c+4pM?ZAo_kVzx;K<ZeFmejo*Pn@iUG-x`
zEQ*EX5<g<tBZkezFbSIS$9Et0-y9zOV1v+bm4ML3*Os)5V*w;GIje4ksIA0Nh09qu
z>PIYYiN$|XG(LTMbar_3_T9QECSn|?XvTZ!>LNw7K8gEq{r!iZkKTMbJbt~aXQT4o
zr|(suWc!6B5ed>yCqEw@zOmo_(kJnata)P#nE{azY^Ghj-rY(+0305_ezN-yNWbp<
z!+f$}wHFdLow4Mb&~co1|B=3MN@mR!8`2}sx0IdCr)H{)h+ajhb~oR8_TOCpzq<{G
z$J=Ub+wf$^&QSMSm}J4?UXY=zH}2gKhxhxZXKzpD(}+U3M^aHB6$SXTrx^MAKYlnp
zt0Wz^{SPN+pN@Wh|J~b@`;xdG@$pX}fc;s}@!rI<YE|_Uih>FR*Xh4M1%$osKG_Ti
zQ}G_UPj<Rn-HvVhlaAm1TA#ahpJbK#HCl03uJ+AMuJ)7v&)n+i_!{b~$v$yDR4Yz*
zIp30sw$OCT<YuASuGs!lwEvlVf?mw%6pIN?`0^IOIp;rnJI|gK?0>IzcOK(^ujRR}
zNGoOUik5S0+Ak(Z%zJ&Po)!G^rQ;eD&7nJq#yy`hOu4!mRy<}ht=!VrsOV5qJ;Eq&
zb1YaU7pj~0X>MoZ%yFa#e&7XJ43ja2Cl`3O4NvqXj*2jQ1z6cbp{ya*0(|+R`ZMj^
zz#j<}x!w$P>}ea0f|!y>pQd@{^vd*^)|tQTBodfiW)U>(?>5U`tlMz-HATXoymOYd
z^}@DTFx6Hs@0{z?X-p#=i2-!Y@VhQDo|cEFFw&k))}pHGw|n2D>G4^^Q^)^T=>9R+
z|KruG7e)V%7kkeh`Tshe8anFOa#!vll9BNTa6q^ke%YEr&tqIYJ=xqHCPDv+rs2FA
z1rIVPU5J{~F^VE8bQ(%s-+3`;GY+?b(qJlBymqLm=fi0(Et^YK$*A~`=JNS`Z(H?H
zbBY}v8$`>!YaClu^}MOG><Z+HFV-RF@4I`u)>z_r-eg5r?`4yBC@j+deEyHsaDX}V
z|M~OXy`ule?xX+5dY%GRsLUNIQALyeTq@8UXUHLCeUcc3qJP>;C9Cr$RM}A0q(T&L
ztW;%E*8BZz7H2xbp-#|fe!aCnu=+z6+JOBqq*o9`92n*_OjP7IUBjV(*^2?Zc$U5b
zh#3{sr{Ms8esi2_k|ttElPIvsUKLvr6sVZsG(Wq_J=@$}v$thy-^!XMYn&(xyg*TR
znjc$X`R!AI2KH%<4)$q*7U>X8HqQLAlBl!<e-2<@XR%|e30p4VaaM1{=ycg-YMcIe
z09~B``C(y2<wE6wXK>}{^nEt0{L<CfAzDFip5bY+v7~FFtWcTVslghRA57sKsV!)Z
zX;3?&+hNr$;nFmay8un$<@{Ik6;N<UQg$o>+-E2@37K8dx|TYnviACJ*F5~EDF0^w
zW=V)wqX5ja|2%(LJpXz5?D^yUpS3*K<xum*Em(Y?p~#6uks4FcoU@<fTqCPJ`zZ`?
zp|hXnx_{QQp8_3kR#Tk9a_m<`Oy+?J1p$%rAqq1-<C=^b?l)?UsBK4*C>bs`W;BTl
zCYD-gK5?`q*@UrZ#UX6kF>b*VXPAG3wO+%#x2Ht^`6?rS=x5&f|K854V*c-)7mx8j
z*76icXgN!($w^b7?zxTDoZ7XQnU6|&V*k9Rpye+XSyPbGMUNS|Bq1K-x7<gezBvvf
z6mr}F7;%+1SkFX~uK_%LpKx)KMEm@yek*l@ROa<yN}_`9tigUjBY{7Qo@vsR%ctmb
z`zjO4#o_TmHb(ivSO@bjj}PBuFJe2*AbZC!3O+>P?1WPBJqa<Nae=4q_dgQCaPWrF
z*bTU4DgXYvce0d(#m^kGRYECkbP+feDslXdM9Jseu+)(DqnR9)iXWhYR-*6+howE7
z8R#JGDZHQh_IBV?`$nfRN`I<cI&TO|U!?I<#4oC?gAkGF)327N{+XU4|JSa$Cd3IB
zNZ?Ttax9h+3Yz)<bH(g){C{s}Z*T9B|F7e5nL3JN?s(^!#XrU3cE|iW68nST)~h?X
zS*zn0qml=tfHa5CM~g?|uqDl?oz;|2STH#*U{h|t1TCjrnsk+o&;&Z8LD8yN<)%<9
zT+s1q?3A~$i?kb0sdT#mx$YPa__2S%lc@>Ypa5$l#crxQU+|=NW>%*69pd;Hi3xP8
z!#s4il%}rJR`4v6RIaDAO8d@k(TkQS+IL~{EH<}ai$?oJ-<P?#v|s7$vU-GSJ+kU5
zZH8tkTRO;mq~UUIGuN8)vKG2Up|W(wS16DnwN-Z()L-WGuag$#PC(47O7Et+>Xi_!
zS?=76az@xnvRRclwl^1r8KG*hHimXqq4a40-HMoz6%BNoFgb6l(~Y3fh(ts<ISB2W
zcGkA$jZ^3>qCtAPn3Z+kRy(a#)Lv#7f`*tC_owr+X%KGRWyZk$2@aAFv;4~EUJoh)
zh1S$7^_nH<85GWV+n+ouDpFb8q%o~3FR6~U6Xk}Vr3lj>t4}ExB}a`U3Ba{5EUa+X
zoR^v?n)z-#$gZ5`-+O-H#ZASbtO@eJIe&aNKq9dPJ6q+`-GpO?f*=>XEFJWOUPa)Y
z=#MSq&z8qo0tT4-lpn#1ict#GU0L`&e;G1+77GyJK5c?U<ZGx4mgO=31-udTX)O9S
z#h6yCvGDs&d|Ww)$|?A9Rqd(d0XXoAt<3Le`B7(KkCzy<)5zRz<_&rO<cHJOn_bV7
zOV)*My2c+)&c1ZFs`tX2YsFd1e^pHzTVt#e-E@msRPH6KsbP;2F=<utx;6(%)@016
zP7dcyX@I-Xjc9c{Ra+@*#>jJB=+0e&hWX8H#X-J#i(!i5&w`=vLo}{*OR0(e+*HYo
zRs|)_ctUHCHGZgyo~>gbSGm;G7KJC*a+Dwc&+nDJS7L+>!^kc%lelFY=(ZU@jxLM*
zMRRVAp(k&T-yI&P3>}}|e|Yn@(4_JLDk$TXFlpFd?cyd>4=+c*tH)M_k6IhF#>_OY
zd}&x!@U9*}Ro~y|yanx}`~C^fPVlJwwZVL*E0!dF_qo8chN?~;|B4oBuzMaD_TRnx
z@aw0y?~l*^*$9jQbZ3}XfVkXc0m2_n&Z--%^d_y8^$HGOP!oUEKB+)^+{$aUjsVz;
z{Kt$AakW61E0Q0eRE!7;-{26<PIVaVDj_}JNkye1bYskjI%aLxVy<|xEfc?^bz}MR
z#nyP@`<U~y3B!Cs!(e`U#TvyHM~H+8!wa-ntWj(cf6j~{8M;)6=^DohGCEYr>H4Ly
zxYY!ZSPHV&PIBua<4L%n(|2xDO$gectX8#@DXqJEE!3UrU6e-u$Zexs#e9)lZKFaj
ztJp_{CYRhuh1QneNreViv6Tu<K8(Fo4nA|Yo9QG61ZYCkx!bAG)`I(qVNMg~<3=M>
zTBxCQeZc=->TNY#G!5zNK1$I$Mq)CsE3yK)FE6q+^jI(TEh2;H?gAuGeOI?Jaqwi=
zrm`tkH#&WAvJem)?Ym*ZVj6oDI(Ku^Qp@WUR@XhwC|)dUcg;r+s}QXoGLvC9C-3G{
zo@+6;+tO}WNSFR-Kr9&$zdHL{8s1VNZ!Yu7VpgrJA=kW>Z*ZaROWiJFu&Rvbsbcd<
z$juMsSy<jKeEaQcN1qmMJq^e5c1OdjH0{j&R5d9skRblyo0bbRosj^ZY^vaWPk#Jx
zdUmw`{w>@9jd8?z2z-Ke;Revv1w6e5bIQF3U!HE=<;+VPNe37F0SiH*aXv@rkR}5B
zgsCLmEQwT{#Wd<}(GIl%Kd2yvSpy?Rr+_~bE^-x%126@$c)qWnZ015pRuXe9${$Ry
ze~~4M0yo4ZLs#HU=6lS5hoD<RJ}<89*G7V{FKl8i8woj^=G^^Qv{0Hbk7amt4Vp+=
zXJz1W1Z21Yfw7#-g1FOUcU+9Ndd2iJP-TjIv>`s)5DN=&I~!sy`uJR9V*Vcatqh7)
z=najQ#oEj3^=#&D?Ta<tEM*y~Y4f(Gk(%a~u#METxRi0Erp<?89dR-+ED6~v!$?N-
zm$x%EwzZt4F>U&eZH;yPtY%NG$lh4j-YRz0Ds7H+js6Gjt0hg2&8@A}=;$okquKF4
z$n02Y9;s~G7QB@SGOu!UDuLZDo(R;&<%33VMcdrsUW>V!bB&L8WZ4_R(;CI*X`Okm
z#zeR2BLOvS74_MYsX-P0q+7;per%g`5kCut_L=hi0nf{VOTW%S)_nPL8$X!+cZd6@
zwVK1+3(472VHbDx+D$hmRe?5@95Mf+)W~{naK{wAJ^gOb3d=ME%IcsK>=Wjn-x-{5
z;-r-h;!h%s1FkRH9%D8ooGTae!Rs7WUKR_aByv*)TFu{7Df5uDw2RTX0>*r$F8gl5
z*1VIHt&*QRWwnz@+fvsu4i!x;k$5S0AC#QeP2+Vfr?u_UYCw5$RwiA;$|EYh56a-J
zJh5ux7&T4I;T@K9z{jrQ7Rq0{yA56MME<ws$<v_K-J3##^<ql*_jG&>M`X?c*-oe3
zE-AyPa=+}j5UQgzbA+>{M6=rpX7jFqG~&OVklY8JE?Gp~DhjR&R!TTk*c#vwN<snM
zZsnkwk#&wX;j}Y<SsNgumhMN&#p#SMf(aAK72xXdpkFFb!8g(kIcJ8}Nw{u)4I9S|
zt07o|oA=cGyK1?J574BLrLiFLY;oaK(b;40={*hb0Crxzcu}{&4RXL-8NggG&2Q0E
z=viDQA_7lKlEE?}5<sjltY!ukXjZGdEw@BP=)2s$K`N*iSU01qu8H3U3mL$5zO&+q
zLNQWNov5)u-<5Gm@?i4itI`d+R-IQYQq8Lc$yNh-QW19~=5)%q)SpAB=DG;gF4Y}4
z0xi^kQTbo7=&G8&%rL}WKu<&B6ay+iy(CeLwXk3W-&PS6T1KZb2%aUX$X)YruZ063
zWyzI9*%^E7B^?)*PR)GBItx*iR8WDNnV^sZ#vcjhMU{*T%F?Mfh+5>|mGNzzhy&K<
zW3J2UcGVT>!n*KMINzFk+D`w|x~RNvOp&G_1T}5d*;}u3$v_qw<=f9O!$tKd9jfzn
zq4Bz{wi|Q~FOoPw0-p+o1Rl>c<jW~V?9yd%jPmttXEisgoqCLhA&JI6tLn#y2^H|N
zP=6Eu0o@a<W9D_+4<prmbG-~8O2RO0-(`sTat2<p9o0M-%%4jkK=WgiuCMiJj{miq
zBw+L6f4+E8%K!5G`OC-nU+Z`(#QG{RZS_gOzN+Y84J@R6Ua!gubJBV>ce;2^uloA)
zA~-j2-->)*US&eBit@Gjyb91-FrC-@+I4!x9SrzXiMA&yv}bwf?$<%5KKxFbmap5z
z<Sxv<BA1zat+te?r7)np$D5nx%x$F^lOr17{JmWJrm5$0t?T+EuB*tc2F3Vw4_<hx
z=KpdIs|y1@FaN_{iT}TNw)>d>do534+p!_?ZOCu0!1vWRl!yss<ll-b^e+CUl3k_}
z!3n)}E{Cr|4$!#;id?xVsJbMnC?+QIGkknHKeD<itB3vc_fFnA0w15oG_XenDytj8
z+!VXSY^aJP92aWp?9lLW?n?dMX%IgYhA7&R=4q%9GK!@#KC}mg6x7#`>8S7csi*%#
z5(Ok0uYe8AqyIb4o)`7MmoIi6>Hj*O)zkm)G~WD2vjG}n<8x){bp!Z101o$T4=kPx
z|Al=inR}2^$W8FjrlxAcj6PD_|E#B){u}f_8a<X}0dwg8&WmR+3-tfhvsaJu|5~2X
zRT-Bq)Nz8M1<(?lRwTb6!tqx@{Qq1Ov}XT@=n}6g{l~ogA20S^mGXb=Jlg-)^IXqO
z4t{qTLKK#LE!#fJW9X7oIm5~$XKoL!E8POCsx_Hw8ID8Zqx?-jyOyf814(SH+4Ht(
zMD8K^iN%pS%V5&Vqh`T0C%KVV7`OHMw#ye%Ec=+g<S~6o9x>YH2&t^_n7pJCwvWk6
z?ml^m!N*(YE~&5In7X7if?K8%si=IbEFQX@TO|@HS6yNR3#SojtTwMtdr})SjDiCi
zNqLAwA~*S%hIBkTEf#6?Tqw2I9wNCzbv?N|N@??$QAIruKOo}u{bp1#6z)GUp-ML9
z_xq=3Z%>vVdR05~W>BcJ>dY`kZCgIeiqlMsu2wPdKXr1LEUk&!VRYowFiZa9htsn!
z<=3*kPe(t$|L*O{1I;;8K-vF<)H5z_&s!8tQWr}-Gr!K7GSBFNv`IWuEIBuC%md9l
z;~G(_T5)!3bpvfZk-eQ>dsA4i&P>_kmwvBof_p=!h(tyBu09V+4Rjo$wR{iliQMht
zcHDW;&T0@n1_^baWv(ta!uQWVy&76QZ<SXb19i<gk2FKM<B+5keJmF{v7*6S$4#tg
zYnhmd70oRdFR`M*VueC`cN8kIWGAS<^_{iTK0ngp3jvKn&Ya#qp(yxdtxKyKNL9en
zQV>Wj!mS{(YHdSHhE-MVR>xG$S6nKnYE>^QpbD!Br&`t6(sW^^fmEwnyr(Ft%aexY
zbWe9q8w%Y&2;#78c-Z=;RvR1E;NfFn*d+tQ_Di21Y`&;Y0r+>HE^2PJsA84JWKoaF
zq8^h)<#GNoS=3{)sN6FmkI8`^?S6j_!`NeTAoDyX2YO5nRDAiE9H@3jJthZwOb%4o
zEq{i6^_U#Ueg0EyK#$3RnpKWwOfC8%KjsL6#~eYAIf5R%Hu;z%=t1QOs&`W_+w|`>
z<xkrD+@wFP(*86N|HiyOE!n{B693$5>Yv)13Qp#q_9q@Yt#?4n{67l|mkY{ZZ7*t6
ziD2cr6%yEdA*OL#H0J`kWj3HY$Op7^MxY8UWx?bctyGVyyg+j@1I;;=n>X8v>_B@9
z949tp2&&n6H5m7pC+IOxP@6nKi)^_&&S$f5N}0tI;apclQLhz>Y7wx&ZYq1pj#B;u
z64JQ0KW>$ero0FbA{|Wy%Ws{H#@xDIA{kA&_gm+pX>MwXR5UdWFPDj?MWc6>h{mqk
zf_Z4l)s{&^Gj9-gnT6&yGpSBObN$dms{g5;#`tfmN&hl8|I5prQvR2{m%ESg-`4T8
zaLn9nN)DrF#>%t9d{vR*>gjsx+%T2p7fTJ3Z(`xhF!j}Mkr*c5*xbA@6~*hatP}vX
zSXP+%m9JYQg;~jH7fT6K8^5Mq(|MF@!mBb67R?QlAJ?r?!{nQ2nHgqYrR#MihS8+$
z!3Z(c{9mF{dY-zp95A2%KP$$6e)W9sk^isbX>lWK)!hAS=Ig2FPo7mbaQ2!S%|v)!
zw~Mp)rWS6);fw9LOkNJ%Wtf#^^E^{ZG^S=f<QC-iZR%fNSE&8o?Koetzlw|ZZ8>0N
zQ%5a1Vav(|4ZP9CdH!VWi#hWxHau_Q_Qh@IUSI!?1%ihn02KMZ6Nz?Zeay@M@bXnL
z|HJbakNJPr^DN?vWYgm7V7gmPX(42RuRu2FR&3pFK|1JGiwE6~W{MwT^hbg_77qD?
zx<Q43KfO()RI%a9=Q#4+qk-#{=9kd>zc<0*l#C<F@G6k1@XXEsvRlaiu)FtS@7d%2
zU&pfn$4CgwA`XIrMgh2*;0T5Z2?G+1Ax8cM8e`t;Y{1!saNtR-gdgA&9ELCs=};fQ
zkZ8OuHxClz601{M=RJyo&IUwytfWfVj2Rx0&p6O_i@$93;6oJ7fJUmO91_HsK}aIp
z>-657emWJD;m!se(CL&$@XNs|1cdQUZ%jmA{Z|ja(;NPq_0@mvi^;ez|6_mh%c!3<
zG(`SI62pjun0LPE@vFG=O>c-UI^XofH12%!e>)rS3u1&O91h>S<(*#4=)bTpIz19#
z)Ys)0{nwxIJVNjPlehbC-oNclgFES?asTh_>^<AvE$si@myh{h*7Iz@iPAGVAJxCV
zZ%%}W2YnNnlhFPa5Dq8;6kJNpD1Zw*^RyeakNgQ%q63#(vj>Ml7N#SCBVc%h8N-1j
zD~JOE$pL{2miQuJ7|hjSP9h)6HaYkxvfi+=9Erw!8zzWPFyDrdaKX2MWA$Ik1P;uP
zArVs)b2X01EXFLP<B*PduhZGsfU|f1cyscPPUrmmT=~Rrz!_FTjPZ9#bma8T6Ob$r
z7>+5RAOLf<03<m0px;*_0`HmEJ)chP?E_ntL|mXSgz3yP@&n}VC&(eV<2YtCNPI;L
z*F6;Q^a^tA8P2^p9gC9u^-wo9;4l*Dmrh3!f7Lq-DHU8W1$S^!M-FgI#3UKI1GE2n
z0rf91^VBG|Ai!}*XHy&rppk6or(}p(gaytJ@gjZIBXkSQ;S?lXuA!J<`1m6Zr&;F`
z06jk0vTO^cC_-b*dY#U929O$n3g3np5^i~r>K?_hGnEVTMonf5MwGdOmMEv2*K-(w
z919%i_DN(%%X{F!Zh|-rF^)iBF7yVuqU=JC;pm6MqyGmEqcOvrZ-bAS@XQRhVH74f
z5`pUXn9(T~6P$1fJ3(XFy@JPgKOLXsXCRkX?PawmHsD}Fsl*8^uH-n>@;O6S?dz8Z
z2He@lPUoLA(R)?5f})x2T3k`LF$3oeXmZJrDPd0;JHJjyhz$-o{WPMJZn-ZQ#(jN-
zDSsDe3$92QnqC2!Z0!12v4BFl-&11;*w!GdoBUFP@=V9Y!R0%%X%93y@Cjln3vcIa
zB2k${Fv3U@P)TP2BY$GB3Nft4KB8eruShf=bUHVt?Y7TNVJr{hx#`?^i#>~$U(a*X
zxq(wFI!}{OkT}GOEe;XKRjcHbr&cz$<$LfQmQu3R-e)v{i9~G#Lo!xHI2L!f9&k#c
zafsoH5rHA5BoeU6^*fFFTlsmsx6^fMaM(<tpeymMyBc%dJpN*~`kC2vzi*Q1*lbt3
z6MJzq-ZJy}OMx_0)ic|?qW)dYL$c~)hE-S`P6Xzijt3bph27rn-d{VOCS-f^2T()S
zp7nOTAr|PF{C@lk#Ef1NPG}@$GmU(bkx9yuL;+@@BH|<(F_g-3MpRHThvmwKSDevQ
z7?E!^sZx|p{<OkLgr*qIGil{~kO@i)Nmr6cT2FaRU%4S^RL{Wyie&?4cJ|&vP8O4V
z8^gzA#LyH=1pR$;BTj#80moW^Q_`twCi@Cvf`k<^Y^ykcAYmGWYC^h9y=72b!4@q%
z3^usClfm8H2PZJN2X}W!NSMLhJ;7aqlc2#hxCINr3GPndaqs=UdavsIIMutm>h$TZ
z?!9}jwfeLAp7Gu8XFmL(%W=RO9;fugyjm)Sx=#&&u6?F=X%ep@B*0SY8j;enKqLgi
zTrrxZZ+UJcIs^XmEcKlwwy%Y0i_wcIcBIz<0k|5LRsegK57l+&mic)^*5XsfqKXI)
zr}NFv;Y<%ahOG_1QJ7KsKuDlw&^BXqbF3_wb+hQ&*F*6izJK!#&Q4O%41saW?yp{R
zH?u}B#J#OV?4;HM@BgyO#cCsNa4Lm6G|A(Bpd*jz82fU#J+5{KKzf&Dgyz|0yGOG1
zf4{>6?yp|sC4bvuo0kIilN#YbUDuzsPWS4_pkwnNF)L&a2clBA`9rh^)!za=06bWC
zdf3344<9A?wLzJi>pw4y{$wdHY}*~_Xw_beSM|W33?ZgYdKQthm-PQ3$0O{z=jy$y
z()liq6xsStI0Cr%gC7Z-rvG_T!Ka3ULqe7$L=GFsvjdqD;U1Qgj`GA=Z-rle30$N`
z$3{XT|6Y+10h2yl-XEXD`eK%M{BpK$|MG8z3xf`h2tR5&p`;WZQ*y4Zy<K~G?S4ej
z8`f7IiZDJ#cRm2FAZh<78dtBOz^C-~3l5BmQyFb1Q;IZL@_Q16u&%;~5u<r3TEcL?
zx+lOz*}o;c4lT??p1ZzM-naqGA%mZXB2?$ZvDV6<#q)2$!59dJ9ve%4MjF9L=-*|s
zS6bnDA``~O+8=iRNeH=f8t~GDusOEj4qyBgYVt-@9Py6K(vi^(yIJ@p7U;Sjcq&M0
zPMhfWl*NX}qDUqRG#*cu7JVYQd1dh+h@_Ef(!Z`N{rc&NVgy7PtH=Q$VZVziqcK`{
zxZRDC_6My@WejvVWkRGkclfB>mfn@+rg+wDf$5>JEh51#thcB$`;v)v%A!yZm?r_h
z5<t&_NqDHw$vAoup_%Wi<gH8^H@CmRU<pZHYzLDj7ZoJ_0V1ITFXwt>&E$VW+y5Yq
z{uBG22eYbYWH?7rhZ0UX2#4^*b88Qd_zDnlK~aWSqF45jA7%1g1&W}C>J<`BarUsw
zblXKj0?UalxO?{nmw@n&xCL@Jk@P-_I?uPkNwVzlV<*v7Xj#)2)G&%)+)ulI3Dp?Y
zIFK}z?mjZdU~A|b1`^L<y<x9mZl7|T7H|EFvQ`On-(E0U(s8|KS4O?Sm402g);<wu
z%Ins3z=inVvvz}B08-%ORTk8DHf)y;g!^8p0;4Lb7s0QS%lDVC=*K+yE@8jN<qX=<
zw>lnytc;m9*pr7uL~iR(?|Is#jT#YvL;U4{UaUY3!+^F?k=MbGbTAihn-_U&)c>R7
zvz;<%4oRT8F`Yux+=-<XH;A}Sq}bBZ^TlagxqXi1Sow45>5-u)$y_LEwFDQm9uenH
zxv5+Hsdw?<BVsSsm(!D@qZ)Le19P)ur*xP>paH-@0Li<%cA2k8+X+2oMGT<*@Cl)z
z*w*?a`S|fi>fHy?1NBbv{Nqq0ua<0cdAy{~w@%pr$pU3k<}QT!#T+N7>L?;IX!zPi
zR6y)=rWepl%`CGs-*#D5-LXEP8>d1v@jg8r%a=%i0cjEU-b-)oxGEO$zl2_kfrSJF
z)h$>spos3I9^CIWVeGmNA#TensrfjzbnfD)0wU}ko($=(fV#4DE5jsccp~`{-cj5<
zedB9AZUkd*Z~dASk!ikxd)MIfhFOlJ%+e!~Ye1c7-6s{x2U4^rvE820pkzQV_5ZI-
zHTTPcjYoM8y!LFn2@@VpFjsrA-IN+v7(mjIHUOyi;MI*!(W9hJ2GuV~(UyK8sF28Z
z5~E?t+!*}{;s<AB9v^ia?Ge~J|A#E9Wcvet$n`z*6CRKUO9dq<`Uj<I#q>P`=GvhG
z?*s0vKrUl7Ht^AqKh4PXuXH!o56@b213V<HR^K&F?%Bqj*~GSgiE1M`ruO#lUDqXY
zwFD`;@7H27PDkzqDJfsXp`w>fOBCH<u<69LS*2)10s2j>#3Y_!XNuNLL{GQ(A0tbm
zWwUg%)IQWj$*O-1OVf`meCXEv-kHDIL7!CzfX|`0=bj$QIp0XzB6eis25rj1-OZH=
z9k?FC6r1lF>EA(NfG8x}4EdOQtS6;f^I}{n{0+4l%3HGN`f(b>&uBy3Uks&gTu8IT
z0I!6j;R~|z++|r+a@7+QpkSps9&jPS6xyN`zUW2x<^z`X<$rlbq&NHC(M14M;}vc-
zlNGcfVB)E^51bPxqbWz8*8SMtK4fOt5qW?WRF12U^<!tEA}fx$Fxb+C{6nUzOXsI%
zA$M0-2`Xx?0y14B(kfBDWv)7D7ObqwQD<&}R4!y?TlzV!rh+LQL#$%Geyq!+wdG;N
zcnEmI91ZSZUm?OFoIoT;OXBgh9}5FvX&B`BH*dns1*>;s6^qPI%&+YJ(g2GgmaJgZ
zk(z!Y!SSd>Xg=7i;sm|4d01QzOjK5U2}bky3h|CcW}XDe=x&k^S!cS*xZ&LDb)==~
zJy$Eyvq}R>9)HhgRQ`p1sE5jPtv4ZI?kI}&<Kmvos*btS%A=r)|CBY)N|_}G&5eZC
zFh?2&Y-syf#OYm92&aj0QIKzji*g{s9cS;c0(EG3!=$Pf-Zarb^TcW&Sd;Vq?mfjk
zF!!q^+CM1^%>UtKg(J)f-Vq#`89WBBsxSke$X-#bw~n-Rsm<aUWJCTT71o0Dsb`tf
zs`%y-tXppaoIm4sS+}~o^5wstY+M9;p8S3&LOj-tTEELc+%d0Z+s_yMtZ)})Uq`Q8
zb}gQMNmH(DYU1ZxoxI7iq(McXUN-_qQgSwS<2|-2#7uDVD0|)Pewc)=Tm&ya{Y(>f
z&&EXTO`S<aG3DV_+6Z27W_q=|`k}ppBEXkdGKAc-+Z~k^RrYoJ*E2$N$L%))x?3+8
z7@iBw%R^u(C6!=28yy_}rI3%h<lb6U9|FK!!adA)X?Soch@|T{siOz%sXe@UwVUPs
z`vn!We=`5&qm+>Q^LLtI)_|U-nGERdj_p!3Um$l~oo|}%_}3lr^i(t_+I8zaQNIUP
zo0Inda|0}-gG;ZRy@#2oM%W6brIxLjfRDy0=Yz(jI84FK`zlf1X+b()RCTd63DtR~
zt{4#W_(2a$@J)ojsu?e*g}A;sH?s%*2$2P8mnK^vFZ(wIX?m!1Hi>ys`yMNFmN81Y
z^(`?K<1c5{^!D|gM*Sc&EiUe!a3ckCZm+>4b3UphwLg{fJYSsG3%x$u!b~lFYh0HD
z2S3qYHG^#&=tbR?ss$$UjUHVP;F79^)V0&L%d+|7K1HjX+&l@Melc2o9;HkdVqNY{
z<SL}NoVuHcoq<>jo;#$niu+GK0YrQ9LKgGe*DlB`M1Ebbn8p1Bw;zYDA<tefzuQkt
z_7}roo^<z;kjp?N&vw8LSFZ9Hj&i6>0KD2iJFe*A?vcYu6gTniy-|Q(<|!L0{0+Hz
z28#*`Oqj{)<BF&0B$kO^ghBp0&UhD^|A*L|w%Qv8%crv)uZCXxq^CQjqAs9E%&!B;
z<CGx%U);ro>fA;VhGbvoEjMi)dQ{{i0VSBu)@Mk*l<UJSr94d5hebnW@Y@Cctih%s
z7MHz`|JvqN;J9;ltYho!r8v^2!hRh-&`7$&3{)-6$ZqRi-H4|vP5bu2-wbMS%xUkP
z5Br=fntGXH&~*qSn^$4Bpg@f_I==g~QD+I_7lHBzK)3C>)KQ~}PJ`RVzTI4P2womb
z^jZqw+VAKXr$*z%2c0-YEQm6#2;^jQ?CDm~;U=q6T1+I6Q7z=<taTgq(x;izqr>7A
z%ny}`f(&pmioIK~)9bQRX2p?;*Hxi+C=vF)(H|YJcPOB>=8=l28=F^XsHU0+&rYEO
zSYM=843~{^Bcxv!7r2<;%CCg0QE=&W+1{H`@BWg<0eG66bRtV>6f=As<v#)*S@rD0
zaK_C~yRM2p&zrtY&D20~&7lH2g7Ev$a2eu|O^K*s{;Xh)H}U@<3@m&l9=oOv-Ewai
zebs?G5;o}Z$+%NWK*wNCW&UtH`VD-FJ(LMIuj?OpKu;yKJ`Or_l}Th+mc8o*I`iFv
zf))mxXdTeUOzV{;lSNW|eUgM*9Zo_>3+=;1@5mSa_rVgyFBnl^Y`y0q`1ekL3<B_f
z??ljEAd+Kd&#y5Iblh?a6f-_9`yG=!M}<?qsxyfX3w;+i2*(eeu}i7;U74l!gbr$~
z$`?6PV#{5Dh1b?wY6Ny~mt#ftC0vN6=Jm52n?k;Q*4W#0qnya8Q#!!)wf;ovw*{*t
z_{BEL`7QmrhD$D=j(h-%a<{C;=|k&MjRgBZG7s|s9TYFFPy%UzEWI~MhUXP&cjitP
z)GG?oQ7E#<f%}A)B;rDckTKjs6#oArg^CvV<-arZabl(4=1zKYv@tcsdB}8ipJtbm
zJEQ}io5cA)2RW7+wMVFN{```?LpK#@J$Eu@e+)Gc6g0&Kjw>oO+bOhGHL+#R245QN
zaN0}qW_#Iso4FgXAY~`S@8wbbA)zwZJ!*j=#zok=Bc7_1*)kCwb}h&?&d<Pi<r+oG
zY;Tcc(xmfqR2?cQ4h%&(OIV*%Z<w*Z^ap8(bV!Jb-S3^hM(=!RARi9D66}(nkEuqW
zrfBm&%Vjzt_7a>WuYrm$X9>qgm0xeMU%kU350>93htTDNZ)u4CF@%|(Nt>u-boy1(
zO`ZI0xnA-hPxI%<taF|_K?luIQT^FG@~5gZcy({kfj){uUnemZ;t_v-A<>b^f2}?c
z(DQ!JRk1nsYs-Jlhay}Cq>-w*|1;kmigQij+WUE%^kAURpN3IZhmtgjiE>^9AMDrW
zFsveDvmYv6F>NCs$H&ufav6vqoy;fv{p2sxUbNM|gZzE4Fl`F%+vA^IbZ$+4{@`Z7
zK8dl6ymc>Hbe>8FrHS1;j2+Z|-7d_<&FuJdd65o6&I5C%{aM}f1xY7=k;Ro^!XN%;
zBM0fA{I^{uL5g0F|BnfKaU0Ma>i>#Nr&viRzu1dch<`Y2T|F`6FHO|uLxmIf_%B1Y
zT2Z;#$+d?o_K$+~GETcDR&Mo#oV|Y6x!Ybz*HF}ilQdz-Bn8Z?VAa(Izg^5E^rZRg
zulD`R&~e`UU1C3G(K<{axhbVwG%w}oaEmO?L1~CjSXZ~ZB1N8OA_AhR8T*m^UYNKe
zNPbCPNwb>)X+B8YV)^QdTU^Siu}dItuo?+?Z1Qu~)IA$}2cadM3k!h~4S%CfH&~A8
zPkl|Ai2hoNUa?}cb*?rdJao&d|Na$X51kS$TqK<R@bYX??>%UTh%m0D;nB#ol$5d~
zkQ4ZR<M~JN=H<Rxf`tt8Hl4Y;@_(oa!m|q(m3(jh$#cBWpxN?$Hd@FO;eb{%r3vKH
zn|)3@zD+z!gF6|jR)oDGA#Ic|eLl9pU-DQ>7)y1e(EvzzKN=$4ab6?W)2~1vLTB`i
zBCzomjETl2hLh?}+f5$^-^J5X1N6##YtCM3&PM&xwYs#_I#8fY4SWNUeII4`8ykj?
zG**y>0v`mC!(Hr%yqrXEg#Y|oL8rz2FL=7Fakw@?!#`CmB2(GO{wHDv(UA?SS$iv&
z)K~f4`t2-DbU1Onigwg6KL3t(;GcwI#P4406LR@++BP2&R4@vCgmpP{9@nH{s$Z9-
z0%zy67zrwS-S5Kp2I#}L67M4Wb~lFG3{WaF-`e&4FD&%P{+grEAi<b?=gV!7rnb0S
zIR0cTSlZm2OUe1+XDJ9?8Y6h@x>QYp&bETg!MQxQ*1!@S?DSEugyLJPJ>OpXxI~Y|
zJgz<ZmTAyWMm{U%cC@(OtP$(dsU7t^8@DAwI&(7}gaRxiEj5FcM%Dn@2t>vC?YeaQ
zH8%Ry?t6~YWBx5^B3vUm^RJP0jv#(hA*U86z2ab}4%ct2u8X_L@`n_}S!;DDL%q6&
zBg-ZYEdy9F0^OFnf`x(^>_#8v)5psEqR{+aeZ;P1;&;tXIqg*QrqcP#wZ0PXnqz<-
zy2Qz^6@N@n5EBDkI1P1H>zH-Tr1TAlxa_?~3jO;ET^|m2(EUOY)5gp#-qmpitaH*r
zM=+_`xeU-4oV`Xi4|kDY+g0y`5A+%|wV87NN&8z`jw%7tFSPj=In%iHkm#*$7DkZL
z*Nj?NMLDlkzpsK@4pQE`(nW*&pu868l7F7qO`h%hj1kWY(g`p2dZ-NT7Db%ajX!vL
zaDIu<P<%Z7!}*P(k`_vqJh6Z1ew?(o`|8Ji5*97o%(M{sjBE}?g=-)2ne0RT5X*RO
zM(l0rC;VBE*DK?faZGYh6htM*RmzNn5*S<{d?ztbj^jYThO1Rv`4VUeVJUxN_dOb)
z3n!n$E1KHyW_1ew$^nE3trKeW)q)&T^f^V+j3rfVeZA<W#?V!9nITRcLb)yMLSr)d
zQA86V-JR$C3~!p-aP4iwE@|D}#63oozH%aE8*Ye$Rw-gkc(tl95PTeNUQr1SZ=HnB
zBs<;23rxBL@_rV+AxFuk`EtASA>ogu@b^!8!x+1)igCj3Zbmc7Wqb9!NDQ%&S!)1^
zJPYsv{dcFR$iJ|ygLskPElYxKCVn);63VK<lbe}oUg4>FdTNDdNB~H^UT2NK^>^5$
zM1mCpiT{mJYw*Wa^_QoAl(-a3tXUQPFKF0h()65A(%jqi52Jt}g<0YLm7IzD`+MAT
z<vp~P0dvtyQf!`0(octgzZ2D`4^ABRr8P$lNYd(P$;ZB;b_AIAN?d$+VOBl!cV7i3
zIT=bCI7T*hDWpz)L?3rI30wO&oGEahyk7o^ktX3DPF;zce)QRTH<YO1LQm{Z8Av!X
z@ZE!C!%<eJ?t_30hCxtprU9kO+OYTP=K==<<XE?j&u$Y+Pvb&}cT8{R%<*#*;$Eg5
zHgDhV4W-w7f`r|GGODlX$t;(ETMZ*2p*%kA#C#vO(&HPnK4*w^cJ6hWN@qjS3xA*0
zk|y<@r=vtwqwXae9N?msh_#!9Q1Dd$#<BKch`_PyW+sxjGu$Wx7UZNNwSTcwLv*TB
z`88NtssAGe0>B4qSQXH-jt-`As9JpZ1Gu7`0bxk^L`5pGp0XFXUPMPm{iY|P6MuIY
zw-lls%g2m2L4Zl)_wsz3bEH0#8L7;hir?xbQQ>xYrAxJz;d7N%#A1VAqLBJF%}(Jz
zxrf9zK9piR3fyuFTtIeQv{v>u1R9O2uSRz}gxF=XkPw6XdM|C(e92R?#PWI@5~cr3
z%i@F*`tN4fFs+<@NjA=zC;+r#As0;xr;5wE>QIjSwvhErT*ZY!VBj{SsGHfrX$A`&
z8}*Z(*HltBp1#5e*;`U1VeEaiq(Yb_)vb<QG9VSiYO!6!{bhf#oU|p?xa6-wORFH|
z-vJ12;xvej@|Tfk*<}t2%onAZLeq?4in-h<F+bILqSZ=Hp)_-e<3?qaFo~J%JJy%j
zH@x(c(KAmZE7D|lo`3F`Lw|x}x#eETpmh5<&uT4y_kF}CV5ygfY1T>Ze6slW7Whg&
zR1?>qZh6-$zXsKy<)|0)@P%4Iz#JvBlmSJt>q>vqVw^-#1$rD}NjLZ#R$?|h@ab(M
z@*j_hh6y*`gYmu6P-mDG+wH*_{a%zS*W-im;!mE(qPaefrxjeNTCNn`@AhibPV*cp
z_YF;7Kryf0AwQcRMcgWmZv>9C%lU-ap(IAS`AT0!qAFY(pI}l^P1cQdAQDnzua?z4
zcI*+2{6>=NR`((Cnx1D<`ppkUO_XcVoW?opq$Eg8hN!c9aX~H5U?D&VAE;##f@G*3
z9jm4^YICKj3^tG&N`LT_yZvrb&|5E48kx2irk?fdMdLKD^W~*=>4rI;ENv$GNo-r^
z2PmqR1$A8U8Ephvo$lxOCmzlr^BN!g>irFrj%iXs?yLZDpQwge%~wggu@z`gj86J)
zmE4NUh%I5~R4PlSkJSlvD;>FDbAoB;vEoj2cyHpn4RcjZkJNU{1DyrBg7M#LbB0t!
z-Krm#wX=&9(CqZ*9(-*Cz_G&EC{!#K0ryDqrDuS6mMH$ovE>y(Bsrf7!-_3-dt|zg
znbC;fueF5|{pvj==vG>S6K)j7meXh8aLw9TkyssiT084?zJ8_#JWbdX5j`+jDRGL!
zwN{R2%*vZ+12AQfykD@!6+g6&5Ep9gliBluuz<%_B1DFB)BdOq<;u7)X~IaS1JDj6
zbc!*JNN1#t7XVw4lM0igpa=tr7MC<p=Tk2fLAH-=HodrWbYd!QbR|5s8eV>yV0zr3
z!YZXgmYvyEQ_0P0sSEjFSpj1fkf#6!g}jj!Y0}etaQ}Nz{CAx=T9hBFes~@;JX|bQ
zb&-6r=`3ulMyg@$$Vk_d$>Bxd4O1_>?7V<*eQ)@B=<cPcn4mj5<4v3GOMIKxpIAmo
z&tCOLFvZJnnN@nZ22R=3##5;|H~fe)L5B4`djU7%3SICT^&|IA1Vn}Fi<)xeqI88o
z&g^$Zy9h<MKRu)v8sB#dXwBE$cUjmrUlev{YViNAt$g?);a_Fg3pl!7a?=e#$+=>V
zwP(aHl_0hLnOWA)C4~{A9xm>XxDHT=WzC5}TI{6Ir{zM9+#Vit7?5`o;P?5%ozQ^a
zh^0Dnpyq4yIn<!x5E7Nu`U`td8HLJ%BiunOgplKEI(C1pCe5X=Y_7cs$Ih*b3`RUM
zqC=0TmCjMr>>vU?G5^k~M!=c+7V%Y+bls%Zr&7vK^ih-636f4dvMi+{a3hT|!g3(I
zr>I4z$^eLCk&F|@@)&A8tO4adZhpYG{HLYd3noAGs{VB^6M&wa9(Y0d?}#w8{8s?k
zLFaR&3r4p3tbrL7nw=3h@5~nmrZm1e{EuUhb~UxpwQJDtnQF1GRLG*UeWlBDL4SU)
z{Ptu{?yPahX+OSW$M(uASS+kFY45#O#|o@@&=1=0Wa+65b2{PU9ecR9-{!6`HNexo
zP0F}rBU*IMJ<01!#C{~dEqPaQq)-|6WB(_|u?UZ-?W}thYD5vCUh=imUdn2d1AVly
zU;A+TZ2}Gh;=OnyOce=jr0bf~)4s?QyHO^n*km!~hql+uuliNrQudrsi?1w8NZ}~S
zByH(*kWp`O`R7oGBes@JVhl{`RX138F@4^$AL%@;6hhzH%-54O%kuE5`^qbVNz}X`
zM662|PEY+tK96z4;AD+wS3+40i2lXZ&Qc=Xv1+D%gaPf`;Hv~4Y5;YO*!a<pJ=^;@
zJV#@*S|KE(W9qWAe8fb3O@N8qhld&HIlSRCV2UQWe3EH5WAC$+Ye)PyV{(=Q?bs&_
zhP|QK2Oc4_Ye08<GOOWa8Ro54dFR^iSMhBg<a((B+*cKibz`Nt+mD^*|Mr_sr7u%L
zOOb5<s3~bj2M<7jeKOzvn~e0rmD(HBV(*E4Wo=NiOZg#Fw)fO!MStTl>Uqn$E!c)J
znOQ`iqm_3;*p?_Qa6Bv}A@7SyRHq5m{3!~n3D(xv&@x2C@}mvUlh-M3RZ>wZ8xuDA
zJ-Vs$&@y}PYCC`DqWG-K+*1;4i0)W1qUtl88)~&1M}WWn$yVkn7P-F5#wAgZ+bOmm
zl43$Y3RS@w6tAtY;!Y8*%Cn_z{-%N-M|3YkBqM|)3n_)kvb2mh8HT%+iSps$g4M{v
zDfzw>u()CEc^b{fRSJsb{HCU~|HfIS$v(H_^i;j#&nR!^BCFo>dvw@D&_27T($|dU
z#WVkld*#?91w{ZsG_SZhL6%BTT|`&~d!q~L^nIi=9Rpt2h(VGjxHuo*a)i%6sdTSR
zyUq>s8vH7?{P9)M5Ryvh=r1qT{V9_4W(*)MF^Y9ea6E3miFKX{F<zna>ILkjDdc(i
zbmV*UzgZ9q>0CYTguNuabj<Y|MCpzu(!~<I|0LO$b<MFq96<4AfP!+o2~j;Z@M!hu
z7`|GAXjipq56NoV&IJBTDb6)Y;WJ@%QK^!o-C(RJcUWXeB;RaH4#ljO?i5eFT>tR#
zpK%7niY4}CfohoM%Yn<8vEP~TudE5T-&|&GITN+X$J;XI>yA2tMKJQ+)Zat5a`Zx_
zZNHqbD5#u>labU_)`J~m`IhZ#>cI9Mk+xZc5CS}=!Xhf8q{DTmvu3+NV`(J5jiT9G
z*E>A{ca93?H@fIr90MY9*6$<BYzS42B}-*$JY;;hb$muGP6Shwy82`m^m|52b+qg}
zbjNktg5spuo{4iQbQkC`@tb|bJFy2p6<niHqO6J#?HG`jaF0?L|J;-%0yk&oi&DU-
z3XBDDD9T#MjMv_wOAT3t1Bpl&fvSJk`=?}CNXVOy%~EZ4=RRJ_UUEAr3D{wO9=-5y
zU0FGlKs+^WSv@?y^8E&bAe<-FF`39_eFvcu`Y072?F5&HaE8AM*KH;rD@$lRe<@^^
zDL|irym6X(3R-$RXeqsU*{Cpxgc~pqCn=Dz+ovfzdke9;f6IyMiAF9F7L%5#=dQ;!
z=C0w0hR2cWA9c%W&S6B--gT&R0Nnna+};lyUJP}fcum}2wX>NZB`UkWv|uA-3A=vL
zO39w`VKS&1%aBs#7?jmDVdeWC4hD@{@MxgaBJuFCG}k4nz{_%7kr4$;3e=;h>klK`
z*{P5)oM<&u!_RERA?idi#ah%TV=9A)7E5^FF;{1X@XqfG`K|ZXCETZ}W6*x(w_z#F
z1`&@ZMU0KEg<H$1L#r6qEGj5LsXf|n5iO(>=>~BkU5X@#BYWramEIF=rz@w;h_Kt5
z3o>Sb5=RFjBg-h?d0|qxxX@q^Cc#L5*~NGU`qRty3(gJf7cM9`Ni+Alf+{B=)&$=U
z8iaddybmrKyd4abrs}$erE5IDr_pmc5=bYjlpvs0Sbz5Z>}_IEyUJvshi_XxqR9S(
zvU5JuBqE=%pVAs$?x5KPY$XITzS)k&QX$BqhxVRm9T1)eR3wH%Jf&Nc`~yA7gPA<*
z1JsObkhWp6-0v7X28+yChU%1)qeJ!1f}LUJghWboS6XTdlmKZa_^?rsgDs;c<t45~
zgEY8=z=ob)#B{tj#?V<eVlNUX+R&&{j5t~n>44KmOnN;twOQp9vV@yVLI~%rP?Gx`
z;U4<8iIx^iX3;+^5R4BZu*xd*rs#fKnd_3Cfo}NbK<9`^K&k&+(ijZ6$Dqfp<OQ^^
z2eO0e?i{J?)ue=H5IJsZi%l|7bm&!r4S2`qLf#Q1)g4;F7PXk=Xp>c)2P)X<>6_hY
zqlhXa@qmF)PHP4rZFiFN45TDSAGi_ChSVT08;LbJh_aDljt>M#?Gy<tZb@xdG9k?r
zt=E{I=O*Q75%3_W-m%X)?=95n;EY1!DwyAbl>BF`*+|BSBH~Kd8Sw`^(b!wru(t4(
zXjKNb!<BFVsVV^`bkScvov!6G#Veqc3~wMC_=!4HYcZ6Xz;P%MERJLg1kJ78L|yWB
zo#AK&-a&1~q`#YIpIP&~6D7~yVx&t~h$op;ZWI>Uy1>u*J1`cJwWuPrhQi76ipxv#
z5rtvSf@;ZAo%o9YSJ~C=NH#4G=KjbIXlOe+Jo2XkJ$PfpJ%@;KzRwzgtQqmcAOR4Y
zyW7gayrhd})E?_h7y!oo$y;4NQaDB|yUhLg=hSy<x_=baaOA8Lihfs(8HyJ=Li2fO
z<IDggk4uM*#hb{~gg|;$Y0e6GLt=8)Pe{y40xaPq)Ay-^gCW?-mfO^=A}WkDIbyNM
zeGp*Do-X|=OWRVUl?HkL-c~w=?tx1b=J!GimVphFZEZ#*w6s5c#>MF(L--!JG67)H
zV{Z9|esxyTinLvGDt<2VE#LPG*My=!N(FKDPt}W4T;&6tJbbWxIp&*th2`J|!?=j3
z>`9db@7_`*W%r|(#N3M$YYa|y6B$#bTvcN9ke+)=NBzo!Lt_zS5xFAC;Utb2cyjm%
z8kN(irGVZVUQg|f_F`Asqo$vkjU=&_Je07q?{cCrKOFq%?NvzZC4voAB%Y_XVWMyn
zo^1(lw(rJ$Nc9x?8^%%j9un$F(IK7OH|9~S$UHr0xyZvC-Smah;IxV-OZQ18mP!W2
zNO<^4hEBNA5Uv7lpGx*Q`@$$J9?1urR^}~QtQMEIUx@BXjYEnaRkOrIS-G%cta85~
zYFQExd_<X8dJa`4()fke7%k3z1nJ96gL$1M>nJ6|{#xoJ+X1_`(PYqYegGuDV4rRx
z*W2VUmarDOd=0e~7gnH9)N6TUq7b@mcT#cCav@>`Fql-JJXv8y#saj>zF{Sowr-ho
z+x@Ax7Cr$D5CG}XcAYs@!oc{ei|`s5T@K15oU`0{C(fUcNZhh_T4Y}ftNTCQ=`D3T
z?d#N$Tb%{Sl7aD5X~oIF)Xxl?0Ie*fs9-IxHDJBM-JjuX01HwI@Xl!rN6lqRGy@?-
zaSoSCGmO)B{-|v|Vwy_fIus4m&tRTS9lBe{ER9+3e74L@ZsXgeSuW>X)S_CLih7BP
zcA&=3OswjnJ))+BqJ{4apdm{Hsc42y5Ck9TDA9+6@_q^z999q($W&I;G(w?G<I^No
zDYcA)L^c8sSeKD6(L+i&8i-j=Fc1DJdDO|6u;HP7=~In}+RS?<O!1WQ`7?sVY>I-0
z*FCtPpe~&$Lh79P%AZZm{Ix2};O>Br^12kG;M8Z)pRfiw#H)i@H_tKh80i@;BMN3*
z3$&rL{t;I8D++)S>AP&^O9c8c%Gg_LSaM0o2f4UMm6l#&`?$s;$4~f<b_pdT&}cVK
zM^PUWuV|lqy+H*>#6M&(C2P1A@o+fw)Lb9{9vMuFju!cT^zASTt)NEf$!PqURywz1
z&yH>8p<I1k+OkC@W0;0=EHh{xq_9^%y%q&A3@6P7sdfW2#iuPV_^px_7m>LY=zcDe
zbB9|HxYmaybQ5<We{+O|QkQuw=)`pKA_TsDxgt#chKBb($~`rX7S9eT%06?;W9c2*
zoNz{XJ}wcqb_6v<mwBh2j+j}q?5lI@Ob_LcFIt9*6g=-6MtKbB1+5Wj(bhCShJb9F
z1884rt4N)LHaTiGKI9KZ(xxKq2JojpHm>3Aq${YkT|_bL^1IOKqNCzcbhCfsX1O!W
z(<8N1B%(T~8zG2fXjzSJB@E7746pNTVdFk|cEc*Bi<drYan#D4AtCc??q#TTCzS%x
zLL=*y9B^S!M{gW)feAw_iuGz+J3%Zt#>^SBr*@Ot=20R!WGZLsWttNQ)LHE75*YWv
z-ikMEP`M;=`bY`$yT3=Sr5nZZqT&wrror;gEap*8V(sg1zv|G->2qe351MdHcFatt
zCbWoj#|%(u%_rQIeX>iJ9b+x5+?<+rm>f0gV?aNS?n_a!p)zUYuH}UFgm~Da4g(ms
zFe?eiai!*GkS_J)PSEgnBhxCa*eG0jyMluDaIP`!&Ykg|QzPpNAkB5KAWKaAD2Qj%
zcg1H7`XtfkJP5-I-mng;BK}DH!C!kt+N9%(n|LJHl?LXsVvuJAW-6}I%TB#0=Sk2A
z4Z3#Zhz3jk`m+?I5THgvJ6)VfM5bUj0u4_c&KPb+@S%+SG)pH7gwMS||KxCRz7)c`
z&dWlBbdi$qtDd#}*Kare<XYODE+RZrjbLNH^uD|#ND&Zp$8cE&2X+&nQT7^Wq{WkZ
zP|JZ4oib4mw&4q5D3I&==4_uNtSCA<3j79tZo9%#k3pR;ktArMMB8h09;u|a2&KW|
zlJs2eL4FOK_NvUeI7m?)p~k_wEWS-|)taW?nRi$g-iKk(4tKv$fzWB^DI6v8|MVEB
zT{qCA!X<S-mAn(CI1yAk{{C&o&C-aN9($u8j=3tF6T{Dgn+E}mJA{14rupuSKA`2a
z4ALrW(|})0q#?XHGZK86LN+4J`2e+&blk*Q!?_76<h8>4%p}l*d4fxUr6y0WOJ`u4
zdagxxq>G(^gLf}(!7Ga40-&Bnp0*SvSi(&~MUS$^*OZmr!z;y%*3QM-Jq{PY(b3j7
z%x7U`H)k<zCC_wembQ_>Z~|<qrumX%TtBH3Q|bMSh)=X%{rok`0Ejo>$xlw=(w9-9
za=ig8#|eukEcW!!AN*J0a4Y&wiNaZE%1osS`=F$E68fO;>&@G^zsVnTP*E0YP-xJv
zX9#rONXw6T6V1?}14Uus(^=ZA5<ut=LJnMKqX}na!_%#R49YDO^b3?*5i3sYz3IVF
zVS_USC%en&|DK3qUq(m4AlS~6G0^9vLJ4_%+JaAgI<p=Ban_<BPLL+Z_}6<!uY?Q`
zBP^pVmKLtfiG-0m^p;g=nCv9D2>)3pcVzTT7CIdMI9R9+k)6jaKMOY?F<(475<)8M
z0WYFPipUKI7mu39*XY?;0z)lx@1!nu@zDe#Hb#nZ^JWKpAUH6lhP0@D@$@<37g-8`
zXn>ASSPRrc8wIBTt|OLk^=Pj<LTGVE)V`=f`N+rqDCVDD{w-Zfx;2PmpLOW&aFN7#
z<J4kZs=wz&nE09Lyv`He6%zBpDfs+&cPEvQly-O$n)Z_URWtpcjywWAbzY8&MH}E|
z835CZ^hRJ_229y}g^+Y3#31cMm8OuTqc3|>wK{*~Vn~O7hTvymkdH+HFaA_k-!Ro-
zEn{IHjk3CN{w*^o1tvkF!s~l&M?KEa?UamY#PKQr8FcoNT^QWs1uuF8IRg3}a}mS^
z0i$PHcB7K1l1t=r`5$R(u*!>YH*vSN(6&syxmzgc7jV=f>n>bcnB%-p3ov0aThY_q
zV%MH07L^yp2J`5d@4Scg*5(yncEr9q4n@$jM$i@ZEoPU0jBPU5_&Gb=^+zTLris17
zp*J}kzh(&`EAX7`p%7^F+xkkyXH+Ca3=rK7Q26u98}UJ7JoZV*b}(7hh92HEIM_3T
z{tVXf+Wq?`^uoy`R^4zoks{cZ{;|qLK=sw1!?O-AQIZ?3^8_(iMd5_Kpa68Hw}H?j
zDxm+UUb?{vFi{ySlfkD?T#_8wpZGe*PI#z8;@=$PeFXo+EmA~%=|hI5|B}Oz{mPk+
z9%n&Mw;b8zQ(Oo7+O4`%5m>lxdtE3!jJ<W8&VPWa{K5~{T(B4lP%31l1i3W|z#qZA
ze8G4Pj5hlQw`fdU<V5u*sj8R?Ufy)+L;|&-Yn6a<F~DwV;Z^Bi1DUx@u@)o;<`>P4
zM<t|Kl$)#;Dyj)e5=VZD4e}2<`w<n0H_XUe&r<G|x(wvO1#-8y9h51AF{{0s9)^|X
z5+HWk6Ki#Ahgu5-?|;K$uQAsGEguy&{Wz0nPpthd0)SZI>Lzz$^Sq-XING?=BM2+_
z9mXUJxXF?355J4d(qrGXTg*qs;ZDaXkTMM?t%u;F_4k6eCo~m6&3$iH&TuX9(%Izb
z`&u1Yv{WeYFG4dp<-q-nfXR8IENJYcqA1?aGZ<~^6`h`)1q!T?vI+HPyf)HeqRt>e
z;TWoTOIn-?z5;u&H@k^~RmAE#Q%=MoX$iO)A<!Zoe~o)AM*%zylC|>l4?ikmpcbml
zR?E<o_}lqth>KHL*UQ;LL4I{E_KQJnYas6r$yFK3C0;zwV2ezXoPPPtl)?xqn*87J
z?wFx%lUzbEE&e+6=daOP+BPzO*;f(mool{*3q@=A)Yb;|6T%@nzHf92arhBgOHW(i
zDM|h{<VUzLcR~CrvvVKU7PVXXQS2M7J2{3~btGw?Nmcsfn0e9w7^wUyQs*oA6@FP5
z0I!uHQ;yLxX+y@5rbHIsb_i!%tK6%WyLbPNJ_C7aIII%nm%2=c0btaS=gwvopv~<k
z=<bkhM=w4ZruQfwUdD68<`ckgoq9`77X}_B&ZNvo*dN8*kc!*Y>#an?rGw-=*<?P!
z0;6|~WFk?Mi2?In-q<^Xgi9(@`Y|tp_y0idDHA;FExv!5Sc#4&4shqcZRQ#H?tgPG
z`7NWOKT2thpOgktktWWrQu+cy-vKHCV}#2GW6RJ29KE`GYEvE_G^%2z#~DZQ>BcCu
z(lj7oFg-OgB+3LtAoK*s_@O*{Cc{1y#gM>8sGLZMoOz4-9F_JBEkCORX&=%WYt4)p
zLzN=Ui-w~mTDYzpwXOmEm~SiOkMjwNqS7?oKcJ<?0w~<S<~QM=Pi6yF<cCJ|pZbk`
zFYE_bmVbg_jY?mwi!z)evCnTQRX2$(>RL1uX{mt{#f^?Qfkzv&@*zv}*B@qT8eA&b
zw#->bHqS!qLdhxj3($qT`DsU!c=RQmCt5zEYlBG|@E+@pVAvg>RRZaf9Q-UlZ}f3b
zW9CiQ**R3ju8rQFb+d`5)QIArO|5gLiPAn1NNRv8ejFx7%T<U<^Em+qzrBuwLbm-=
z1|f-KMfCHbBZfDv0H?7PT_ozTnThzt+g}($Jp1NPLNeuP9wav}I$+uy96TG|AN3EP
z@s-AycxCi>&H5Qs0<v(W88wfP)U4i40y9(1-($c5;L48A7U3FcGiqd%CDG>p?mayQ
z)FU*eE3Zj&f>{9g$kpT~!+JYcAtic};E+2qa%>ZPkV1egXJrE1LO*g4)1thYZAHz_
zMpzV?z-E`MFjB6+6`5YrG%$ebY1l&_Gdu{A`Ms?DflDYT$mRNHuuRf&jwXhiVz&ar
z(36Nuf))(Fq&Jo-)iy?1queSZGAfi{xlnGAUR3HEN(d`){cll_hUwT{P|^beqp_pM
z7hGB!23cnjnke-8jb*@~R+dt-^HWBwuW9iwD9Z?v=Z{#XT{*~(l9oVBP6H3FP54W(
z3hv5X5K-{Ucfw$*1R7nS<z5t}RQh4F_NM+(9YG1Zr0s2?R%9|H^0a)~KH;0ijhn%P
zV#<amtVT7$(iztr!`sl-$TS^N<E8(gMo4JG?m;@{Kbi_))8ipfQq5R-%UFQZzUZD(
z<5S!<OV)fiamLfuX2=M@XD|KIWOTu)cE_hDi=j!BYF&Nv1<f)Rbn|&w>!n16KFXfJ
zomnmhTb)PUJcO6oBASPrYF&kv2Y1`<>2_|=H2+u{k0SlsEB1^qVi*!=BdMWQ2A5aE
zNOdI$%KmHbZure!2=oaq!fs3uI@zo6V)r3DK`z|LY@QfmEz6r2*&0w)!~Ud9Du_j5
zp6x-R{7D)OBdQaC?2IaA1wpR;q0O4BltMvV?=rnTNC`%i3Flx=J&(NO3Pia(&C8iF
zn@;q*+xENO+I*p4b>HYRI_aw2QTPt+6u{hQkWGS7k(f8|WIGLoTOV4B>l*jbR#9ie
z5AHuDbDwZE!c4&}+M?e7=FAM0n|Z#LlJ++ZP=%U;U#R<0q_YG92Ps8plvG1Q{q@8<
zC||?T@(cVPPJz{W3|Od5Wx{I`Bu$>5zo>EgBA{GUSA<amR9B$mV~TXb4o}}9mX&q~
zSBm%DDV7u^VGZhWha_c@QdDu0Q;bl&Ib`*t*(F6=e?0{vL_Nq&1@WP)LESucA5r+|
zNeSZGAI26*HAG^gWVLJ>WUkpm9RH1kEwTeto9%7bz+ZVqQ=zZkTg4|)?1;!wfJQ4l
zslaG8f?lCg@tnlg^yKI?T@)6;z;l358jQ4B*t@O^lNDr!3%#39$)Nd7{s}V^QN~h<
zlo8QzM2`y7o&2P15OT#1ZC3)Q{V{3sxMo*NDFTa=5rVA?goub6OaV+>x%gf_q5=#)
zgJ$>I{zy4G`tH_+3hoHfQzNwS=IPl1d=OTE{u@<1B_k#SPZS$mp+2LmcoK;>)xGF9
z=}N%J&|G_ia@J&Yf~rp%)JZ=f_|(G@8E}Ohy!vcZ&{w-)E$W!^KyaA#H%5OM{KEHl
zEW57oe~<)(aaE%5@jvojgQIc)244PvHWRPTpdFC;6;_dM1&3;ulvy*q^@3#}rO6AI
zW?q~pF{kM{61Q>q_W9-rZ)$#ie-ahV`tu~~N2=^bv$!H@D|tE+n^Bw4;`3r9ElxTL
zNL{v8XIb2aI9l=OSbq8`QYf-MHGRSQ0=G0+=AxOI?l-yout6}XbUJf#FD!by7-I5m
z?ia?SDcKJ2lEwbuS*nk;qV`s!UY?QMXj0vCv@3At^~u{#nR~NXe>p`M@WS-BV|xEz
z3agurO&D8C`wZpd3)<WBKfemYH;4zjSOWi{1&LdSzBIN8u~x7Vkz`#-={?@0R9K9^
z9Q=8n@A`)`+f|?>M5xs&^pD^sZsN_8?(a3J5{ySPYsYEujI*@OvFr^dQT%h8h1$GD
zhV#Ru|5ea6+slFe^L*`7mD#<1*Tsu=SMX@B{|1w2?%ar;A@R?Cq}sgsC60?O^4v(f
zU|B<h#6w`B%aKd@feg%AjF9J<Li%<O_!mkF`kT3WBz0P1IRj7AF4~V|t{~jO>z(xo
zHXXh#2OThKiufQ@Ln71E)WUfay-`0w!<%W}fYKG7Xd#ulj}U>tvd%k1J;j`6nbX|&
zJVM4zxLFwHm~t==60ZEhuzJ2MS%m<Xw>M}Gy^ECKA!HooZO4MK(3LO}HdQbjLM}f$
zHIo3U98mIuDS`S7GP0au@g7aA`k$y#M~cD%)IOJ|MIa#AC#ZO$`wiL!S6kamg`j(^
zTSGaw<+LhT;jA|dg_$bI_uSuWz(NPl-40RtW3rWmAU=ram?G5~u5x}pw|N73dM_JQ
z&r3!=nN6|j?r2{<R=TSeBb>HF9PnHoBO#D<zJ&jU*a<T>2KDd9d!~q^!Z;<p@g9wd
zIp(R`yw8yh;k=^4>N6gCa@SE9$uG&}j@?9{@?~j(C8!7u*Jgx=<+92k@jS(4F#zcW
zqkndc6_KGjNyV2OEmN21tvNQr+k0T6k)S^rNfJ_>%mLJw&gdUYCa=tn0cBc+BQx!*
zLuV=#CYYw)iilB+V#c~luH9BOK@w#GO#zrYXaNhdX3xo^|Eey)NUO9aQ3fI(3;}L}
z$>iiH&O{X$fD{X5*<gL;U_%^gVqe-GE65zdMU=c2nLbci`%dL2XyUCsBpd(%Y|C-a
z$SrKJs1UHyAaF0Iwd8Ngb(n}_9Xb@AH#t-mlMiMqbH^f3(6V7@;5vRmR{H`<oNL?e
z28zn(FZAkHy@U*e0<@Tkl4%d#D$)03YF&{n;`OmfC1D`Zj+KTwZWjVd-y*KxXTJt5
z%qxuzvG8hk@QFzgP17)AZ}QXpkHpx!gWnFWu7E<+^IZ>uc~r>lqOKM8VtP?@ia%-n
zARnJ~;?-$Rw*gFz-r>gWQLGQG`|73FKAWl?H~}`_42>uF8;I7{f!yVV_30DN^NIYr
z@_9K|5(szLFe-CRrO_*Hg~#-g?95NG|BsyJn}<0}i;ouXG_qFFa}vfUYcgn3Wi)o`
z=YqTEPV^%xHj|Xo4fOQy#3HG1yzI_-lQ6emzBcALb7eXrw*Ye{v)TXA_$)-xsx>DH
zAf9Evc-d7;YUvNfVkTg)20~d8j}Q<vm@_sGD4T^_^1S+k<n@2`%smlkdxq*%=wJM*
zV<`+f#T7vUq!mQ?J7VOSJ9VJ;&m<0}$O33&qwUXREIdh2lvma6Q5W8hVRb7O(FW^C
zv{F2^Xm22rbj#^R$fhzvs(x9uMkTE?tC2)7Z%!>w@Z#ZC#^Ux{qHb)6`PKYJemN5g
zb41V>wvtmz;~!5|_1HHug(>iDKe37Wy^3bDbUw?^B4usPH9N?105Mt0V^djQQWk6p
z2wc)i$iBu@r&9k8CYAbU@;1W-7;QmKHUf)FS4IUip+&(arLn%jn5ZMR_iJj<zAJ=J
zE6K-Ybj!PO1XgO13dc<YX1MuL78E;s`B&pt?&|~B{HxhVz56_c3rB4Ge&MineZ?$l
zhA`+fm5XS=JS)vBBZp9Cq@!>@4IPxtmwRMtJ)qO3-$~`wL6LQ`Y3CWF|9v*7wfgNA
z`1oR#PZUe4okT0Zej5_rsK_M!C^61T&S;O}hEIJL9)?Z7&pAL9@sQJjlv8%i)OY*R
zKHL1f6=XjF&4oF|eEy7wOV6sR6&1GnazNUZ_mZ(G?E&@~emRsbNqioEd3@P&({#_*
z4?0dd8#p=LIwn)0_5Sq+w{8D+U!E2>QYa=5A7muL`@Tsn5nG!nm~0;LUj|uNDs%Ga
zSb453Av!bhN?ic0J`lZFP*%xSp&(OJ3DmPL<9tPh9wkekd=zQzD4b=j;M3^EThyk>
zB8W|>!u}vR92RO2aU%%kLm%M<Sf7XTCh<?Be?&}%n_MBIpuJwEcEpV;mXO(RuUFUU
z#Vg2~zJd2KPOaYK8(qpY6E{<=V53DmRj_e|H(w>HpbsB<RK#1swYWED;7eX%lZH-E
zXdu3P{JA|7cf8^sv~V6ivg3Y9UY^8#_P3Xqj7cHL*bexU{a0WaR%X1$R?Rtcyi`*9
zakbbDg{6S=z!0l(<`Y{&6jF3iw1O#V$&8U<FrV-Vk7b!bIDy2l6b~=&LX-xYl}Za9
zrlM;o*}!ip@!umn;9k@2xH0}B?!sW%;t|OXFb<xO2qOU|PC@Yi<g+H}iAj`1-xBAn
z96cK5wfXcL7M;=$I?%|EZD!F-uh+UH@@m^C+Y<U|_=dh=%c9s!8^loFjcl<cyoC`O
zmcu6SkUd-29Y{YPeBPMcMH>FdtVx()FUrL*ECr524Dh;-O3F?8ByOmaO|c}YJa+CC
zN<zTK^ZGGlKV&voe$ZjRc8F~{#ZkcnC#`OrITrNYJRX9JODkB!Elio5krTlU`+4p;
znyS2*WXU}h#{@<#kq<3HRV+*C`-n`PRj=08X+k_oo06hsz~akWF9zAg=$<<xRmn8w
zmpd4~LB|ZE^v63Hp|9nxj~%<dvF(?xS4(GS$pT~GSr`8#)m)Q&mNa2u;$4&(#lnmu
zW>S!k0b0!jOAH5dTSR{Dd<6;7GKk$r^JyK6_wgQOkxl%V!Sti)f_^HLgLUR9^8N)h
zl+O_==!E(?LTmx5<VT0Z*>oC(XF14GpX&34%qW>7LhJVn$X@>-i#*tR@S-=2Cmxf|
zcr5OmK%0e!rNVcNSqVQGZ8USbz_~(+^pIo3J=8$CM>ff{@HMl^F^S9jWke?bvmGWR
z8uQ%TBPZplLrF)4HzD_g5i{*>0OHU0FPYQ=LDJbw?7hMJNU|^lk^aOYr60D03Pz9?
zR3`RVJVynK?#r{Vz~O?;azegnF$QqjP7)cGSu5DBwcV^RheT)rK~32=6lY>Kmu%t;
zr3WGff4xiw%Lj#}$1;GwFR72DOi`06urPoZjmz*v#;2}G*0U9L{!Jfe7@EyRNbi>s
z7MXfaseoud`u8PP;(YWwU(_5byY$-@r{(?<_D5kS*M~4ze@N19^5SRdHOs|w-pe~0
z8g}0f9qCjeRDbUtN+L2J+lveRjX2JX$t1*A89^2Xmtz1Ho>>u|LiaWPw9Dgx06jyq
z9O57UMGVab>kCS@+_m;z0^K@(?Eg*P_r68mo2+*W8OZPJfx+Bo4wR$Bo+P<U$<8c#
zcaLwJejOy_HVvk3p3>024Y&NYW>&J(y?X8$8`1UdEYYIzw!=;A*H_1VwfpJbGSpk$
z1Lgy*Q?3fNcFBPvvoup_9HYx6IG^M=&%?8`Oi)o01_`H$u&1EYO>Y>+{f@PehK5GO
z9x|-H{#>;Fh1T@94TAdaYn={j*ZjTx{gH*A$4<`9f%$G>=`}Sc|5{%{Bxj?)QGff|
zk~zP8WwDXWKyq+G11?*TKa8ct8_T$LadQhYHg&vMCy|+8-Q2zyO2D!k&t_0py=-fX
zHn@&4Z>X*@`rg@@(=-@_!~%Es7%4|~`@@*q<)5^)e6=xCqMG90k%KkxgL7}C6ZN~+
zxYy&2>&Ir%Py5kCUe^_r-7^i7C?xks1Wbb&85t?~Zb0N;BEJM<X>y+qa~oU3w=y`5
z1)Zw&*J8xP`Z!HH4-kT_sw1vHw@!TP=ve)?Q>8z7dW7jU>ReY0WoD?3M%d#r0k~EB
zF@9~A?B(=GY>!Z!&n5jo6kT^9Ti+M|cF`KuN!9A4_Nu+wDr#4$O^n(jwGuPhDq1T=
z?Nt<2drKlxdyBmyiM@g##E9_A@Bf#V_wKv*obws?9#<c2M$*WL_>~XF6{n}C1su{h
zP*5=HbHBQ)^RE=R>td(n+J-<S{IX7{bjjg^OP8{iQ&u6At=R8rX6R~iGS>DWMHHZn
zh>}hF?VMvh2P~KDedz?;v;|kCE}c*l=`#jEuAIVEo_oC&BEjc*zn*;6Bc`E(kGDr}
zZ+jfvUqiJxIG^sLl`yDtRwIf<!X}AP{=6l(nW7IFR?argK>#<d*()F(5;!j(muusM
zT`e4Emg+`&f|oGMFUy@$;&yMC=$$g8rn?>=9dYVXE9)N?qJHmMwPzny4?Cf=kuH;X
z`<73P9pRFlj?4%Jj$_#^wU)Rm;ZY!JdbIXRskM@#NX<k{==p!h4&RptJxs0v0mn5n
zGtKlwQDxuma!^1HToJ_YVRFu(-=-u^AC%SWE`(2CO%K`sV_4=(HKmWVy<H@g<+QAu
ziJ#517R-`pOe*NEkaoplMZpH8ezQF{gZOx0rdGY?^`Nb((pfHUM!J~Xw{&f>4N<32
z0){6O<1B80l3ZuR$qKy{&72tvf?Kvu3F_lFu*K|=NS?7kke|bH<339y5j*>e=)?t<
zfOq^0D}GbrEYs~4<USQ>7rdSKyCsYsFLYf({`h#|k6_WHWmM1LAn!HqDVKu{2OZwX
z+I#*_o-N(o@(b_)Gh0}6Et8)bEwKlTtH>3UlmsO^qQLnT6~te|`9A2(G^5gc{zAWh
zyDMw&GHMT_@~l$#Vs#v?#$3+G%)x>31mmiLUuQkV4PelQmw?QznrhV&#u}~Om9VJ7
znk~Z->LjAOPCrLkDGUDLlK9G}i5PatbQR73xbUCe=JkPZaBAzus|kbet)0`EJ$CPt
zs++8vgV(LP_shE_|L)wA_1d0a3Th6wINcD?E?HDDVyljO%J0rOP~r7wQkI@$-{YU#
zm8J0M>Em*4gYj@w($6IEyE3i`GjUk{wb3GU8sIWZ!~3YR($Z3#v4_>ruh3H+%1Kjw
z*YXxY(4_tiTYSsNniDz)4F?UNq}{cg9Si$<68XXw7u>6>DbLN8YLiBS$ykA4Yw^R2
zJ`>+>FQQJ#76xw_fQ<t`(+Cq~i1Y(%)B%WC7zG-&-;O%YKL{jm9<LK7$IE>{<2Zqh
zl&mad*}GD#kxogU<hY7DsoSF6RASG4#1{Xm0U>ByKD${nd&)Xl>_qU$=dC#HfHJf&
zpbt^oR7>06J0iX{C|~MH(_@Xe=W8sDL%1KK_5HqXw-0Zn2?eZs%n9wf4^OM1`+fOE
zMe)Y`+oMLMpSqqEWLZ>q@2>kIA#EPUje`LxA3-4W#mUk|=96N!8Dgf#;b4VpE{^|?
zveZCT!7ftGxB{{IC+YUeSdJ&N`><U6FMoOg9nqkMb)VDxLv?N~c!sby!vXaBaOlTx
zP6<-yfqwHdu8(=5D(qHDqgNTbOZj;Ov0OF8?Kry-;8}3Ag;IkDpQ3(Z1n%+FnY#$M
z1n-(*F<U?_a&jnhS0EU${d}L|1Sc6ZrFAW+)dcQCyvFO@!wH;cBd4d+8PXT(#^QZ2
zpp`mdNvmmi5a#g9#^Xo%(X>cc9f(y4qFw6+#a(J*RCOl^Wc`f|ex==qD-#=$1mGsS
zx>i}i#ks{W*zVVBhUTnJU!tOSv}!PqqBt0Y%1UP;K_SRLx9;Wmx>?`_P0HO%W^*Uo
zv;IRb4URGksuSXSmM$t-L&B6XC54YF7O+^X8W-Tg%OQnl&UJ)LdF>!dE*uVTXrwib
zeWxK4upEghVQET0tWA`?MJxfR7QRm;MMc=(`_MwX#jL`#$4Q%oZg8jc>-Cp+SD}ho
z@omEWQD5<11FiuR=79PcKerE7%Le{R8GRGxaWbJH_Ns%_FiTV`TH_tzFXGCq=lQ$f
zpyl2qGz!UY`6ER}OhF;&gQ`SI+jO<dXxi{B*yO$|FoidB%UW9(K4fj>JYzJB``4(?
z8@6ojr?02$X=YjPO%2TYMC;>9AT`rE<dl?B|9VXS#(>t@*~tS+Jqu2WOqL%~7NYQ0
zvoZ%?H@nmrf>X3zbUWfqyxHF0<7aaAVD97Czl%UwPIYpmxxJ2dYigKrbX{r7?9+^l
z^>8O6O8^NOeRI2|j^)v)@tx(q&8?<=e7Qn|PMQSuVcExl^k%d*$J4Q~v3_>-7~RIu
z|K!u(jrL8ViKMV4D%wS*nK@HA<Yc7ItqbD9EWM%hZ%)T_=yi=yC(bp0VtEx)!kA+k
zC&QzZ&u&Tlxe!<GuuJk`bR}~KygOTXr6<!`nVG${wKYsHcLD6<iYJO@pt4q<K-6VF
z&ixxeCUPC>C`-H;J{xEinVaqWKAP+~Rr&hpNOtOsnlTzf)XOg#k4NXIpj<|ITcNb0
zbRBVT=!b9LgUQIqwAtL=ZR4E-X^vp44D|{lpBEuZWjJ&G*4PHm2po0q%><`L!5<7W
zs3M2+H2{B0Ew{`c-%^zS>(<;v{Bj|phLJJ0+!6_QU+&F*et#<nxzM$(vqv{s8qY{~
z|KO31T#}q`i3xWb9>7;QR2TYhOCOxSAd{o$vQt=Hxp4N<vq1w7oW#TZqF>B$j;VCR
znoE`mT@?Bt1RQQ|Zh;mS6lA=MRN^h+QnX!Y&+Fw<6(8{qx??n-_M@^mx8n4L7PD%J
z6M8@c8u!u9&%?8c4Ulf?poq-vWmHEX7Eb#hwa^@up=aecy_p-8-so3!Z6l_yT)Bdv
z$v8mZ_I-$C7unZ$(J;&ITq+^5wg=xon5igtK|VynwJougs=oow0rK?xsfhV|e!s<N
zA0N2ffc$*elL0iK+gR&IX87jjlIypJa+P9ZVwgIMHtx{h-R^r*0UO-?Aoi%{VkphD
zJDXx+qFSh9rn8Kj^4<IWQmuR*){|#Q%FaxuQyqvmymGb@C>C02cd+5pKjH+9)0}@?
z$DRDRN{R>GYvuv-={jq)-dld<|E9ZCHFERTq`GvoJQ6}Zv1$Xd{V;p7?so5cl^o|G
z1~ef~U)$u(>{w>4Wcerw^tc^;<Os4ngFrwavPiyYX<Jo+Cb&ylMn*+2XA+(8rfH|%
zwPgFpLmv`}9u-C6p<stqnT1Z&6=9HfXJ?bN`}62E)8i!x#a)p%+C>Ksb<y4a5L#;9
zxb1TA<tTP^=04G5B{p-HS~Iy|5XTc*6>>6v)`D{)7Y5wdeZym9WaRr>SkSrENjRgp
ztBoVb!=lM_b#L@I?ID^6V2A=deE6_=lyTWiHG-uA_I}Ca79vGV@)+0rO}e82h|e5R
zzHiEc5ICAY-+1%39XheIB5L_^Ba)sZBHFMc$izPRvv3lA>W=tP>^yC0@^<c7;G;jG
zcE*XgllksdDBniNyh)>>jUrf5*(N*}S6e9GP*hYCCGZ&s<jMKyezG%kF`~2e=R5N=
zX>fSRo4@BjtJxzi(2h%n4~qNOd(CLjj_$S&JF_iZSO^CZgSYAt*@r#YtF(0l^%pom
zHTrJNZ2l-?%4xk34e#~6H?Sqd0hAh6^w!@mRSRTorgedJkMx7*tH<`)xj)Mt|HNRJ
zlShVP?lWlRm36qdh;<@qNiPz>-~sw575Lyk5J(k=$FQI-#ITPtcl1!ri!a$^S~lR9
z-*+67>y52KLIhJGn^&g=&i4Dul21IXGa$fwd@^btN39!r-?T$<iRU{hpIEalIRO9w
zjbtSA#4pv&@TH%`0saAe^YI<HT=2>1@#gX}t6I|cu=FUa`FQ1RG>?x#bfy2##ZNzf
z{<N5#;|?n1<lww@D^K(KZR$12=;&ycF?5m!Q{Otj|3~LEf?UQ%t4?Zmgun`PEQ5UT
zn2QcT-TC~oRvJ-wQdDn7DoP%@ukC!i>9HkGUbzfwRS4o-?)c}W(}B1gzP{Wp9g?eJ
z`_9+*<+HNQo}s)gOjo^bQ_wx5TBF*aRYLtc0PBsbkK)&s36r$pBkPS!%8OJtyqE}v
zzBA`Av<(c<$bkG+u^sUyeVXfjLn^htX`7o{Lwns-lcV4_RzEIgXIyr4Tl1A4oKTck
z9~kW6ANk;Ra!crYdjMe~wmQxGPIoVvBZoZvPh`$=krJf#lHWcfioTW2T%y7%(oye|
zt+I&7AO;PD5w6tGo~}VhDLyb7al?r7Q`K2tl}Fbg+h(KB503UwZ;3)RC%?0kgXl#)
zhm$*=+a@N*WheYq<$IW)S+(Pj53W9`v@8kfc+D6>`TcO^B}ZA!3Q;f@dEsspBdsXg
zu73lKN8D5nJ<B{>cPBc~U`S1M*FC*{&b|4Td7rLjV#Ag9X;R4V<(M3E6Epc`F^{^>
z+%IR1*dCW4$0eQaiQ^Am?TBUYhumT4IN5diEUa2seFx@*!4Cj^vQ@ST8J9|hb0yNS
z`|G3HjY;`#ZN|^7z`^hy8Z@}5G2BTf2>5!yC5PIA5GT?vUbLltjcG9})7@`>-4|l0
zpX#(6;ppVV_jV#U@JU%P#Dn=@f}>B(gG^UO&uo#Hl|FLv-hT##YQPIVyzs5hH73<N
zFi<DDWy~u%*=c)|sbq#nUs6hv#Q))-7;|0)uPm$Gl-15{d~rQZa;PqC=fEp{nEa1<
zdU<)f?p+#ttmB<}?72H;vM69^{JnCx5D|U?9S@f(aNskIs%7wgbKTc(e5G`v@aApF
zExMR&o3tcE+nZf06B84eU7T{;`}$pJGZ^Gr)Z?eMGD02k3DwoK9|0eCfcHB0*+Lu+
z^qIQUwlacbTnY#dB~|ua$zr0;ZZ0lL2zP_E^=)NDOPAx#e$}>D>SzY^cXw%ydkV%D
zJ99(R+I>37WdO8_{ORP=d`|6muJ@ufejtdkN|q2vJg!>Gt+YB~fCkX8OMXWIFBb~6
zCXKVi?K_{~rgIel8lmK4QuffO>iqC9<Lcn}7fmazfsUKyqgk9s<DcNKO(Y^^kJ)Tm
zFNYQLy<0yd>pmrUrs)CC$(@?Rkm}D)q01ZNJ|qhCQ9;vA=FW0L59V(fGB!3gWo4Da
zDYllcHvMR9`KC7|`<`gPbY#y5NMO7@;;Btm+f}x-0t7<gdr;ed$!`R`nG1-#I8-QJ
zL2PFs&}scwOPH-E`N!P6*zL{*$!XOtVJq0)c$Q0wR!J-^(}&2F?$vxIWH};(d&v8H
z5?<c-t7wJ5sUJc8ID=3ZT!u#Y_E2WbDG<ct!{l=~*jtOl_hVrGo`vbYGH7$EpjS(j
zC#U(VE~efkghJjLIUwx+`*-1vz+Fh}`O(pkmjPuEV4*rbJ_#7ZP4or^xR@>E=PxZ*
z&rEBlT>ld31DXJXKq8`&0qcMiCvz<XI9ZX7PP4)?tVTvUW>QL`x9@06%2c_5`0d*I
z@4dafmtk}_7Zw*si*yyh+m=uQfpcCPHevAGX71nTkBi8lHiRExq6mQUK@ScNbIJQ!
z&m_j+a#TXgm3ixE#nY$86}$79UrE*BJMkZ>%=@*%U9k#amo&|*F<!OM3*U}ZXwbX6
zh;MYm_WLs`VX-#vmw4MvT~$+P6bw5#!*|Hg7~-SPR42Xp4oyoW$7BVk?u>$iqUJbj
z!h@mfjUl8PqV73H60Ga}9X*!y`qdJy5&mu70w-j%J;w>`A7CvReJQD;Lq4sKyyFQx
z9~%-o?7pdi_z!x!n8$NF>Yfvy{|%fS-+II*+P3N(qY$TGba<74K|)G~2-(N*UVOnz
z@SJU|f-O@aHCl;sLgDLq^;wLj+wf8L!f(8JrnbLQs4=daVZOu0hBr#z{~@$}#g|C^
zO?8`XnhFvNMtp(Drm@KN9rSB>s%u{f@Zm8@4E`|R-~tO-&)J_3$^=+VWiJ5b5Z<}`
z)#(vUp^+!xKj&1{Sh+T#E4+HogZ*DGb*x(W2*`-=JG>V|_iw73FP^UxOe&%*+x`MB
zC$j7kS<a4j?R}=9#xujW`RZSpm^@WJ4PQ$zr@y^=G1MpP=95<g9Z$I>(zp^k1O{An
z9crdCu5&Q}uSrV2=FO`x5eMsGQcCJ^&CScv2gP9#OlcgAEz6sWT@eqi##L%_`o^k;
zI{+z5fZGDz%%WCs-$K_ClU{^^u_ypJWBE?P*;EfLIT;!DKz5}sMRWlSE@k3%ygocR
zSs~(Z0NGu*qQk^c?&GUIb1>Z$;ImK>v`+(Y@zW`ER)P->cXoGSzKflepf+*K57J$9
zOJpu0+Z`jX|KM5+CW*Yk@}v3aPZvm{HGQa1iia8GY|~#2gUtc}nuF6m`rWPiRQT~g
zW-<dGI(FKPtg_F{RKGXi%&nUHcEahpFE<^~qd>6(71)(5OxwcM%y|>F8!|qD6Qj2Y
zg2NDbR0}WF2<q-Wy7T%MdY}9Si9luL_!U1O-Uu82xaQJ?+|eD0`|%{)hTE@6)O@v?
zZEHb+eO&XjEHm#1OnsW3T>Sl^>Y~Z2{?01YHWVF17JBHlbvnS!Xgzy9ugrHqQ$9La
zQMu!M5T-Q)?ckSULt7(f&}5^wIl$3jY|Wn1k-pwW*n_K!)0AL!_stnPo-*EwOXKR`
z)tY*yBR~EA%tpgBbV*apnqgrn@Z)t(c~_%B8v3yQX&ggNRi=IjtD$3j$?3?^a5RZb
zH1iuTz+Jc?XocK%C!31B0fgS1H4Q3Ro5;vF*L9(q7nJXWS`@LbO&6UzQ_|msZU~ZE
z9^!`kJFS=pyPj5*Gbv5)Kai_()kfRadrg?Z>~F+9YsjP8dt&U{81yO4A(UpMmEw+O
zpl;||@wv8}e3tdxgL~6R4XDGFE6KF$wQQP8iu0&eo)(xPhO#uNy8#xX8#zLjjXP%Z
zGu;m)C2N!~(FZ<#;tsc}pNn_!JB7WQX&b3Nrlpj8JR?JQsWl!IDtc4NuZ-DZSKB-!
za}%4@Ob<&cv0OLyODZ4VUDa|fyT*`lZRInEWngDlSB|yMZl?etb^HIoXjFB$Y@y+?
zMS;AoL7ZRG5`UM?SzT@IzK37&_t%f6SzqIf4dYE}0$SGg=pz%O<@ezE`?B;0a`d)m
z>FqG-)<nHS{#nKHa*6yCmtg)a-QIaJzvh{_x%o8~+CVOFTUFV0{D^3H&n+x(c>9iw
zz)bkBg-#AYs-fuj`ZHP?@Z`EvP*_szc>DJVFE6j;`uY;9b@Q^mn@L7S9?N{jay9$?
zv?Yaa4ne#R-hYdlmv$-#pw2dY7Z>VhxGP_)I7kjW1`cmdV>2u)s0`TcRvp<ay~&|C
z&+?twUekn+vh{zw4M&m$O*}nG!zBgfIap(b%JKHd-Ky%Zb!s#?v68MhQ{Sum7|;x{
zI@_6FV$HguqsAzd8S(Gp@KvYpF6EzVyl50n=WV{$q0nf;@A1G4I;erw(dojmU*2f+
z$^pl=#Tu`urYr`F8uD|E9=w*+owNivTpFX9eLI)SeQ-*EHmtw&mP>MYM5($I{<fS5
z`QykHjY}n4LFBbx3*1E_&;CnJjdFJ4txBC_=#~b+GBm9G!C;wy&cl6k0aO$9x}rWd
znOpu2=@LDQ@!ezQiUR8mzmxrS!7X&>AMMOlbpOWg@%V;6{*??pkcX#XZmxj&gxZH8
z{!73o)qfjeKl5XOGJSZzRPLK)c(^&faTHA>esIPxd;i;$|0N%mEH0buors_m!5HaL
z^NoTFVF&xZ8qoS4yG()H@h8u8LPTnb41N0m+Q%%6!CT`OM5Jn0u_Ip|yfGxLXEglz
zW%KpiTp@>6<y)vs(ssz;v0M9En%7(`ys7}X78_A@ZZ&Kon}*sUG7Y*s%Jo&TF060E
z`Jhg96Ux(yB`KueG!FQk4Xr7TZ*GXVkP3^(G;-}fLWiosba+@&`C|1wpNQ-17l)j8
zX|o8A72)<j(V#p(^;jJ)<Lk`l5mQl?Hx~1n5oJD!Eio?JaQI;4zw8nisILARLzR#I
zcaUhFq5So0WQLyTjA0NW)ei*Hx3m?May~hcI^BYh1Yyx98)<yO)T1NTL%qQ(E2Y&E
zGZmD=758a7#pQk95Q((l(ehAr^$5dW#<D~{eL8yjOJ)cVtqeEEG++K(qG)c_Ex@n9
z{lyieA=q3L3~c1`jSlJ(6%*U>L@m6PM;5_CTlx<OlPWPJ=&aK7r%#{e<&;GCb?4>f
zt<f^-<>!v1Xhyk8oBXmeE=7l4yAJ3?k<8YK$p}Q}|J6XT+dp|#KJkanc8d(J=@(74
zMk`8WfCAF+1cdYF;h3AOp9v{&&)Bff4#W>#s^8yZE6VH3{2`t%-}ur<1n9FXawTQE
zI9<dUlK!4fR1D|;(RcGHwF1p{Zy*&Gc(4;<80W|5Pfs@}D)b!gz1&*_4@>HIa&okS
zdo3=o1`ZAg??VVKQH|h+D>Mybc3?zC=7;cWFTbsXOQm~0tBN8DkaTYeE4Gz!{cJ^;
z;2wdYq;jsYk)6fImBSUNpbO-^nT<psIFgmqbPA8!E>TuiR=(0uua@1RG+xjxhdvrY
zdj}`aRXJU^YW013m1b0K5(Brq<#qW5N6CXm<F{|$(qC!Z{&q9jY`ZApI*&DJd3^jE
z51+Khqf(z6{j|n{%Iyf@O6-}@Zrjf6m(LVQ^xnjv=(Bq-KL*QVm5)sb{9O(TiPd>}
zY{948AwO!C^t`HZ{N|^{MFxSo1}<q)qiGJ50RlOcDF<?*<%!QNLDfBP4n12L_(Ds8
zitZ|qoY38laL(c91<jIdqhQeEQnMP~-SzeF<-$PSmBAc9w(pex>5%~~is?m>uT9Iz
z*|^jmjY>A~^Np6cGDaUpXrPQIFT{C(6%W^jf40|=22PDzs_`@iP5-V6@644<n(P0o
z^ZkJD%5`i>LH66&C-RYPFl_?$kHb#qR?|vhWS%FqFqnpYOGGXN-N;7r8};J{Y08qR
ziKKk?i#2LDP4o-aILL@>;Y!L>&9R<**zP2Si&artx=Q*2^7r>YD*m#$xtUOV!pEY|
z0`zENL)j>xHOZhG7e4xNZEb7>J`w!m@?Z;bG=Jtt%T2LO^x345KlCoTtYXK?cM~><
znne~N11EmV%}3Ri>lqwqlJgc#J)0?3(L?#SWO`dp$ao*V{c_Y6)+XY?5`oc43;1ky
zvNIM7NFYuh0W)umR?F7cZni_|{gQG@a+Hm)rVA-<C-&s=-7YVyJ9Hb4?^oRO?fi2x
zT1Juo`&b*6l+U5881n@m;O%;!u)bcZSD)5-c=-4FZmVl?3Oq!S?C9(7-w4*gKC>NK
z8-_(*pB{fFx*QP^9-p{v>Y7)T7e%5$iTHQc{;d_3i*M6}jQO-jXamlp0{ObTPJ>)C
z*362QQhJMWwnN?V)3HQiOSkv>NP(omhvMAY4`<Fmi$?!lhDkZUYhch<*@DoSv0r#o
zT(kf67$FNVJ>)U?@l^KdbA=qoRKccDi7@%lPxDhkotd}H?fHd6GhSD{i*(O+d(H78
zf7s?^VPj+C=dMEr-G$st(FgrH#W2~<PTop2K9`kVFN03|u9Nz;Qo-CFZI|Os*w$BW
z?UP%|QqRB2cs!d1hnvCqX&6e_(+@o%_LUn|!sIAU$jRKu&#$>y__MAfoDG99j~38A
zk-FQ~Zo8Y+I>1&Z9m2Vm_{u4me%<e7gjm3=wnD>i(Oi8Lgqx}Jl#aTSsQ_+`?u~*f
zj9sDrk>1M{yGvr;zlv54Hr=DmPxFm9>sby0mX%3t)|kKET_7$JA*-X1f=T)D4MUNB
zdVF$%Q%rj}KF8`=UB5XsT!chYS!JdmZAZ`5wX|HqAam2?h$|j_I=ao?_yokwsHmv+
zck8eKY6Or`YaR)!vK<8BhS@#3I7%;y*2?t1>Ti=_%rSAkX<TX@vb`}5QRF5X?+$x_
zx4-geHM33Ssg^U|j}Vhpqp=wK#*WhC!tmz7;fkFA=d-=#_lSIVx8iCuk3sb^zLh#T
zwm7%o+r1llVuzx#w9Q|!>&Bf4do=l$?LCfjX5aCZ74>YR6(83rKohfWrgE&!FmcNI
zS3djJ<Utd1lWD*=A9_{hxha<l-t)&ONTy*RV0^n!=D2kGD+dSP%9M^$_S?E}NQr-Y
z(p~^HdvbDB6F<AdKbv4_qFEjnYWb?<2Ff)jVS^_-D?>p=6li0J4M{BBv?xL$xt|6F
z)nI@X6{3?%I<(=IOtHA^aZ^bNTNHZE7@0`)C}G-VzBWuN&M~rE`J_N6{``)ArA7lD
za{(>a^(?gQdAPDjh{K%0X86oR#YZ=9bhZ+s<&wR{eZ1%=*v;a>(t1Qh8EwfLxcD7V
zvicL1v$j0;H+>0RK44Hp_-hRd$K~yy;}vE?FGESb%8Z5f@gaZRyDT*iD6>Vu?evk6
zjSUs~G`^OB$k+NBz=K|dKS+<5r-kiIS4^*}@;YQ;x!(2$R+H0#aFPnBjShTy+c6|K
z_{+gYZ*RgBvOy?w-8T^3tu$QYIQT^8i0ln(XgGW~+2>gB%u!I`tkkCKOGmVy;`;so
zjnTBBlMFrHI|KAVi^lf7Zz!ApaciBrQ>9S-kG~`JRRQb!`zb?vqP4`2pE}AYv#sKV
zh34AoGby56i&eG1Y&5X&_cPQJVGFqLN}=wjtexR+K8$q6{X`X4i{<30Tc$@44w`sw
ze$k3c8r<@wtmlx74EgAv8SrlgmQ>3_2NYm5L2NsG`0(N15l-<V^;N|%yZLQN4&H!3
z*YJo4PsW)U!3(S}{m?&Jo>y32qM7Zp8rO5yBmEnK0)+0pI3#bAPG-{OXz!72l2Uz9
z-z<hlWn*u-?~2j(e_$}!)cs6t=SKh}*VC83X7%$W`sc6T7H!ZNSnbIQz$w`y&zOj_
zC;)nXD;SYWnch~J!T25=uyt@QeFB5kjCfL@95zevqZz4lny`N{F0Ks~LUD9)7>}*A
z>tLXH;^hC&YV@UGWjTG0>X3<0F@Tks*_@D+jI?;MfZ;P%4p|m!iQf3C8Ak!3-_0Qz
z&aSq$cDD25nbKgTyr2Gy3m?ksXw-f>jZFFr)fBcK8~gXW74>P%Ly!15W^L^z76A?=
zpM|KzzxkP+eVx=8;_IvUf7Rfaw2FQG$iPQCTKvBoFK%#(Kg_Ci=u6g@>6~nPA)~yN
z@AP3wY(78Veg?F{@?!sCG#mAh@;h8~J^EzwpinAjAVXzQVM{h-l^mUkfL*@$c}|sO
ze|9xnjDo@dPtJP*8t3PsBSfBa%BAyAhEtu<bNpb-;2Gfj{G2B=i+YYwyK(g^`rG+=
zEw3T(=U)!HP|A7Yz#mT|1<Ai0;dYCgFU~m5&TYxBA!4cPw>#%v><$hl+(7u^Li5j2
z_8&@n&jH;!jCJ~}MNaB{-93BHHDz<|a6XEP(oKw{wXMmwyZnPayk$O8qW{_U{AVUJ
zhBnE6D*ei13c~%+#hk%dGGqMZ-|v3k84~Ax`cI^-P53H95-)v1)5Ui*KTbW0J$#;L
zQ<Z^~a1=;^Yc|FkCD8mx`kR}qs`|Io7?ob<y1cdd+K-OBpMK{?&o^JFZrt~W@oFCw
zv_8@P6^vf$zH)(_ro3J48*nxH_C}AL*eiDHVjTtIz3jw9J`9FF@AU_`!nN1jAn|y;
zCk<ks!<<Tao=Uv1;o-mCt$L)H)}koM@OWxi?t#@{!)k!TZ^z38a@D8ZxH}Ro-eUQU
zk?=Hwd*Ag+f89a<a$bGo=&Y{uE##9uLr%)WXxl51ufN3Ej{N%f!5{|sKw*gQiB<1l
zclXbt_-8mBAWJhMr@t*_V8zGo_xi&siFlds3v)kyE+uom)Sr)d`qUu67pOwdC!gh}
zZhN)h&V|Iwjz>oY9hU=-41*Of&Tg?A#s6UI&KsqjAEy3I=f(r(+&793J%uE*2t4eM
zZqlh~W3Ol?m<C?%P<i%+vv+s*_K&ndMbyX0_B)Zzfp?miD8C*wFr_70vJyHq8SSPV
z-kqvlxLEY|%}S2?Lgf+drlzIr9a;A3UiwULpsWgXa`aBGKW?=<-iZ+E{(kf63SUjz
zGxiI%JI@v0g-xd=y!i|G{XkainK{i*r~lnH=xL4N<B-J6k&BmY-W6WDb1&=FfuEM&
zPgPsbH1hQ?l{cOZ45-M@2ucgfo4o*kETZc*{QacsL4Y08&xMRNVa7RzSI8!_{yVvf
zY1+$Tj}#SY)2GL`IK=M9*ZZwLPL-G6UQK#@c<bYI_9Ib%f_&eo_>k~yi^|i-<2ZwR
z>ML(d<C<OsMM;YO6K@|L?Mdm~mCkQ0awwc?lZ1W}JtI<9fXzPk`EVe_+uwh&+d7A=
z7ifFeVS6ucZKk?_+Y4e)l7dF@Ab3F<ueN`;D_h)_d+Rkw=CWR-w*FZ?F^el1i4U}(
zCLjI%<~#IyVb-aCWL$pflP3JJ^*aHSlKl#gjdyxE{|29N6d7{q%~-D!AN|ZbbS$|?
zhU#lAN|VY)BbBj!epx=z!AiQi#<Am8^|FB}MSS5fpUUm!@N=8|^;sGl<N8<i|3cWx
z;5gj)jpX0If4>|%W?3u257!L*esDaYi3Fs!w#STdoL-qqLDE8-QX&40<G{KB4252p
zcF~0d^&d|}ku)ibWon9P4buQTm|vQ|_5F$e-jbIvhBWzEfdq7-I#V{b7JbOW;>G2k
zTNY?!j}wnF=fUYQ>HkbTtE5iEw2s+S=ug$wNhs9T)2EYZ@*lGZ$rH=K%)+A5243@e
zzP&J%t1A4xol&7JDutDGr3?Uk`+vl)7R{=b^2FDoU(9wX*81JMS6|Xr*(DugetG*^
z<EMVq(723;suBAxXe;>N=d*kVXH?2?WMYK1rG)Ft@_B!IL&Gv_ANVp;gF|~~T;}j;
z)8WRXv9vTB(ET1D{VYxHRnh+y$xG6W-B=`&qS$jHf3Vz_qOnD{r+!@a{HP8NNALA*
z*0-5CIf4W$^|@DOaQ!D|%YV0$)4RYTOH6=zkOz6Eao^LU41i>?s-a`%kUk&G+W9L$
zG#N%rX_Qy^e4z1ze9Fq6#O?ViA(c>axs`p17U4-O@zD_!%EBe-*#B;{nTFvQk+FrB
zMA|^t_bhr+#@;8=23@82h)kj-T1FbDT@<8Q&D>RV@iy<hMmRh{T?FR4+-uXOHeVAR
z{GI-v5Ay%a<nf8oOODbajfywZa^UjhxX+^xQrE9D4}=nGb=|p!Z-M;k$|f^7IDDCz
zQ-rKb4U;4$pVqW^_azI<Ks8}BO^-2&{i}KTeag`w4eBS*)Mr%|Z$VKUmP@VTs+qWm
zE50Ug+-sZfoyt$0bKYXDUAlZQb~okCGZOthM~x1LAr^WVCn@}aq~3DpQ<`<<ltRBI
z5jLb;(g}L(d`Qr61l(Whu?e0={p8_hm3EqMRW?@&;-+|p`eH5<zU^sr{jU5lJM^H0
z;oAAm=4NIC7|arCW#&xC!yX3z$$Zb*XbZB<HOO_Jrf%jgW{*#<vhz1bc1JK}o9%m2
z=32sl+)H%K?8=IK;AnJH04c5+56*j15MglFd;QhE$b7+T#NKPf=Im-)J*6Ve%8JWM
zt@*iVV9H0t+WPuR1m@*F!>%khROZW1G1Atzl+KBpalhK&e+RgcG%_kHi()taIgDNg
zU(Or{ZSWfgO&lUHs5yDQkeS-DAo5XP1gB<*HBM4Vk`!&W*Bv#4&_D&pJ0EN$Wf4}U
ziu7|dZy4=^+O-V{-=6k>!OS%Ao&@^pKDfImLi3+Qdt)#5sS=ZCr^K39baU-e=Q-z-
zJutQ0JShbBK{J&aXOnN)YIDbEsk{48y0tVZQ0RDH(^8GRVydx^c5mW%FHpi<_K3I!
z>y>w`uh~CnwUlA-aT=)`H7onQKCmFLS704bE}UFsfr~A96qI41u`e214+(NAvbKG>
zmcH0!m2P2P?Sp+bH~3pyu(UND+Qc2?uWnIzPM2~uO%Ec2x_aBgV~eJvTo6HKqK%AK
z4wTK+OzWbn{C^`sw#K9B4Ueq{6@9z)O29;#9(|!dOEXbI(yHDat5xyeK3{Oi6Tftv
z<sNMSTK`%h)z|iC>OD9VksFuZs@U7xqZxjIHT~P0w=hB1xX&cUK3=ELteT`a9&qs^
z07Gq@X<A~6NtJ2NhS`NRdiRg)Cug{``3Rql!ANyZ%D!g*inot9_L+%@ReHN4Fi7Ex
zN0qAy84C!--l`n5Wppd%7Bck2ZSs!F4Yi3byfUPYHbo7Oo;t`UOlK&uHu<Aa?y2*c
zaLL@81*8*Z{DIv9friSdA$v~2NH)HdzEPBA{ZufKN<aC!_^q=KO>;A01e<FC016qv
zl~uC~F{0O?b1Jg!CCZNkf)!qQrRjS0$&7D|_t~1`$S2i2`6OLz6cC>S_ZPI+3>Y`A
zFquZE)693fNw|?JwpWj}f}nbQiUTL``K_xRgIV*A%G(bbVO5TnW6F@Fa$7kiHevI9
z!r4<fIeL9IoF~u?8;oGxVdqR4zju@S?y{`4SI}7ZR!0Xnh3JtL_~@>>8_gugl&vV|
z<Y(!K=fMly&Dcf)>fNVPQ_8N%t+Fze1~mV>3RtU!b_I^E?+cd_9s5MlR7*nxpCfC|
zJdT{aU&%RglHUPV-qIkG{~J+tLwa*^EGpd(Hm*p{nE%6IE~Nv?;^>3vSj0Z2%LRcB
zBMuMgT90mD?%KaE8|dZZBQLa;LUpc@I^ai3aiVC!D!XW5um99ojd<86gOxn){xo0j
zrP|B^(XPL0sZxB_!!Hm29;C?1G?mmmHy9bIG5GXHHnMEy<o_yBY3X;GRPy;HMZ*HQ
zFgf(yOc-=WppN6AYv^n^4M!60voB*suJ3hgDE5Fh@qpc}1{r=`Kk=_YDih{Vj!Ebb
z8<_;5K#BQ~MQ0jqM;cqpRgEMM4_`x-Xjphi`hl#iahRK%xDt@V;pViD!M5&Vq{eG&
zJ8_rEZEOY+c^>TfKzRP_!ZYOA*rYxUXPKfp7h2hu2XfrV$#s-vw1=l2w4NK(oM$I7
z@UTuqJ|K+%ocx0_{^|oPMFGGPHa6#XON_SyLn=bX22E6qD;&0F-&an|Zx`yms6D83
zbNhqT*473#1AVmua_^e12|Q4DFFOg{452r@V}elW{03)z&g$OX$SBY&^6N{Z0Nn+(
z8*ig-a9l@RV%i)OlC1G9eO>zJne=nI{=cOyw-`<ByUM3t#v*g4v@4g-GhGxI8Ha-*
z$M_%~7@E3}Ew`+++O+CXbXr(uHhPd7xU{mi@^}K8Wo6A>Q_A9UwsAMh$z3blXR%(X
z*<<8)&$S%VB4-6aw{ayYdE(sv13Iyf;<$;foT~6PLx}iWG~-5OmgZoq(e_{VtSl|t
zu?U&o>f@G~rV^ccKilJrh+joupPi7K9Jx58aE<$1n4~!@E|jR%Qx+T?+~05f8|g_Q
zkGI9BM$#$Gmec~VYp+`VoFF;}T|V$rXr7D-65=w`h%=|Xo!uAJgJM-xQ208c%>3TL
z<fmSYupLR`>(`}-b7f_B4qG=eDP4+rsV^g<oC66a{ydT6=~Y%%S^1B5!%A(wc71es
zvWkayybMS_D|4>?@Norg(cmeJoH|Dn45R+gn^hDNQiKU&#Poo{(UEHvkM<611;#6|
zo#k<9X4c%2feL<0Wtcxde*9o8s;;R4T28CWuVl)4?QQnqC+g3!sP7&9huWZmCYV_O
zF#KsB(OS|%p~!t;I@k?FR3XQ-f~R{2wE5QeZyscTrfM$Wh-OTFE~Bc`bN$mbLNdw%
zm|GUUPV>)pt~^@@ZDDEvAMAFU8?>o|I$2UByF&%Yh_|t!Zu1=8tF09(IsqR+Qa@Cc
zW(LS)vS(*^k#dF>$D*wD!jjTjQ4T~tK47vW7%+GIokLpoZ@DME-FVi6Kugjt{B|Lb
z#(={Ui&7@{bq=|sgL3f>ptZ-z8HZ_qMrBym&i@u*B2!*I)r%zT$A;Ffj;M#5h#Q64
zSNh;0m<N<0r>RA$7KaYrq31a#(>((eozZm#IXSri7Ot5Q*WP^Q-Mf!jIOQ)tp){VR
zn)$4lmaa+WZ557m&d<-s+)u^w?ec&4Or5dUL#;BWoA-Dut!Rw+1s*~?BocDYHqGl*
zc23ia^rapeUm7%fsI_dkdJ3Yyhz9;E_dK^9Z2gqqj$QNs;6!(S-M@_&8spK@((1Kp
z7|d~P!eY@Cn$yO9U|2v-MDxQ2xE~SMq?=LhO)630Q#`gGfcuq|6$)ujCS`QBcjEka
zYyux^PuKQmu<3~qEkfTU7v}ZDJ{--j+Xe~&54Yp?meV@yEvDZ*@$1_B26T{e*ne#m
z@H=4i`e^A%r+#0PxSjJV>x%BoboW4m)Q%FqU9`)AJSW`V^pK>W!XbI;YL6#D>g(%e
z^vEF#Gz-Z(WU_$KxHPrKvp?=zP08t=@n9BA{Ai<KMAu*-Ln`ANr-iJNBzh1W-|sdn
zySB8~Y_*gZ5p>amg;Q~@`D~#~DRE<^%+j#_S@7w895t~kX(?d2ER%u^>6Y0qUZ5Ig
z_<s$r8zvlNceK?&xer`Mr<(9xDnM8Q*a-`+b6Lzl*7_pqDN8+xIk?RAkEG))`+x>`
zoQ~GU?Et%Vs0`WZjk|{#X>9}6tPj$I#hiQA@$a?25Ut=LA_lK=irZ}@WE;pxQj~G|
zEM^3=*>w%s^ZuxK3p;ZUegA}j50Dfto|zoYO9ZzGA#^mM(_II0*YMVA7Du59A7qaL
z@Z>Vgfun-G2js~Ma2^)*=MD09nDP)xY&_o#vb53NW%%5oru3MEq>BzUT5>wRd3m@r
zgrZKHH>xQxX`*82RWst=`si&z5jFvGfy`y~w!fe5rkRw-h)l0}FzT2`Um#{IudJx&
zOg6|rFWI`Y{-?~%nukACT=m0fL3I0goo-hg7l!E`9$0eX?bMn5-t!6ZI4CgijI*+J
z>uh?QHNJ~YKYfv0--0w06e<%iK0Z3}Gy;Iw;jIH313diKS7I?biosJ9wk*%Um0zA6
zpX&>ZFLi?b$(v>i*rx`QJj$6c0|TM$@e+sp2{OK`-IoMd30%}c1s-h3iLf(pe*MhN
z{g3z~c3RmJ5ZG3!8?T$K5~>{N(z!A%&vQOBHwRqh(G(T%*45XiZ#v#z?%PK$l6Blf
zTqgdGLl21>mr&1&WR#ytR7<{0Xw!gZCnX(VX)40(`;z{{Ci4KW0SL4$iV6<enQLj|
z)ALtT2Z377Q<L@=M1p-kV{6$Z$+~VLUNMOEwA9qAFMpVMdT!UINfvP$T#t#y_)|46
z)s_K4@^7uto_B#U^5esu6Xec)5f$D3?msHkH{2wi5cWYH?sndL&Gub!Px<iKGX5?z
zyERTSN!B`=I-Fq2jv~!A8KQEapN4QY=o~9vd5Wy5cupSh3?K~V?Y!(rGnRw0Sze`4
z><R+crKAzg;u|9Zs7yDPn$`ZQBhvuaFV0{keaer29l7?28^XklO26Fl%1SV<H%ZQg
z&yy!DG(YbZHP?zJpA152&eOB<a38N<Tg>YGA9Vg&s4T1>AZ=PbB6O^4yS;}>rM;X0
z&+9>iA)2@VlV(-`ZJO>+c7eSnM{xgmaLozF^qGXYj4T{|Bb%T}@|r4~Wx&g2uZ>0J
zPJuD`874*#_EyaGDa7OO>k<@oelUOSkN@gmR@<vr5JgDv+R*Zzv6*z1JXl(Eu=bJm
z?<`#X-T=3iwd_XA81Gg};g)qx;mdiR9xVTHYFf2nN5=tQ6CzmG5F(;7B5$)cgsBLj
z^Sr8T7ws`{X8#9;I`3Dvh`8fqK44L0*E((J#b2Krby`|OL_?oJVG`swC1S{dII|kZ
zI%C4#bN+gRo5yD4sk=ERv<UPYWP-6Jcm#@WPIQr4o{h<fbbv4sbC2W8oF;<&y+YQ;
zZ#sN7>Ew3t<hfN-6*8Z8`fL2eAO3a3&bEOCbfr-*u<}vR5>u8waWjC#D{MVmSUKi2
z7So4SsWqS4ie%ZvQa`nGzx!gvj#)qu|DABBoLkx2gglY(2Kb6T>X_(P{=H+<0#jB)
zG?SD<UyWK}E?b=Y7naWkuTMx4xrwQg0{G3|DVlpsl?=tlbFs6_JtmRE^Q<rg(Xos!
zKNhdHi4-m-MHP?tFFz(T7ZU0#9zA)ggD-1*&<GqZPlY!>RAF`Ksug7#7uY*sX1Ijk
zthlPlI2wJ6+seDumtNpiQ|o>nDWm2*b!ReCQ2E%S>Oh0#O2qRv-`=z>Mpct!&ho44
zcM91CvJ}AjEnlvi`K)f|-sT1H_j<|%-6*Va`C5j8iTn4L8h|jb!*lg)1E;gUT*;OJ
zq(Ey~*1dhcLeXbYq$JxD?vO>Ea1Vi0+1|nO0NXVs+4Hq6)hmoM8Ot(4Ou94o-0O;L
zT2}V^+$iDei}`qNIkQR|QcRzl%GdP*QBgLbdmnecCGk2$C((MP>4Gs^X({&5yT{9-
zN;ivRqTX3r%5-8dL1;=Z+rQ~7KK3SH=HsQcsnXD1H?&%{coDd$;7Q@{*}$g7p0Svi
zlc_icwvCpwz&S#r*IRoMJWN7C2hh|wKm)1@ej7$k8o?beLeC4utE#LgzjVkID3vl+
zbT-g-ROPG;jDMx3h&EI-TKbC~^d6G@fGSNe-m1DX4V=Py!LTeZN}wWg(LYc<Vquwj
zs|!@q7WF*K(kO-38XNzBCdxq^912S6n+l*6#GUyzg1dl6Fm-G1OH&ijSDx!l=-EO?
z(=n;&Q@@_x07qSYj_IwCIY>|MN|}YepFzr&oL}!NFXsuIAf`LO%#5btpE(liRs!a|
zJo|zz){;d4$_gL0t{!O_%u=;Eo?fEA&bd0}sJc+|4d4ssV4ql&TGN*Ssw={)%Q|$l
zBa4H&w)mqEe)1}Rv;za>J%A?^r<3N?3~#|YXImM(Foz5+d7O7+rXJrWjQPbNZE{Y|
z%)~#kC`N;q(6zod6cie~r;hhC8i3jTUfMy7(-@gSG#YIoNBq&b^}^<jGP!H8K1#J_
zmdE;;Gp-yPbA{2IF7m4m`Za4AvlY+o&a0PU5zKtkOfI7`INTPR;HNDe$m3h5d_v0k
z>>7}<epYe_lwX$i3BZ44PiwFs$A<2Q*yXvox^6UDZ>=~uVR})0GKkgqG4G$v$Y@tI
zdfTvEk;iGY(zZ>y{QlJ=e$=TQEs-kqjGwG|M~6)>qluh?)9UI0*SUq_-zfgM4ol;r
zpiOHE1rLt2Fx$BVb90B<%%cS}Ft#V=YL3a>@X70U@0^L}`x=gw?UCF_o_<Q{Sf%}S
zc0i=%T;!G>7K9(~+{Bg1fm|E*)x=wEzJ)_H>TIqWtS-&jgT7e=f|!`V=`)R6OKp)z
z#`8_wAM~-$>Vv8y4w|+y{dGF4J`ImiQ6^?bg3o%ELxfczr)yj{e(cP>@BfZ8+(;>9
z_LFV4dm%e6QF5#VjSB!D5`24>S2xc}OKSze8ozBh9&aGecjl+d<SsdWxb7aPG%jVo
zg`|G-T%U#A4&BH}FfsC7Z|P7-%TteC5Q)?L1msH3YVa;kDmmy;&=8bT-NOuUk2#Wm
zjoTBT>#>|3JyQuHlZMd}2t4-ug^BUE$fD+u%9&7&4UAQW%%SUS=WftnFP*GJb{5L-
zMq!Rz=<L{pmR<<dmcT8%m+^pR>qZ6#jG9zfFPAB96?rMVnAP<gzmoH96Xr8nKL1$V
z7vj&SEzDu{f%V3XN{pk}rfbOlNkx(m_zI5#h$$7CLhMHz49MV_DD(6Ru;brsu<Z8Y
z7!9~Y$eTkk%0xl69M>yVRf2-7>`z%KQ%Bp3q=mwt*-mZzjKtFwrHP3N@>%$oOo~V4
zw5YenZ9YjO`G8qn^z}=f(Cm#6Oml5*?dS0Df^mpTCg#g0za$^OmU)+oSDRh#D&V$V
z&|l&!3bOCyM|Ma0cAt>-!23qOA6fcAhxgA&>#>C@uh<d+$xINC^7G)pmDq{$iRFgv
zA~@Y8eF)4lsAfCS^JQ-CflCQuGLsE<mc}Qk=<B`Y+y}ja31(;wCElx@K_w-1nVAsw
z6e0~pV}~b8Oe$#95C``OlM97L!oHS_7Lj>3SvqxaQLh{QAxwmCTXWl=auVqLoMXGe
zEby22)Tf_8l*ub6S1vOZ{u$tVMb8!D6|U&FxE@Olh;klQf;K~wO*jABe*D2L=;L@a
zOlhnDHSUIMg3Y_d5m|W|YC2#@?1EafP+wo4QnY?(ki_D_Q&?SJUh3EwgjU71T@d-~
zwijls5$sP9(7#C?P=ekW_m1WStU{>rKa-Q2jkO?4mn5_gjk338H*ja~Kht*mSj&lQ
zXz<Z}-^MkHUo#cdYpDS&#Z3n)w&^#7v;r0>$mZYOM)gC)Sy*ZFaTlDMU6;k0Dd$0w
z{&*M6L%F`vTNP4S;J%-p4`j`e5A@xeIyfT77V*4ggH-$g5u|qp7E4T2Uhy68^oy+~
zvhUKOu~l`SOum!M+~h3XdA)~OvFlKy*AGUJ!_08Laz41IK7_nEZJ7}vpH=SG;F(A@
z33~F>1A%h1=@{pVz9`+OxA-RrQB>Y>z@-mLl$Pr<H#3h5ym(yahR11IO_UTAI1ss<
z+BPjPzT1l4uU_xAguyHt>OJush8=jk{OHKT1uAX3r@SoFglkrp-qEjvK`mnSqXWe6
z-%rHrT|*7s8q8?1w(U>n!-jVn_@L8^*L%;y6vt7thxw{ISVdYzUrLcbS&%QeN$46>
zh6Fo*{P=O|)3t_VeAaqpP~O0e$uSi!nvEI~7;^OA`{|X4$#;O~xl6|TE(YX{&Qx(@
zE<<j)0oPTbzqEBWW&9pfEnLMex}B8{3$X~sH)h~@Q33r-l_dx5)9`9b=*dG*pV4gW
ze&G4`48V|T0z7H73E-*rIc|%TGch>7>-mYHMrn02LjI|e3HLJ*>*C4i1h8K)trm_D
zqqJv?A{3GFwpk61x?w^Y98fKpG~Hkd?I1s40xAL<U~;E9%XMvKCAr9SbQ|}R%}*qJ
zownyu5*V7&5E6t?yFPEBvONW>QH4OxXrF}EE{l)*@cz!cL$s<->8@4OL*Mp}&4sA_
z4&-iJwKyh;XQ*#%qnE+=e2h0>N*?MHdR8~VyF%@fZHOoMhEkjN%|AW_y?<`o`qhU`
zlngO3q9sTg9+NW}HVb<a5D<W3?WDoG@GUKnbXeeFeG~j~uIzG8c?>fLC+&+ixKHm<
z#+`so6~R@GSa@;4UsckRFe$WWpfG$zMONeu=E9J5tx0Y}U0s&jXeH$v0Ch-m^H!{0
z-G&0~ku@WuI3x(?1zJnsKG?w~Wo=o=JbF_-XN}$E84PlmR)mug2iYcqy~}+W*0{gr
zZWFn{;6<Sfy-Rdo0e`3LTm~ka*F|fJk`9ee4`hAIeKx~$WITm5t+UPv74&4i;+z_{
z_C$r~)}k3EFI~v=I8$|vTWXUV*kzM|O#=HoV%vHVSI3Q`xEGC0PA(*yWtOVw#fPp9
zJ*3)u<l*7s3WW)Wdbq|0yVeJF@YcZ7du0>sF%IVb<<=EIrIiC{tWXzh=|LBF=kKO~
z;GK@*3)i0mgHK5fC4VyhVgf4C%H~x-ybc0SRe15~Sju|1!O?#IY^nq6UDU(5Anb{5
zm(|RFVZ^P*Ur{y>J-;LW$ngsM4y0q>RfPCIG%s*<S@yz>!<pog1NrOl$1bDypWXcZ
z+zHfIeoGU3oJDP}*>j$EwJP*a4RonhCbw1u0hDDe#65nnjFe!TU_K9z#|G~=40Nyw
z$hg}lz3GU5nWw<QZM0pPDW(!D>M~L4M<~9M&(N1V=s8W>5&pDMZ<h2y{j?x^Vt0BO
z#?3xpUiWH{H$ZfKv*EdwgshLbV>wnLI*QrA6ABMceVV*lab0g_mb`VWQ_>u_3vJcP
zq}iF{70wQNVoKogwzkZ?I;lT=Tz7_NqgfWS@!XG21tjcWiD&R^*TUY`Kdld-kg>~#
zCLORW1?h@+HN1_3*$WFXhFlYa0`GOLP!K9rdWx2?JZX`iOi0MF2D7X;ZZ7Pdp;@#o
zizz<gJZkz~e&42L9D)tHg1D(b(fXs7qNM3&DrI#bCzP<B1rz=0o9S2`VPJQq#Sg;$
z{+nN2O$NQM%~+4awvRmdP-voEq^2=Z4bETi&{01}g-6!0-+Mf-<$nRa8balnYxDEn
zFK<<Q6+;@g1>TQ=_U+CDZ-Dkqe)D*Cd3lUM!8(MPttlw@arNphve88l(BHxs&VBP`
z7Kr8oQ1X)=K3TWs?1Mzr5ceKEdYs-88(QLY--5LP3W9SQcW`aiH~x{P?9SOIONMrC
z+^(0mz>*lNH*-{%_3F5#*sHVO(gO)zA#G1)JS>WE8y%?M^XkpFzrQ%yclfYj*Izy)
z23J;A-Y?tI-9=qyBNvrUdU0d)x@8uNvb&ir>z~rPPMtboTUASZ*PR+;KW2N&Ns}hI
zCOlqtzw2$YlNn@DvfJp9dcT`DZ~lDoVchjSbry|Xe<8K<&Z7GzE9<wGj<k`Bj!b*e
z$zu46PQL`#xqkb|{5CGCHv9JN8x|6B=lR3XO;y7_x4&Ix@oxH07O<{N39MR?Xx~hS
z-P4XOa%glc*Zj_%JByuTTTivH&RnpdWl7xOdal;e)e9<{jn(`8k#x`M%J_E`AVarq
z-8_qjFZk`Z9><sUX_0UxuKtLEk+$-t4fj<3sqo3MIJh8Ye#qJpxhZcRFYcH0+vVRo
zT`jyee&*rB-c&_dtF@u)TN{knn?75PynFKdoch+O%|5()Q(U$s7Ty@<IhdG!=+K~F
zf7oQ6_U`pT4~zckw{I&;=5c27!kGEXmUTFA=+M547cE<K@lQXZJaffrO>S<T%Y}Gx
zdczjLQ5d?y&1&1WZF!1$B8}UE!OwKbD@_H4_P(nrFx2LrN88{KeebeuWEZhme0p_&
z^~(om>-UU2zGtv?S~}2Lnejn7o$k_Bb^BETD>74_?6RzD-uQc^(&o&WGoFJbO>U-6
zTUi#ktK`|O;^x-YbE1AqGT*&>H}E3{dU$LcxA&W0R;{{uV0sJLiJ)P_%;q0Suh*zG
z)T>v^y?giGKcj2ZdFbMa&aoFD2ZvL-q|Eh!7tPG-Xoq;Z2Or)Q=Qi56h3@SrFE200
zB}1ppoay21-5~kR<0b(C0c{$a&uZiJ&G6yFfp)r3Fe)R!t@7I?OO_lyal$Ju&dJBe
zXV{1lQ<pAnXLfOpXzYj)Q?s(ZYiVgI>D}9M$&w|1-ku+@A--bd&dR$ve;+X_S?_9n
zQg<Y9*OIqylRFF;-y!AoBlp0-?^;VorlV(9-FUEi#h}DQ*SD`L8VwjQfO>eL39!H~
zZ&f#EPL1YyWHh~hp`iWy_wP>^;^FBT8Mi<YmCF9(tMwB)+1WJ&6^<R-v0b}%p1`|}
zbGv=ZMd#yrTVx+17Ps9PJbjw-K%lKStGRFXH19!QEKw;9`3YDMKi%&0!TLhmqJw`u
z&_6J%{m>+H{*MMMprK`z3}TZk30AAV)ETqd&;L31bad%i_55G&UM^qH|NR?(5(zX|
zg-5_D$di6*op}OXfVx1x;!T4X*+UpkArKV}Qw%m54XldCBLsme8T^H+h3z2}Q>e5`
z8eo+MgF-L`ijemFGvLg#^IDQAAH|SDv!jTHt75>83=k<%wGu05Qn<&@Y4o_NZ@P;l
z5)o4i^OU(!3Ay0ubRK4-Y7L+A&U#gVP<2v};J1iH<l%rXpn=SL_CnBEh&{+y?Tz$k
zZG?<{7hi#^9Sn$J%vz@4D3X2<oyV#8^yl>H8klF(O;JR_QMJQ%arLnOl``!~>1rjU
zRzoA2D5ZczDU2zl1VU;M1%<{VY}QCrg-BH>7E5yPuhZ}PyT}}6&O+cxM^P2bJbsRt
z_uNI*FzmW8FaTX3G}6!;2qmE|Dwsk@s*62@s7M~tw2KhOvdia!FfypY4iXK4NHtm-
z+>?39pYK*JkeOd$3TUJXieRvsAQ~=}?guYxj8TdV@I_r|k)(!Enm7hLjRl?q8SQ9{
z8Ty|AY*q3qje$D<z9FU_F4?#)7HNkE$Plql>Q@J7g%~hy4_u2;a;PU=I)r2!g#b68
z7@~ssj?gf4xKaiM^U{~aS*9~E_<^*{<3QFK*l3Uh>Sox0MwsTBpff-TC>2eE?(-;f
zeB(4cJKs77eng763?|V$XiSwjElL2{Op*yWp@d*96%EQTXuc4R8MlK{B%+Em!H-q3
zQ@9c$2xyIAZ1wzzR+C&obbbmnVI)<nw^X}am2wTU0+!|M{|I4M(3iiFx&K(|@@;&+
z_~o&BcoE#o2>aKmI&x`sDg4Fd@RyXtd=I|@7=JPf6C-7U5DM5d%nz^(FcipWk7z^@
z8;q(ETuaFzXAuO&X>mfUmP0*65DlH^9!VjDAF5KJB%;7EB`JqofW0h&phy^10l~|c
zcXDMu0Q*j*LR3LXn1Yl;PBaoQLCK*WE<JnqVOFv`59w(H=fvX7&>*Eo@&?0|NL6g*
zT9BSNFc==~i3Lw)u%2*&7sM<~8sE+kPX<yMffdm}5~xrG%(gouk}IWTKJ$fW(H@0h
z2m$0Z3=uG<#MKb0gkTD^Ku}r@Uk59F?TwpY>WBtv0A}z+VT^)?cml!8GzO}Xvh}c#
z>8N6er;!x*;P{KdZiaAr9WXr-idRGhsnB=?Lr4a?nm}MBO8?Rjc!bG;{%oE$q;pM4
z`DUa{GY%3#VLHW*>mFBT7)Y)H49ltxo{K#Z6%3f3VNYj9LLdZ6g9Zr`DTY(4q>@^N
z0wKxZXaXUlag~zcScbo~1R_Xxrp<7+5C2uloc;l24AAaSqk&`Kp_ng$#+0+jQIe{R
z@!tnG{~WNY9?mW%!KzGA9>khQ8UoiK1clOkY=o^Skw7&SqLMU7jrfb)N*`t<##pD2
zNu<-NYFJuV;7SB!VR4o@$tDDGq(|7F%SQ?*B0pKd@UUB)6)D9KDgh^AQ7no}bC7^K
zrGO$Jkc~A9*GG;HPQB25G$eBL3?uM(U~$7(k^rAs2pS0`M5BsmNDU_eRZ1`hCT9&R
zU<{<PICfm6v=LEtaD?LlObi<S9JGaFs-!PGK3v^W6%H$<5iAM9f%+R%O!{XPFinvW
zsu}2?FHaxGXkAFi69<kE1oXCyhAL#fFv)U={V7x73Roo)vDE)9beg{~U(K*-#v;ss
zDbAKt<4QzD0|ja{sw5c{8jWC_$w%uSdwMp2yF)VW35|V?69l4QePo3SMKFpPD}lCS
z`vJkUsN=!#!9rloY7$b>Xo(DTzC;4y7)t=4)t=2p*9a=n&~T&}qF_}YfvagIWke2B
zL)WS#LP~_BP>eA?K;w2YgD(uLRCt0{BEuO*Bjiql>Q`%yMp`u(i6kk5e1Js>28`)H
zkOKU7#sxI`Mvr4xoHb(&#GqIdfsmwskRMDbqK(kd`A@@eW!0}DmciW>3fg(CnO%a6
zGJYz|9?vec*UjR&R;h{!8_IY)2*a5H0i9<(U6f>}6lN+yN#3eba#+yO2vps@XOQ6K
zA`uY*D{Aar;6Qf|gYNm%z5$(&s|*SxkVAK8vdN$!6cmXAMqt)9$jrm=!UFJTW1M#>
z1Zz+l$yNxVECq%ef{`pfKAUQ!FL~@^Da|D;EFul8h$4bQ@dy!7wSbld)HkXX2%M@J
zqZEitiveE*RUuLI&=?^f8({WvCB#890`rqX5-AZ!6#Ls$B!xxsrL{RQY6u?RmrDWa
zfI&6op-aKas1`K=gTSv<2^4}UaJ3p?q4?RNPy_-NDy=*ioNY!mBa}>m6Nrq&)o>zM
z#%w5?U-}FMtX(2yxXeT`)<B^P%OSB7@Q}oOe5i()il}-##4xN}k**Oq6<w{<cA_d?
zI`4BhIZ74LFaay*{3=Z}jA_*fK?6e5F*DS7<q2rumS431_9q97nZcG)(TEfX9E6Z^
z{gC3AG!i99N=j%k8vT>&I5$X0B1+OzMbh3Y)D?}wZ~_4y2@;RuTEm#wi6ne(#?_@O
z;kyxwB!MBJZ4Qb+k$6POh~+>whz5!<5kcc>xEg$sBt~ibF*1-13cw@{Hq1oT5LgN1
z9D>E81dh@C77r6BU~*D8v4c>RL6QI}S&(ZbOu@{=@o2z2@^x2+P(OOo?L-2&U{<ub
z8v+w*7=xn_C08$~Wdu_Tm|YJQjH-<Se54S4SXOmavR*C{iDJM*9X7&)4~1|M5WeLI
zBoZeOj%Hf@Mj%iGuEl_~;6|3F0E{LtF9=Fh&1`0%#D(29-q8{<3qUS3`&kHL2qvPm
zVElzbz{AM8<YPcw5fzFdhI00d!=DJNH7a(5g$T!D2SSU<$Y}9r1uobX`(?rwOhW=I
z+o&UvDmdzMJ5QG}-EoP82_6grSy%!fDI}Ik)o>!?ma#CtVD4cGRUuM}Qi+8*2}Glk
zM!<?#6&@ue(PRX2a_rGd9U-PUgRh)HkEY`mYBek+5ise1$$-HJmY2~?(}IqTz|`Db
zF0fOjDCjAtmVggW;uyCL<H6<Oco=xCDuhB*Nrr$=1SkbW9u~#KW5C+QAVjU9l33Ad
zYIml3G@Kzp!c+{TB_1i|tOY4YF4sM_d5%IxNlT$YLqmeRJqHSZxepyG5;6<BiUd3Z
zG&SR>(4s-$$9!6}hj*axcwpEe2@b6HBn8H_6px5O6cp*eG~qzU{FFupss>lOS8<+9
zQ2f6r`~cJzj6tx9_6#TlA{EhyQmaA;dkB$5$sjRF;Y6(Xv$pMEr5eRh8q=Be_ymzO
zwN^!;8WketTOtK}c6_2gV+?;{NRS=)uK~gTTLHnU)6WC}+4-cWpV?Poy;b&y3XNqA
z0V0}IsMw9Ko;{>QG@|Nll<3T)u{+?v`=@0v8d+sXWXAiAkc07D%1mrW((G(1p2;jl
zN}&k?h9|`@SdGD$pi@i^x056D(ZqmDOvgxTsjR2z%D6U6ah3!qKSaS3&6yY?-uV;r
zt3`@n6p^ICQH&A`zDK~UA;SKaDull{NO+WqCUC2ao^oikc$^ZZka45MP%0EfAQ~vZ
zSNzYy#wNtJKduDcmI_f&IKjve3RfWnY>+lU0l_4RM$zW-XDS^dE6ahYhL$hD!g7$%
zb{5<Em#rC02gPi^3OXc>Kqy!miNKVW5U?yL62y`rhf>5Km&~|vm{3HE<&YRwD_wet
z=@7hdqzpEZu{De<9YEy}92p7NG06eOC{)V*;wa#L*ECC?6Ctlsq}KSj=Kn?r9QzvO
z{^wC{W(b9;L9~?>2xC!n*huW;D5L++!Bsp)WV9hG@JZP?Uv+<$_9Q>s1T=WpQpQs?
z7)(|CYExR9jcRIOHd<W8*;V6O47e*WWe?^!QmcXzq7jVkf)b64L<qsD1i>*8mZ?F-
za>zjmQ?Rf-QX8Q}30jIIanV$^X$ogrg(#eF6U87U5-*HJaEB%6RfS^+G;9PDJY(%g
z{-}|RH7g>9(UgeA21Wz4(ou@)Q^6jMgt)Vj)dB~?vy`+k3iT5vxe3a!n+Rg5*i<pG
z*q&WrtSdx9$|T^1DS!-%M@bZC_XW86v=~bT)D;Yyk_nR8LA3uzH-%|cDtidSt2IZv
z$`H!;2#7|?9#TZ(I3Igv>oc^D5Hbkr8l~w0;TYr|8U%U)V@j9+18=Blu&<Xr_zZQ1
z0yGE~M8S$!yDA%SMh8&EQf4lgeGxyP-xw|hnjYxnPy(fp08GJfDsZypkn3QSmt56m
zjn~dxmQRu+3{j@mkwl<yAxK?qLxN57O4JYtNmlXsLNrR+W1@h=AC+X!iAr{k0&)82
z51R`oARO~VfKLt_adr+^x2iUOL`&fW3adajU<#}iDXgK-ThO{b0wz&~l>bB`l!HVI
zS_DolmrNq`Y7+cprh(3g1hMqXjVb0Q0VXI~XRz7%{(jCB0PzjPDxE|TxQcfB1Oz!q
zG+aAe{GSj~!&4zQWfK6iOhceJ9kAz?0xu)0e&9|(8{&0AOcdT=QAi|^KTaWXPRPh;
zm4=cK3;}Z&rllGm-V?Dhk3g7^554=x$NnG~IIbw|p>Vrl5Kh<wFN0s{_KZMAv1o)q
zfojD`uuv5$m|%`<3Hu9Zr(@{cHW5w!CmBY<{(h2KBr%G5R`XN7+DTvSq))Vy*sTk8
z!;78|W0&`TLd=^X?@NZfnUED1;5HRG9{LH9;(s1R4dQkf|Dp3GIOh?hArM#zdEgk(
z0l=sH&z)j}X3*fw|M2g@OG&ytslw2nAW|rW)No=@ERw(kkbr^074$`t<n$b}>A;{3
z!AO`w$w+#8OAdMB{x}uH1{;B#q?;1-OfUkUa3YZ&<NveKM><YqI!yFGGyYfuX>9V>
z2;|oY<o~b;B%^i$5yJtmFR{Z@y@k(>Zhom~;Qyk{CSx;22^seL=rLp5!_VIuG*oEP
zQK`vG`5IyR8e#exVfq?j`Wj*SHzQ0;G(e3|(TJ9Wyb|e4j0EHW`5_d6DwyM3%s;Ci
z4E;}UXd-NLj0p=z$ss41i_A%Q53)yZMlgQ8LilM{2$?m&P9DS!@V{_QM^eR<6X<l>
zmE?mNwBo5spos_v<AS;qhGT7zA{tS|N@I~E`pE}hB*|W#6ac&tUxfDS1w{<aR~w7J
zF?EEd4a0l<`T(OrDhOBuG!a+<ViOq{*FxOKsfQC|Ya5$SbP{Xk(C>Vpkx&w@?Lu&t
zj)`-;3Y<W2(!tP<6xRTwlNPnC>h{Aiu*RxbE}V;G6ug85ml@DV2tyDhduCi>_#%hY
zOpUxc1(m5HU_~r{?ZY5AI5nunR0v6O2kQA+>Cjv}tOC|LuWp1Vq7$NFstd_Ggh{xT
zJ*5wM-~<v71dS3%sUa9i!73H~UxIm2haA(jmh;bwXqcc#2Z}%t2j-|J|H;IdN+^|*
z;B>K3!<>7-@XMEM(nOln$v}gzHUfeE6+*aGLNbkWDxEVm3`OJ+kP=cu0vAAF!UhIn
z1GOrIJ>kt-Vj|wKWg_P&2_fKLw7`W)2<ESf*h3_4BpU1)+m|i|EClA+8(?b50@<f1
zZ~~HffKHomtv+c@Nf<wt6J<2fyfW1o^{d9!W{9d+F@Xf@%V1oy+YW~LrSEPCJOJQL
z5(pFnv=loMY$kh1!*m-~!WudNuLgsiglh?UVH;GP9~=uj34)#sL!gnl1;gEvp)Xmn
z&jM+1l8Pb_GET+s4RO|l(cKtG3c)G_2tB$Vo_GSre}aJ6CFG3z5U$mvur>7;r=%Dj
z77-gi1R{oHP+FRlH9N#<Q2+jrqoB%2;Gp+V3sTr1z90p#ZahNJ0bYb4SfiBr23M8v
zd=af$4FfYJ(C9r5C?y2~^x81Z$oTZMG%=KxM&G<Qsz-^C3Ie4~lFzLRI9W#384s=>
z9S8A7qoRckGGpv!L<2kIOyDFO2-fh3Bnlz_*$i}poE#mE>vyQ7IW?U4AGBs%u^ZIK
z5$fNsDgo7*z$6#c!Ui?-!9QgLl;rNc;W(t$Dx%rAm2u@p+>vVh4f>}oa`_n1$b7Y>
zO<!Q^@eh14^vG&rFJC0dD;`w{uE7cTs|u;y-K?(6%p;&2q6`PtSvZALu<9Sp{U~Sk
z7(2)fsy^3F<o~F-j)sBOqWcViKL7XTSlE)OX{MX!92FHzQjjyGMlmhLg>wWq0c*C1
zKPOgKWwX78&GZnGk1Gu|+EoRLhV?@rn7@3<J?=4Nm_1hmz0;6@k_e<i;CKXzP{CNN
zi7i=fqxNt1ciDpwLok%Sbj-M7r0{_|@R<o`3_}Pt%0($WqG2qGxrB%(U<kpVd|<DK
zv9UNh5J!jL>5v6~N0Plg37W57xv3YP{-IN?Mln>0L>Rp32rbEZ*Fp!Hc_Zkn>s;;i
z9b@nHGq)z3dbpb2nh@N913jXzC04t&S;Kz2L?SZmwL_^=q4($>FsR1jf>^c$)&Lt>
ziesuIDcv>%F-i0r07=Y-E#%4F#PS>{jD*|M%?RW1u!=xnWfI4=U{*=6IK|8r+92i@
zFj!<B+?;`Q?xceTAtG@?&D|DejBenE(~)c?U_W2L5Q2-uT^SD*B7uF3su@caj>l0Y
zlmHVL$YUpB>KnqXoN8-|KP^F@Mfmhb8x4!fcuARDP+uPxgcvF4jgwSR5@{Iz|Ju?T
zMsKFl*Yw!eFN}`6R9k4ZMOK-MlJv<8?&=?Vd6IteQ&Y96T3%+TPSz(rVDSI@$=a`f
zU+_=({<Dl!L?dcg7DM9Lmu#c<_n)1ddOG%~`u?+{)7ST(|CPTK5d?{Cn28t5Au$_Y
z2P`0E*#Re_9GHJf#K7<s18W-OWv=KlX@-NYVmXvT+cILovju#jpm+q1s}L9y+w&h#
zN=1LE<&g_RZlI&Zf}QU)=8ITUOOwpSY7;H;begK3PZRh|pwNH%V1}WwXjG|0FagC7
zeQ<_}(1}^WYj5~QuU9~VaERH@X-1>L9>Xv-7=r0D9t`dU+aT7wseMpP%sidW+BZgt
zwak7^^&6AM8kS6$SW2JcFs`A>6q(2m!Gt0jr4R+BB@i)RHcc?RhG%(eq8`O4BnlzK
zrl|~KPY^LrF@9PXO|Zb<v4JrwaPN6><1WaSCaU@`V<usS=d*Z(zg^EhH%b0SydtpP
zYZ~z?lo(SpOkn*B9`zwUYX)i{4yu`%p}%A3+S-FmF}83Zs%19K+n;_CNo-VMS`|hj
z(d4Rw57i<&YncSYsT)w`XN?DeU`m=3#iR;VR#{*SnRL1z3WmU`rmt|Km^Q#`_#T3x
zU}cL3qt)xLVI4xBuofYs^~ms`%*69J;wq)mYMmFsF_qe;$He-8YMLJUIX8Aoncu0a
zoja-?jQO&p2r90Lp3e|xj9T~{X~qcb&lG0=SZUWFsnh;-F-aPA`>T}vDkX*A{}m}o
zv*1@D`6;A)Ss__1&i^R_^Z$pfPj80sfm*UwbDurbjvDQs(6`qRioYWWMdB(YLI9D#
z^__#Gpid98dnN39bab$g_S+~f#2JZVuuAyCtN8EiYj*GO6GqsSqA{?9;rs<#C8R_s
z7*&z~ohdSSgv@)YCfetA=xUu7wm1xts1lJXV8VEEKpmv1+G}JO(_Wj=F|*H6kpC^6
zR?GMWut#~gi@zMzf2Yp)p)@W>pNt`3MJzuttdgtV;^(QFFJ}%jbbX?D{}e$c0{@@(
fH5~o*@9W>!zpsD)=<ojp00960cv&y>0QLg_?PB4I

literal 0
HcmV?d00001

diff --git a/charts-wip/matrix-synapse/templates/NOTES.txt b/charts-wip/matrix-synapse/templates/NOTES.txt
new file mode 100644
index 0000000..5204f88
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/NOTES.txt
@@ -0,0 +1,14 @@
+{{- if not .Values.ingress.enabled }}
+Synapse has been installed without an ingress, you will need to manage
+accesses to the services yourself.
+{{- else }}
+Your Synapse install is now running, you should be able to access it on the
+following URL(s);
+  {{- range (concat .Values.ingress.hosts (list .Values.config.serverName)) }}
+    {{- if $.Values.ingress.tls }}
+https://{{ . }}
+    {{- else }}
+http://{{ . }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/templates/_helpers.tpl b/charts-wip/matrix-synapse/templates/_helpers.tpl
new file mode 100644
index 0000000..5e0a3c1
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/_helpers.tpl
@@ -0,0 +1,219 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "matrix-synapse.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "matrix-synapse.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.replicationname" -}}
+{{- printf "%s-%s-%s" .Release.Name .Chart.Name "matrix-synapse-replication" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.workername" -}}
+{{- printf "%s-%s-%s" .global.Release.Name .global.Chart.Name .worker | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "matrix-synapse.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Get the correct image tag name
+*/}}
+{{- define "matrix-synapse.imageTag" -}}
+{{- .Values.image.tag | default (printf "%s" .Chart.AppVersion) -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "matrix-synapse.labels" -}}
+helm.sh/chart: {{ include "matrix-synapse.chart" . }}
+{{ include "matrix-synapse.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "matrix-synapse.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "matrix-synapse.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "matrix-synapse.postgresql.fullname" -}}
+{{- if .Values.postgresql.fullnameOverride -}}
+{{- .Values.postgresql.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.postgresql.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name "synapse-postgresql" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "matrix-synapse.redis.fullname" -}}
+{{- if .Values.redis.fullnameOverride -}}
+{{- .Values.redis.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.redis.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name "synapse-redis" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgres host
+*/}}
+{{- define "matrix-synapse.postgresql.host" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- template "matrix-synapse.postgresql.fullname" . -}}
+{{- else -}}
+{{ required "A valid .Values.externalPostgresql.host is required" .Values.externalPostgresql.host }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgres secret
+*/}}
+{{- define "matrix-synapse.postgresql.secret" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- template "matrix-synapse.postgresql.fullname" . -}}
+{{- else -}}
+{{- template "matrix-synapse.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgres port
+*/}}
+{{- define "matrix-synapse.postgresql.port" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- if .Values.postgresql.service -}}
+{{- default 5432 .Values.postgresql.service.port }}
+{{- else -}}
+5432
+{{- end -}}
+{{- else -}}
+{{- required "A valid .Values.externalPostgresql.port is required" .Values.externalPostgresql.port -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgresql username
+*/}}
+{{- define "matrix-synapse.postgresql.username" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- default "postgres" .Values.postgresql.postgresqlUsername }}
+{{- else -}}
+{{ required "A valid .Values.externalPostgresql.username is required" .Values.externalPostgresql.username }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgresql password
+*/}}
+{{- define "matrix-synapse.postgresql.password" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- default "" .Values.postgresql.postgresqlPassword }}
+{{- else -}}
+{{ required "A valid .Values.externalPostgresql.password is required" .Values.externalPostgresql.password }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set postgresql database
+*/}}
+{{- define "matrix-synapse.postgresql.database" -}}
+{{- if .Values.postgresql.enabled -}}
+{{- default "synapse" .Values.postgresql.postgresqlDatabase }}
+{{- else -}}
+{{ required "A valid .Values.externalPostgresql.database is required" .Values.externalPostgresql.database }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis host
+*/}}
+{{- define "matrix-synapse.redis.host" -}}
+{{- if .Values.redis.enabled -}}
+{{- template "matrix-synapse.redis.fullname" . -}}-master
+{{- else -}}
+{{ required "A valid .Values.externalRedis.host is required" .Values.externalRedis.host }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis secret
+*/}}
+{{- define "matrix-synapse.redis.secret" -}}
+{{- if .Values.redis.enabled -}}
+{{- template "matrix-synapse.redis.fullname" . -}}
+{{- else -}}
+{{- template "matrix-synapse.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis port
+*/}}
+{{- define "matrix-synapse.redis.port" -}}
+{{- if .Values.redis.enabled -}}
+{{- default 6379 .Values.redis.redisPort }}
+{{- else -}}
+{{ required "A valid .Values.externalRedis.port is required" .Values.externalRedis.port }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set redis password
+*/}}
+{{- define "matrix-synapse.redis.password" -}}
+{{- if .Values.redis.enabled -}}
+{{ .Values.redis.password }}
+{{- else -}}
+{{ .Values.externalRedis.password }}
+{{- end -}}
+{{- end -}}
diff --git a/charts-wip/matrix-synapse/templates/configuration.yaml b/charts-wip/matrix-synapse/templates/configuration.yaml
new file mode 100644
index 0000000..4806f33
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/configuration.yaml
@@ -0,0 +1,228 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "matrix-synapse.fullname" . }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+data:
+  log.yaml: |
+    version: 1
+    formatters:
+      precise:
+       format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+    filters:
+      context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+    handlers:
+      console:
+        class: logging.StreamHandler
+        formatter: precise
+        filters: [context]
+        level: {{ .Values.config.logLevel }}
+    loggers:
+        synapse:
+            level: {{ .Values.config.logLevel }}
+    root:
+        level: {{ .Values.config.logLevel }}
+        handlers: [console]
+  homeserver.yaml: |
+    # NOTE:
+    # Secrets are stored in separate configs to better fit K8s concepts
+
+    ## Server ##
+
+    server_name: {{ .Values.config.serverName | quote }}
+    pid_file: /homeserver.pid
+    web_client: False
+    soft_file_limit: 0
+    log_config: "/synapse/config/log.yaml"
+
+    trusted_third_party_id_servers:
+{{ .Values.config.thirdPartyIDServers | toYaml | indent 6 }}
+
+    ## Ports ##
+
+    listeners:
+      - port: 8008
+        tls: false
+        bind_addresses: ['::']
+        type: http
+        x_forwarded: true
+
+        resources:
+          - names: [client,federation]
+            compress: false
+
+      - port: 9090
+        tls: false
+        bind_addresses: ['::']
+        type: http
+        resources:
+          - names: [metrics]
+            compress: false
+
+      - port: 9093
+        tls: false
+        bind_addresses: ['::']
+        type: http
+        resources:
+          - names: [replication]
+            compress: false
+
+    ## Performance ##
+
+    event_cache_size: {{ .Values.config.eventCacheSize | default "10K" | quote }}
+
+    ## Ratelimiting ##
+
+    rc_messages_per_second: 0.2
+    rc_message_burst_count: 10.0
+    federation_rc_window_size: 1000
+    federation_rc_sleep_limit: 10
+    federation_rc_sleep_delay: 500
+    federation_rc_reject_limit: 50
+    federation_rc_concurrent: 3
+
+    ## Files ##
+
+    media_store_path: "/synapse/data/media"
+    uploads_path: "/synapse/data/uploads"
+    max_upload_size: {{ .Values.config.maxUploadSize | default "10M" | quote }}
+    max_image_pixels: "32M"
+    dynamic_thumbnails: false
+
+    # List of thumbnail to precalculate when an image is uploaded.
+    thumbnail_sizes:
+    - width: 32
+      height: 32
+      method: crop
+    - width: 96
+      height: 96
+      method: crop
+    - width: 320
+      height: 240
+      method: scale
+    - width: 640
+      height: 480
+      method: scale
+    - width: 800
+      height: 600
+      method: scale
+
+    url_preview_enabled: false
+    max_spider_size: "10M"
+
+    {{- if .Values.config.recaptcha }}
+    ## Captcha ##
+
+    recaptcha_public_key: {{ .Values.config.recaptcha.publicKey | quote }}
+    enable_registration_captcha: True
+    recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+    {{- end }}
+
+    {{- if .Values.config.turnUris }}
+    ## Turn ##
+
+    turn_uris:
+      {{ toYaml .Values.config.turnUris | nindent 6 }}
+    turn_user_lifetime: "1h"
+    turn_allow_guests: True
+    {{- end }}
+
+    ## Registration ##
+
+    enable_registration: {{ .Values.config.enableRegistration | default false }}
+    bcrypt_rounds: 12
+    allow_guest_access: {{ .Values.config.allowGuests | default false }}
+    enable_group_creation: true
+
+    ## Metrics ###
+
+    enable_metrics: True
+    report_stats: {{ .Values.config.reportStats | default false }}
+
+    ## API Configuration ##
+
+    room_invite_state_types:
+      - "m.room.join_rules"
+      - "m.room.canonical_alias"
+      - "m.room.avatar"
+      - "m.room.name"
+
+    expire_access_token: False
+
+    ## Signing Keys ##
+
+    signing_key_path: "/synapse/keys/signing.key"
+    old_signing_keys: {}
+    key_refresh_interval: "1d" # 1 Day.
+
+    # The trusted servers to download signing keys from.
+    perspectives:
+      servers:
+{{ .Values.config.perspectiveServers | toYaml | indent 8 }}
+
+    ## Workers ##
+{{- $default := .Values.workers.default -}}
+{{- range $worker, $config := .Values.workers -}}
+{{- if $config.enabled -}}
+{{- if eq $worker "pusher" }}
+    start_pushers: false
+{{- else if eq $worker "appservice" }}
+    notify_appservices: false
+{{- else if eq $worker "federation_sender" }}
+    send_federation: false
+{{- else if eq $worker "media_repository" }}
+    enable_media_repo: false
+{{- else if eq $worker "user_dir" }}
+    update_user_directory: false
+{{- end }}
+{{- end }}
+{{- end }}
+
+    {{- with .Values.extraConfig }}
+    ## Extra config ##
+
+    {{ . | toYaml }}
+    {{- end }}
+
+{{- $default := .Values.workers.default -}}
+{{- range $worker, $config := .Values.workers -}}
+{{- if $config.enabled -}}
+{{- $name := $worker | replace "_" "-" }}
+
+  {{ $name }}.worker: |
+    worker_app: "synapse.app.{{ $worker }}"
+
+    # The replication listener on the synapse to talk to.
+    worker_main_http_uri: http://{{ include "matrix-synapse.fullname" $ }}:8008
+    worker_replication_host: {{ include "matrix-synapse.replicationname" $ | quote }}
+    worker_replication_http_port: 9093
+
+    {{- if or $config.listeners ($config.metrics | default $default.metrics) }}
+    worker_listeners:
+    {{- if $config.listeners }}
+      - type: http
+        tls: false
+        port: 8083
+        resources:
+          - names:
+              {{ toYaml $config.listeners | nindent 14 }}
+            compress: false
+    {{- end }}
+    {{- if $config.metrics | default $default.metrics }}
+      - type: http
+        bind_addresses: ['0.0.0.0']
+        tls: false
+        port: 9090
+        resources:
+          - names: [metrics]
+            compress: false
+    {{- end }}
+    {{- end }}
+
+    worker_log_config: /synapse/config/log.yaml
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/templates/deployment.yaml b/charts-wip/matrix-synapse/templates/deployment.yaml
new file mode 100644
index 0000000..a6429fe
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/deployment.yaml
@@ -0,0 +1,246 @@
+{{- if not .Values.config.serverName -}}
+{{- fail "A valid .Values.config.serverName is required" -}}
+{{- end -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "matrix-synapse.fullname" . }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    component: synapse
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
+      component: synapse
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") . | sha256sum }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+      labels:
+        {{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
+        component: synapse
+    spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          command:
+            - sh
+            - -c
+            - |
+              cat /synapse/secrets/*.yaml | \
+                sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
+                    -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
+                       > /synapse/config/conf.d/secrets.yaml
+
+              /matrix-synapse $@
+          args:
+            - synapse.app.homeserver
+          env:
+          {{- if .Values.postgresql.enabled }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "matrix-synapse.postgresql.fullname" . }}
+                  key: postgresql-password
+          {{- end }}
+          {{- if and .Values.redis.enabled (default .Values.redis.usePassword true) }}
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "matrix-synapse.redis.fullname" . }}
+                  key: redis-password
+          {{- end }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8008
+              protocol: TCP
+            - name: replication
+              containerPort: 9093
+              protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /_matrix/client/versions
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /_matrix/client/versions
+              port: http
+          volumeMounts:
+            - name: config
+              mountPath: /synapse/config
+            - name: tmpconf
+              mountPath: /synapse/config/conf.d
+            - name: secrets
+              mountPath: /synapse/secrets
+            - name: signingkey
+              mountPath: /synapse/keys
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "matrix-synapse.fullname" . }}
+        - name: secrets
+          secret:
+            secretName: {{ include "matrix-synapse.fullname" . }}
+        - name: signingkey
+          secret:
+            secretName: {{ default .Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" . "worker" "signingkey")) | quote }}
+            items:
+              - key: {{ default .Values.signingkey.existingSecretKey "signing.key" | quote }}
+                path: signing.key
+        - name: tmpconf
+          emptyDir: {}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+
+{{- $default := .Values.workers.default }}
+{{- range $worker, $config := .Values.workers }}
+{{- if $config.enabled }}
+{{- $name := $worker | replace "_" "-" }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
+  labels:
+    {{- include "matrix-synapse.labels" $ | nindent 4 }}
+    component: worker
+    worker: {{ $name }}
+spec:
+  replicas: {{ $config.replicaCount | default $default.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "matrix-synapse.selectorLabels" $ | nindent 6 }}
+      component: worker
+      worker: {{ $name }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configuration.yaml") $ | sha256sum }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") $ | sha256sum }}
+      labels:
+        {{- include "matrix-synapse.selectorLabels" $ | nindent 8 }}
+        component: worker
+        worker: {{ $name }}
+    spec:
+    {{- with $.Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      securityContext:
+        {{- $config.podSecurityContext | default $default.podSecurityContext | toYaml | nindent 8 }}
+      containers:
+        - name: {{ $name }}
+          command:
+            - sh
+            - -c
+            - |
+              cat /synapse/secrets/*.yaml | \
+                sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \
+                    -e "s/@@REDIS_PASSWORD@@/${REDIS_PASSWORD:-}/" \
+                       > /synapse/config/conf.d/secrets.yaml
+
+              /matrix-synapse synapse.app.{{ $worker }} -c /synapse/config/{{ $name }}.worker
+          securityContext:
+            {{- $config.securityContext | default $default.securityContext | toYaml | nindent 12 }}
+          image: "{{ $.Values.image.repository }}:{{ $.Chart.AppVersion }}"
+          imagePullPolicy: {{ $.Values.image.pullPolicy }}
+          ports:
+          {{- if $config.metrics | default $default.metrics }}
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          {{- end }}
+          {{- if $config.listeners }}
+            - name: listener
+              containerPort: 8083
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: listener
+          readinessProbe:
+            tcpSocket:
+              port: listener
+          {{- end }}
+          resources:
+            {{- $config.resources | default $default.resources | toYaml | nindent 12 }}
+          volumeMounts:
+            - name: config
+              mountPath: /synapse/config
+            - name: tmpconf
+              mountPath: /synapse/config/conf.d
+            - name: secrets
+              mountPath: /synapse/secrets
+            - name: signingkey
+              mountPath: /synapse/keys
+          {{- if eq $name "media-repository" }}
+            - name: media
+              mountPath: /synapse/data
+          {{- end }}
+          {{- with $config.volumeMounts | default $default.volumeMounts }}
+            {{ . | toYaml | nindent 12 }}
+          {{- end }}
+      {{- with $config.nodeSelector | default $default.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with $config.affinity | default $default.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $config.tolerations | default $default.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "matrix-synapse.fullname" $ }}
+        - name: secrets
+          secret:
+            secretName: {{ include "matrix-synapse.fullname" $ }}
+        - name: signingkey
+          secret:
+            secretName: {{ default $.Values.signingkey.existingSecret (include "matrix-synapse.workername" (dict "global" $ "worker" "signingkey")) | quote }}
+            items:
+              - key: {{ default $.Values.signingkey.existingSecretKey "signing.key" | quote }}
+                path: signing.key
+        - name: tmpconf
+          emptyDir: {}
+      {{- if eq $name "media-repository" }}
+        - name: media
+          persistentVolumeClaim:
+            claimName: 
+      {{- end }}
+      {{- with $config.volumes }}
+        {{ . | toYaml | nindent 8 }}
+      {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/templates/ingress.yaml b/charts-wip/matrix-synapse/templates/ingress.yaml
new file mode 100644
index 0000000..5f418d7
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/ingress.yaml
@@ -0,0 +1,77 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "matrix-synapse.fullname" . -}}
+{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- if default .Values.ingress.includeServerName true }}
+    {{- $hosts := concat (list .Values.config.serverName) .Values.ingress.hosts }}
+  {{- else }}
+    {{- $hosts := .Values.ingress.hosts }}
+  {{- end }}
+  {{- range $hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+        {{- $default := $.Values.workers.default }}
+        {{- range $worker, $config := $.Values.workers }}
+          {{- $name := $worker | replace "_" "-" }}
+          {{- if and $config.enabled $config.listeners $config.paths }}
+            {{- $service := include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
+            {{- range $config.paths }}
+              {{- if $.Values.ingress.traefikPaths }}
+          - path: {{ printf "/{path:%s}" (trimPrefix "/" .) | quote }}
+            backend:
+              serviceName: {{ $service }}
+              servicePort: 8083
+              {{- else }}
+          - path: {{ . | quote }}
+            backend:
+              serviceName: {{ $service }}
+              servicePort: 8083
+              {{- end }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+
+          - path: /_matrix
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: 8008
+
+          - path: /.well-known/matrix/client
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: 8008
+
+        {{- if $.Values.wellknown.enabled }}
+          - path: /.well-known/matrix/server
+            backend:
+              serviceName: {{ $wkName }}
+              servicePort: 80
+        {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/templates/secrets.yaml b/charts-wip/matrix-synapse/templates/secrets.yaml
new file mode 100644
index 0000000..3574279
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/secrets.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "matrix-synapse.fullname" . }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+stringData:
+  config.yaml: |
+    {{- if .Values.config.recaptcha }}
+    ## Captcha ##
+
+    recaptcha_private_key: {{ .Values.config.recaptcha.privateKey | quote }}
+    {{- end }}
+
+    {{- if .Values.config.turnSecret }}
+    ## Turn ##
+
+    turn_shared_secret: {{ .Values.config.turnSecret | quote }}
+    {{- end }}
+
+    ## Registration ##
+
+    registration_shared_secret: {{ .Values.config.registrationSharedSecret | quote }}
+
+    ## API Configuration ##
+
+    macaroon_secret_key: {{ required "You must specify a macaroon as config.macaroonSecretKey" .Values.config.macaroonSecretKey | quote }}
+
+{{- $postgresHost := include "matrix-synapse.postgresql.host" . }}
+{{- $postgresDB   := include "matrix-synapse.postgresql.database" . }}
+{{- $postgresUser := include "matrix-synapse.postgresql.username" . }}
+{{- $postgresPort := include "matrix-synapse.postgresql.port" . }}
+{{- $postgresPass := include "matrix-synapse.postgresql.password" . }}
+  database.yaml: |
+    ## Database configuration ##
+
+    database:
+      name: "psycopg2"
+      args:
+        user: {{ $postgresUser | quote }}
+        {{- if $postgresPass }}
+        password: {{ $postgresPass | quote }}
+        {{- else }}
+        password: "@@POSTGRES_PASSWORD@@"
+        {{- end }}
+        database: {{ $postgresDB | quote }}
+        host: {{ $postgresHost | quote }}
+        port: {{ $postgresPort }}
+        cp_min: 5
+        cp_max: 10
+
+{{- $redisHost := include "matrix-synapse.redis.host" . }}
+{{- $redisPort := include "matrix-synapse.redis.port" . }}
+{{- $redisPass := include "matrix-synapse.redis.password" . }}
+{{- if $redisHost }}
+  redis.yaml: |
+    ## Redis configuration ##
+
+    redis:
+      enabled: true
+      host: {{ $redisHost | quote }}
+      {{- if or .Values.redis.password .Values.externalRedis.password }}
+      {{- if $redisPass }}
+      password: {{ $redisPass | quote }}
+      {{- else }}
+      password: "@@REDIS_PASSWORD@@"
+      {{- end }}
+      {{- end }}
+{{- end }}
+{{- if not .Values.signingkey.existingSecret }}
+{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey") }}
+{{- if not (lookup "v1" "Secret" .Release.Namespace $name) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    job: {{ $name }}
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/templates/service.yaml b/charts-wip/matrix-synapse/templates/service.yaml
new file mode 100644
index 0000000..ba7595c
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/service.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "matrix-synapse.fullname" . }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8008
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    component: synapse
+    {{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "matrix-synapse.replicationname" . }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9093
+      targetPort: replication
+      protocol: TCP
+      name: replication
+  selector:
+    {{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
+    component: synapse
+{{- $default := .Values.workers.default }}
+{{- range $worker, $config := .Values.workers }}
+{{- if and $config.enabled $config.listeners }}
+{{- $name := $worker | replace "_" "-" }}
+{{- $release := $.Release.Name }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "matrix-synapse.workername" (dict "global" $ "worker" $name) }}
+  labels:
+    {{- include "matrix-synapse.labels" $ | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8083
+      targetPort: listener
+      protocol: TCP
+      name: listener
+  selector:
+    {{- include "matrix-synapse.selectorLabels" $ | nindent 4 }}
+    component: worker
+    worker: {{ $name }}
+{{- end }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/templates/signing-key-job.yaml b/charts-wip/matrix-synapse/templates/signing-key-job.yaml
new file mode 100644
index 0000000..15ee0a2
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/signing-key-job.yaml
@@ -0,0 +1,115 @@
+{{- if and .Values.signingkey.job.enabled (not .Values.signingkey.existingSecret) }}
+{{- $name := include "matrix-synapse.workername" (dict "global" . "worker" "signingkey-job") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $name }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    component: job
+    job: signing-key-generation
+spec:
+  template:
+    metadata:
+      labels:
+        {{- include "matrix-synapse.labels" . | nindent 8 }}
+        component: job
+        job: signing-key-generation
+    spec:
+      containers:
+        - command:
+            - sh
+            - -c
+            - |
+              echo "Copying key upload script..."
+              cp /key-upload /scripts/
+              echo "Generating signing key..."
+              /usr/local/bin/generate_signing_key.py -o /synapse/keys/signing.key
+          image: "{{ .Values.image.repository }}:{{ include "matrix-synapse.imageTag" . }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          name: signing-key-generate
+          resources:
+            requests:
+              memory: 10Mi
+              cpu: 10m
+            limits:
+              memory: 25Mi
+              cpu: 100m
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+            - mountPath: /synapse/keys
+              name: matrix-synapse-keys
+        - command:
+            - sh
+            - -c
+            - |
+              printf "Checking rights to create secret... "
+              kubectl auth can-i create secret/${SECRET_NAME}
+              echo "Waiting for key upload script"
+              while ! [ -f /scripts/key-upload ]; do sleep 1; done
+              /scripts/key-upload
+          env:
+            - name: SECRET_NAME
+              value: {{ $name }}
+          image: bitnami/kubectl
+          name: signing-key-upload
+          resources:
+            requests:
+              memory: 10Mi
+              cpu: 10m
+            limits:
+              memory: 50Mi
+              cpu: 100m
+          volumeMounts:
+            - mountPath: /scripts
+              name: scripts
+              readOnly: true
+            - mountPath: /synapse/keys
+              name: matrix-synapse-keys
+              readOnly: true
+      restartPolicy: Never
+      serviceAccount: {{ $name }}
+      volumes:
+        - name: scripts
+          emptyDir: {}
+        - name: matrix-synapse-keys
+          emptyDir: {}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/templates/tests/test-connection.yaml b/charts-wip/matrix-synapse/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..59b4a7a
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/tests/test-connection.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "matrix-synapse.fullname" . }}-test-connection"
+  labels:
+{{ include "matrix-synapse.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args:  ['{{ include "matrix-synapse.fullname" . }}:8008/_matrix/client/versions']
+  restartPolicy: Never
diff --git a/charts-wip/matrix-synapse/templates/well-known.yaml b/charts-wip/matrix-synapse/templates/well-known.yaml
new file mode 100644
index 0000000..8fe8ff3
--- /dev/null
+++ b/charts-wip/matrix-synapse/templates/well-known.yaml
@@ -0,0 +1,101 @@
+{{- if .Values.wellknown.enabled }}
+{{- $wkName := include "matrix-synapse.workername" (dict "global" . "worker" "wellknown-lighttpd") -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $wkName }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    component: well-known
+data:
+  lighttpd.conf: |
+    var.basedir  = "/var/www/localhost"
+    var.logdir   = "/var/log/lighttpd"
+    var.statedir = "/var/lib/lighttpd"
+    server.modules = (
+      "mod_rewrite",
+      "mod_status",
+      "mod_accesslog"
+    )
+    include "mime-types.conf"
+    server.username      = "lighttpd"
+    server.groupname     = "lighttpd"
+    server.document-root = var.basedir + "/htdocs"
+    server.pid-file      = "/run/lighttpd.pid"
+    server.errorlog      = "/dev/stderr"
+    status.status-url    = "/server-status"
+    url.rewrite-once     = (
+      "^/\.well-known/matrix/server" => "/server.json"
+    )
+    accesslog.filename   = "/dev/stderr"
+
+  server.json: |-
+{{ dict "m.server" (printf "%s:%d" (default .Values.wellknown.host .Values.config.serverName) (default .Values.wellknown.port 443)) | toJson | indent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $wkName }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    component: well-known
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "matrix-synapse.selectorLabels" . | nindent 4 }}
+    component: well-known
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $wkName }}
+  labels:
+    {{- include "matrix-synapse.labels" . | nindent 4 }}
+    component: well-known
+spec:
+  replicas: {{ default .Values.wellknown.replicaCount 1 }}
+  selector:
+    matchLabels:
+      {{- include "matrix-synapse.selectorLabels" . | nindent 6 }}
+      component: well-known
+  template:
+    metadata:
+      annotations:
+        checksum/server-addr: {{ sha256sum (printf "%s:%d" (default .Values.wellknown.host .Values.config.serverName) (default .Values.wellknown.port 443)) }}
+      labels:
+        {{- include "matrix-synapse.selectorLabels" . | nindent 8 }}
+        component: well-known
+    spec:
+      containers:
+        - name: lighttpd
+          image: m4rcu5/lighttpd
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          readinessProbe:
+            tcpSocket:
+              port: http
+          livenessProbe:
+            httpGet:
+              path: /server-status
+              port: http
+          volumeMounts:
+            - mountPath: /etc/lighttpd/lighttpd.conf
+              name: files
+              subPath: lighttpd.conf
+            - mountPath: /var/www/localhost/htdocs/server.json
+              name: files
+              subPath: server.json
+      volumes:
+        - name: files
+          configMap:
+            name: {{ $wkName }}
+{{- end }}
diff --git a/charts-wip/matrix-synapse/values.yaml b/charts-wip/matrix-synapse/values.yaml
new file mode 100644
index 0000000..c38d9f0
--- /dev/null
+++ b/charts-wip/matrix-synapse/values.yaml
@@ -0,0 +1,312 @@
+---
+# Docker image configuration, used for Synapse and workers
+image:
+  repository: ananace/matrix-synapse
+  # tag: ''
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+signingkey:
+  job:
+    enabled: true
+
+  # existingSecret:
+  # existingSecretKey:
+
+config:
+  # serverName: 'example.com'
+  eventCacheSize: 10K
+  maxUploadSize: 10M
+
+  logLevel: INFO
+
+  # recaptcha:
+  #   publicKey:
+  #   privateKey:
+
+  # turnUris: []
+  turnSecret: ''
+
+  enableRegistration: false
+  registrationSharedSecret: ''
+  allowGuests: false
+
+  reportStats: false
+
+  federationBlacklistIPs:
+    - '127.0.0.0/8'
+    - '10.0.0.0/8'
+    - '172.16.0.0/12'
+    - '192.168.0.0/16'
+    - '100.64.0.0/10'
+    - '169.254.0.0/16'
+    - '::1/128'
+    - 'fe80::/64'
+    - 'fc00::/7'
+
+  thirdPartyIDServers:
+    - matrix.org
+    - vector.im
+
+  perspectiveServers:
+    matrix.org:
+      verify_keys:
+        ed25519:auto:
+          key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+
+# Specify arbitrary synapse configuration;
+extraConfig: {}
+#  use_presence: false
+#  enable_search: false
+#  federation_domain_whitelist:
+#    - lon.example.com
+#    - nyc.example.com
+#    - syd.example.com
+
+wellknown:
+  enabled: false
+  # host: matrix.example.com
+  # port: 443
+
+postgresql:
+  enabled: true
+  nameOverride: synapse-postgresql
+
+  postgresqlUsername: synapse
+  postgresqlDatabase: synapse
+
+  postgresqlInitdbArgs: "--lc-collate=C --lc-ctype=C"
+
+  persistence:
+    size: 16G
+
+externalPostgresql:
+  # host: postgres
+  port: 5432
+  username: synapse
+  # password: synapse
+  database: synapse
+  # sslMode: require
+
+redis:
+  enabled: true
+  nameOverride: synapse-redis
+
+  # usePassword: false
+  # password: synapse
+  cluster:
+    enabled: false
+  master:
+    persistence:
+      enabled: false
+    statefulset:
+      updateStrategy: RollingUpdate
+
+externalRedis:
+  # host: redis
+  port: 6379
+  # password: synapse
+
+# Configuration for handling Synapse workers, which are useful for handling
+# high-load deployments.
+# More information is available at;
+# https://github.com/matrix-org/synapse/blob/master/docs/workers.md
+workers:
+  # Default configuration, this is inherited into all workers
+  default:
+    # The number of worker replicas, note that some workers require special
+    # handling. Refer to the information URL above.
+    replicaCount: 1
+
+    # Should workers provide Prometheus metrics.
+    metrics: false
+
+    # Additional volume mounts to add to the worker.
+    # Useful for the media repo.
+    volumeMounts: {}
+
+    # Additional volumes to add to the worker.
+    # Useful for the media repo.
+    volumes: {}
+
+    podSecurityContext: {}
+    #   fsGroup: 666
+    #   runAsGroup: 666
+    #   runAsUser: 666
+    securityContext: {}
+    #   capabilities:
+    #     drop:
+    #       - ALL
+    #   readOnlyRootFilesystem: true
+    #   runAsNonRoot: true
+    #   runAsUser: 666
+    resources: {}
+    #   limits:
+    #     cpu: 100m
+    #     memory: 128Mi
+    #   requests:
+    #     cpu: 100m
+    #     memory: 128Mi
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+
+  # The generic worker can be used to handle most endpoints.
+  # Be careful when enabling the sync endpoints as they can eat large amounts of
+  # resources. Refer to the information URL above for more info.
+  # Proper load balancing with the K8s Ingress resource may not be possible.
+  generic_worker:
+    enabled: false
+    listeners: [client, federation]
+    paths:
+    # - "/_matrix/client/(v2_alpha|r0)/sync"
+      - "/_matrix/client/(api/v1|v2_alpha|r0)/events"
+    # - "/_matrix/client/(api/v1|r0)/initialSync"
+    # - "/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync"
+      - "/_matrix/federation/v1/event/"
+      - "/_matrix/federation/v1/state/"
+      - "/_matrix/federation/v1/state_ids/"
+      - "/_matrix/federation/v1/backfill/"
+      - "/_matrix/federation/v1/get_missing_events/"
+      - "/_matrix/federation/v1/publicRooms"
+      - "/_matrix/federation/v1/query/"
+      - "/_matrix/federation/v1/make_join/"
+      - "/_matrix/federation/v1/make_leave/"
+      - "/_matrix/federation/v1/send_join/"
+      - "/_matrix/federation/v2/send_join/"
+      - "/_matrix/federation/v1/send_leave/"
+      - "/_matrix/federation/v2/send_leave/"
+      - "/_matrix/federation/v1/invite/"
+      - "/_matrix/federation/v2/invite/"
+      - "/_matrix/federation/v1/query_auth/"
+      - "/_matrix/federation/v1/event_auth/"
+      - "/_matrix/federation/v1/exchange_third_party_invite/"
+      - "/_matrix/federation/v1/user/devices/"
+      - "/_matrix/federation/v1/get_groups_publicised"
+      - "/_matrix/key/v2/query"
+      - "/_matrix/federation/v1/send/"
+      - "/_matrix/client/(api/v1|r0|unstable)/publicRooms"
+      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members"
+      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*"
+      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members"
+      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state"
+      - "/_matrix/client/(api/v1|r0|unstable)/account/3pid"
+      - "/_matrix/client/(api/v1|r0|unstable)/keys/query"
+      - "/_matrix/client/(api/v1|r0|unstable)/keys/changes"
+      - "/_matrix/client/versions"
+      - "/_matrix/client/(api/v1|r0|unstable)/voip/turnServer"
+      - "/_matrix/client/(api/v1|r0|unstable)/joined_groups"
+      - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups"
+      - "/_matrix/client/(api/v1|r0|unstable)/publicised_groups/"
+      - "/_matrix/client/(api/v1|r0|unstable)/login"
+      - "/_matrix/client/(r0|unstable)/register"
+      - "/_matrix/client/(r0|unstable)/auth/.*/fallback/web"
+      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send"
+      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/"
+      - "/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)"
+      - "/_matrix/client/(api/v1|r0|unstable)/join/"
+      - "/_matrix/client/(api/v1|r0|unstable)/profile/"
+
+  # This worker deals with pushing notifications.
+  # NB; Only one instance of this worker can be run at a time, refer to the
+  # information URL above.
+  pusher:
+    enabled: false
+
+  # This worker handles sending data to registered appservices.
+  # NB; Only one instance of this worker can be run at at time, refer to the
+  # information URL above.
+  appservice:
+    enabled: false
+
+  # This worker handles sending federation traffic to other Synapse servers.
+  federation_sender:
+    enabled: false
+
+  # This worker deals with serving and storing media.
+  # NB; Running multiple instances will conflict with background jobs.
+  media_repository:
+    enabled: false
+    listeners: [media]
+    paths:
+      - "/_matrix/media/"
+      - "/_synapse/admin/v1/purge_media_cache"
+      - "/_synapse/admin/v1/room/.*/media.*"
+      - "/_synapse/admin/v1/user/.*/media.*"
+      - "/_synapse/admin/v1/media/.*"
+      - "/_synapse/admin/v1/quarantine_media/.*"
+
+  # This worker deals with user directory searches.
+  user_dir:
+    enabled: false
+    listeners: [client]
+    paths:
+      - "/_matrix/client/(api/v1|r0|unstable)/user_directory/search"
+
+  # This worker handles key uploads, and may also stub out presence if that is
+  # disabled. If you set extraConfig.use_presence=false then you may want to
+  # uncomment the second path.
+  frontend_proxy:
+    enabled: false
+    listeners: [client]
+    paths:
+      - "/_matrix/client/(api/v1|r0|unstable)/keys/upload"
+    # - "/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status"
+
+podSecurityContext: {}
+#  fsGroup: 666
+#  runAsGroup: 666
+#  runAsUser: 666
+
+securityContext: {}
+#  capabilities:
+#    drop:
+#    - ALL
+#  readOnlyRootFilesystem: true
+#  runAsNonRoot: true
+#  runAsUser: 666
+
+ingress:
+  enabled: true
+
+  # Generate traefik-compatible regex paths instead of nginx-compatible ones
+  traefikPaths: false
+
+  # Annotations to apply to the created ingress resource
+  annotations:
+    nginx.ingress.kubernetes.io/use-regex: "true"
+  #  kubernetes.io/ingress.class: nginx
+  #  kubernetes.io/tls-acme: "true"
+
+  # Additional hosts to add to the ingress configuration
+  # NB; config.serverName is included if includeServerName is set (default)
+  hosts: []
+  #  - matrix.example.com
+
+  # Should config.serverName be included in the list of ingress paths, can be
+  # set to false if the main domain is managed in some external way.
+  # includeServerName: false
+
+  # TLS configuration to include in the ingress configuration
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - example.com
+  #      - matrix.example.com
+
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}