Please find attached the .service I am using on Debian 11.
You don't need all of this crap, I guess.

 * The msmtp stuff is only needed if you have a git post-commit hook that
   makes git send an email.

 * The nginx stuff is only needed if you want to have >1 web app on the
   standard port.

 * The tmpfiles stuff (and git config core.sharedRepository)
   is only needed if users want to bypass the web UI and edit .pages directly.
   It's also a bit broken (adds needless execute permissions) right now.

 * The theme stuff is only needed if you hate the default theme.
   https://github.com/trentbuck/gitit-bootstrap-theme/


For simple cases, you could probably replace the sysusers file with DynamicUser=yes,
and just have gitit store all its state in /var/lib/gitit (StateDirectory=%p).


The only issue I've had with this setup so far is gitit claiming static files
disappear, when they don't.
There's no user-visible impact when this happens.
It wasn't happening on the old (2010-era) gitit install I had running under upstart.

    -- Journal begins at Sat 2022-08-06 18:32:36 AEST, ends at Tue 2022-10-04 15:29:20 AEDT. --
    Sep 26 12:54:20 heavy systemd[1]: Started gitit.service.
    Sep 26 12:55:19 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
    Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/bootstrap4/css/bootstrap.min.css: withFd: resource vanished (Broken pipe)
    Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
    Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
    Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
    Sep 26 12:55:41 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
    Sep 26 12:55:46 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
    Sep 26 16:26:34 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
    Sep 26 18:00:09 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
    Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
    Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
    Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/fonts-fork-awesome/fonts/forkawesome-webfont.woff2: withFd: resource vanished (Broken pipe)
    Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Connection reset by peer)
    Sep 27 12:53:13 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
    Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/js/footnotes.js: withFd: resource vanished (Broken pipe)
    Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
    Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
    Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
    Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
    Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
    Sep 28 19:25:00 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
    Sep 28 19:25:27 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
    Sep 29 10:02:17 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
    Oct 03 06:44:23 heavy systemd[1]: Stopping gitit.service...
    Oct 03 06:44:23 heavy systemd[1]: gitit.service: Succeeded.
    Oct 03 06:44:23 heavy systemd[1]: Stopped gitit.service.
    Oct 03 06:44:23 heavy systemd[1]: gitit.service: Consumed 8h 33min 81ms CPU time.
    Oct 03 06:44:23 heavy systemd[1]: Started gitit.service.
    Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
    Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
    Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
    Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
    Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
    Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/sidebar.js: withFd: resource vanished (Broken pipe)
    Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
    Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
    Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/footnotes.js: withFd: resource vanished (Broken pipe)
    Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
    Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/bootstrap4/css/bootstrap.min.css: withFd: resource vanished (Broken pipe)
    Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
    Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
    Oct 04 13:48:29 heavy gitit[1990076]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
    Oct 04 13:55:23 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
    Oct 04 14:28:10 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
    Oct 04 14:28:10 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
    Oct 04 14:28:17 heavy gitit[1990076]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
    Oct 04 14:29:48 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
    Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
    Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
    Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
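Added example (not part of the original mail): a small triage of the journal lines above. GHC reports EPIPE and ECONNRESET from a write as "resource vanished", so the file named in such a line is what gitit was streaming to a client that hung up, not a file that went missing; a genuine ENOENT would read "does not exist". The ENOENT line in the sample is constructed.

```python
"""Triage gitit's "HTTP request failed with: ..." journal lines.

Added example, not part of the original mail.  GHC reports EPIPE and
ECONNRESET from a write() as "resource vanished", so the file named in
such a line is what gitit was streaming to a client that hung up, not a
file that went missing; a real ENOENT reads "does not exist".
"""
import re
from collections import Counter

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) gitit\[(?P<pid>\d+)\]: "
    r"HTTP request failed with: (?P<detail>.*)$"
)
# "/path: withFd: resource vanished (...)"          -> static file being sent
# "Network.Socket.sendBuf: resource vanished (...)" -> dynamic page being sent
VANISHED_RE = re.compile(
    r"^(?:(?P<path>/\S+): withFd|(?P<op>\S+)): resource vanished \((?P<errno>[^)]+)\)$"
)
# GHC's ENOENT text, e.g. "/path: openFile: does not exist (No such file or directory)"
MISSING_RE = re.compile(r"^(?P<path>/\S+): \w+: does not exist \((?P<errno>[^)]+)\)$")


def parse_failure(line):
    """Describe one failure line; None for journal lines that are not gitit failures."""
    m = FAIL_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "pid": int(m["pid"]), "path": None, "errno": None}
    detail = m["detail"]
    if v := VANISHED_RE.match(detail):
        # The peer closed the socket while gitit was still writing to it.
        rec.update(kind="client-hangup", path=v["path"], errno=v["errno"])
    elif n := MISSING_RE.match(detail):
        rec.update(kind="missing-file", path=n["path"], errno=n["errno"])
    else:
        rec.update(kind="other", detail=detail)
    return rec


def summarize(lines):
    """Counts that separate 'files vanishing' from 'clients hanging up'."""
    recs = [r for r in map(parse_failure, lines) if r]
    return {
        "client_hangups": sum(r["kind"] == "client-hangup" for r in recs),
        "missing_files": sum(r["kind"] == "missing-file" for r in recs),
        "other": sum(r["kind"] == "other" for r in recs),
        "by_errno": Counter(r["errno"] for r in recs if r["errno"]),
        "by_path": Counter(r["path"] for r in recs if r["path"]),
    }


# Four lines copied from the journal above, one unrelated systemd line, and one
# CONSTRUCTED line showing what a genuinely missing file would look like.
SAMPLE = """\
Sep 26 12:55:19 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Connection reset by peer)
Sep 27 12:53:13 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Oct 03 06:44:23 heavy systemd[1]: Started gitit.service.
Oct 04 00:00:00 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/missing.css: openFile: does not exist (No such file or directory)
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```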
[Service]
ExecStart=gitit --config-file=/etc/gitit.conf
[Install]
WantedBy=multi-user.target

# Hardening
[Service]
User=%p
LogsDirectory=%p
StateDirectory=%p
RuntimeDirectory=%p
WorkingDirectory=/run/%p
CacheDirectory=%p
ConfigurationDirectory=%p
ReadWritePaths=/srv/vcs/kb

# FIXME: gitit cannot listen on gitit.sock or systemd socket-activate yet.
#          https://github.com/jgm/gitit/issues/675
#        therefore we cannot do
#          PrivateNetwork=yes
#          RestrictAddressFamilies=~AF_INET
#          RestrictAddressFamilies=~AF_INET6
#          IPAddressDeny=any
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
DevicePolicy=closed
IPAddressDeny=any
IPAddressAllow=localhost
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
ProtectHostname=yes
ProcSubset=pid
  NAME                                                        DESCRIPTION                                                         EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network  0.5
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets  0.3
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock
✗ DeviceAllow=                                                Service has a device ACL with some special devices  0.1
✗ IPAddressDeny=                                              Service defines IP address allow list with only localhost entries  0.1
✓ KeyringMode=                                                Service doesn't share key material with other services
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges
✓ NotifyAccess=                                               Service child processes cannot alter service state
✓ PrivateDevices=                                             Service has no access to hardware devices
✓ PrivateMounts=                                              Service cannot install system mounts
✓ PrivateTmp=                                                 Service has no access to other software's temporary files
✓ PrivateUsers=                                               Service does not have access to other users
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock
✓ ProtectControlGroups=                                       Service cannot modify the control group file system
✓ ProtectHome=                                                Service has no access to home directories
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)
✓ ProtectProc=                                                Service has restricted access to process tree (/proc hidepid=)
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI
✓ SystemCallFilter=~@clock                                    System call allow list defined for service, and @clock is not included
✓ SystemCallFilter=~@debug                                    System call allow list defined for service, and @debug is not included
✓ SystemCallFilter=~@module                                   System call allow list defined for service, and @module is not included
✓ SystemCallFilter=~@mount                                    System call allow list defined for service, and @mount is not included
✓ SystemCallFilter=~@raw-io                                   System call allow list defined for service, and @raw-io is not included
✓ SystemCallFilter=~@reboot                                   System call allow list defined for service, and @reboot is not included
✓ SystemCallFilter=~@swap                                     System call allow list defined for service, and @swap is not included
✓ SystemCallFilter=~@privileged                               System call allow list defined for service, and @privileged is not included
✓ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is not included
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted
✓ SystemCallFilter=~@cpu-emulation                            System call allow list defined for service, and @cpu-emulation is not included
✓ SystemCallFilter=~@obsolete                                 System call allow list defined for service, and @obsolete is not included
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets  0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory  0.1
✓ SupplementaryGroups=                                        Service has no supplementary groups
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree
✓ LockPersonality=                                            Service cannot change ABI personality
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces
✓ UMask=                                                      Files created by service are accessible only by service's own user by default
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()
✓ ProtectHostname=                                            Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets  0.1
✓ ProcSubset=                                                 Service has no access to non-process /proc files (/proc subset=)

→ Overall exposure level for gitit.service: 1.0 OK 🙂
# Tell systemd to create system user 'gitit'
u gitit - - -
# Tell systemd to grant user 'gitit' write access to KB repo

# FIXME: this was not working.
#        When browsing to gitit, the browser got back this:
#            "git: runProcess: runInteractiveProcess: chdir: permission denied (Permission denied)"
#        That was while the files looked like this:
#
#            $ ls -la /srv/vcs/kb
#            total 32
#            drwxrwSr-x+ 3 twb  cyber  4 Sep  9 23:10  .
#            drwxrwsr-x  3 root cyber  3 Sep  9 23:10  ..
#            drwxrwSr-x+ 8 twb  cyber 13 Sep  9 23:10  .git
#            -rw-rw-r--+ 1 twb  cyber 26 Sep  9 23:10 'Knowledge Base.page'
#
#        However a simple "sudo chown -Rh gitit:cyber /srv/vcs/kb" worked...
#
# A /srv/vcs/kb - - - - d:user:gitit:rwx,user:gitit:rw-
#
# What if I try being a bit more liberal?
# Seems to be better with this config:
#
#
#
#     getfacl: Removing leading '/' from absolute path names
#     # file: srv/vcs/kb
#     # owner: root
#     # group: root
#     user::rwx
#     user:gitit:rwx
#     group::rwx
#     group:gitit:rwx
#     group:cyber:rwx
#     mask::rwx
#     other::---
#     default:user::rwx
#     default:user:gitit:rwx
#     default:group::rwx
#     default:group:cyber:rwx
#     default:mask::rwx
#     default:other::---
#
#     getfacl: Removing leading '/' from absolute path names
#     # file: srv/vcs/kb/.git/config
#     # owner: root
#     # group: root
#     user::rwx
#     user:gitit:rwx
#     group::rwx
#     group:gitit:rwx
#     group:cyber:rwx
#     mask::rwx
#     other::---
#
A  /srv/vcs/kb - - - - default:user::rwx,user::rwx
A+ /srv/vcs/kb - - - - default:user:gitit:rwx,user:gitit:rwx
A+ /srv/vcs/kb - - - - default:group::rwx,group:gitit:rwx
A+ /srv/vcs/kb - - - - default:group:cyber:rwx,group:cyber:rwx
A+ /srv/vcs/kb - - - - default:other::---,other::---
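A worked POSIX ACL check, added here and not part of the original mail: it parses getfacl-style text and applies the acl(5) evaluation order (owner entry, then named user, then matching group entries under the mask, then other), so the two layouts described in the comments above can be compared. The "before" ACL is an assumed reconstruction from the ls listing and the commented-out tmpfiles line; the "after" ACL is the getfacl output pasted above. chdir(2) needs search (x) permission on the directory.

```python
"""POSIX ACL access check per acl(5): added example, not from the original mail.

parse_getfacl() reads getfacl-style text like the output pasted above;
check_access() applies the kernel's evaluation order.
"""
PERM = {"r": 4, "w": 2, "x": 1}


def bits(perms):
    """'rw-' -> 6, 'rwx' -> 7, '---' -> 0."""
    return sum(PERM[c] for c in perms if c in PERM)


def parse_getfacl(text):
    """Map access entries to permission bits, e.g. {"user:gitit": 6, "mask:": 6, ...}."""
    acl = {"owner": "", "group": "", "mask:": 7}  # mask 7 = no mask entry present
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
            continue
        parts = line.split("#", 1)[0].strip().split(":")  # drop "#effective:" notes
        if len(parts) == 3:  # skips blanks, comments, getfacl chatter, default:* entries
            tag, who, perms = parts
            acl[f"{tag}:{who}"] = bits(perms)
    return acl


def check_access(acl, user, groups, want):
    """acl(5) order: owner entry, else named user, else matching groups, else other."""
    want, mask = bits(want), acl["mask:"]
    if user == acl["owner"]:
        return (acl.get("user:", 0) & want) == want
    if f"user:{user}" in acl:
        return (acl[f"user:{user}"] & mask & want) == want
    matching = [acl.get("group:", 0)] if acl["group"] in groups else []
    matching += [acl[f"group:{g}"] for g in groups if f"group:{g}" in acl]
    if matching:  # any one matching group entry, after the mask, may grant access
        return any((p & mask & want) == want for p in matching)
    return (acl.get("other:", 0) & want) == want


# ASSUMED reconstruction of the failing layout: ls showed "drwxrwSr-x+ twb cyber"
# (with an ACL present the group column is the mask, so mask = rw-; S means setgid
# without x) and the commented-out tmpfiles line gave gitit the entry user:gitit:rw-.
BEFORE = """\
# owner: twb
# group: cyber
user::rwx
user:gitit:rw-
group::rwx  #effective:rw-
mask::rw-
other::r-x
"""

# The working ACL as pasted above (all but one default: line omitted; they are skipped).
AFTER = """\
getfacl: Removing leading '/' from absolute path names
# file: srv/vcs/kb
# owner: root
# group: root
user::rwx
user:gitit:rwx
group::rwx
group:gitit:rwx
group:cyber:rwx
mask::rwx
other::---
default:user:gitit:rwx
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        ok = check_access(parse_getfacl(text), "gitit", {"gitit"}, "x")
        print(f"{label}: gitit may chdir into /srv/vcs/kb: {ok}")
```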
# See gitit --print-default-config for documentation.
default-page-type:              RST
log-file:                       /var/log/gitit/gitit.log
# Use this to log every GET request.
# NOTE: if you do this, set up a logrotate rule for gitit!
#log-level:                     INFO
port:                           5001
repository-path:                /srv/vcs/kb
static-dir:                     /usr/share/javascript/gitit-bootstrap-theme/static
templates-dir:                  /usr/share/javascript/gitit-bootstrap-theme/templates
user-file:                      /var/lib/gitit/gitit-users
wiki-title:                     Knowledge Base - Cyber IT Solutions
# FIXME: the cache doesn't know about updates made directly via git
# (as opposed to via the web UI).  This could be fixed by having git
# delete the cached version of a file when its source is updated.
#use-cache:                     yes
cache-dir:                      /var/cache/gitit
# We used to use apache-mod-ldap to authenticate.
# Now we use in-app authentication (like apache).
# Then our theme sets everyone's password to a dummy password.
# This is because it is behind the VPN, and
# we do not give a shit about employees spoofing one another in the KB.
# They could always do it via "git commit --author=" anyway.
# authentication-method:          form
# Long ago the cyber IRC bot would cross-announce RSS changes.
# Nobody cared about this, and the new limnoria bot did not keep this.
# Therefore, turn off the server side of it.
# use-feed:                       yes
#pandoc-user-data:               /usr/share/pandoc/data/
#pdf-export:                     no
front-page: Knowledge Base
no-delete:
no-edit:
# Default upload size from the web UI is 100kB;
# uploads from git are of course unrestricted.
# Since Ron is too lazy to learn git, I am obliged to add this line.
# UPDATE: Ron knows git these days.
#max-upload-size: 1M
# Disable mathjax -- IMO we do not need to hotlink to cdnjs.cloudflare.com.
math: no
# A security thing.  Probably on by default, but does not hurt to be explicit.
xss-sanitize: yes
# This is necessary so a hardened daemon (e.g. gitit.service) can
# send mail.  The normal /usr/sbin/sendmail is setgid maildrop.
# If the systemd unit is hardened, NoNewPrivileges= prevents setgid.
# So, instead, be an SMTP client to localhost.
# postfix trusts localhost, so then postfix can take over from there.

account default
host localhost
auto_from on
maildomain cyber.com.au

# Unlike "dpkg-reconfigure msmtp", we want syslog to be on for easier debugging.
syslog on

# Don't use /etc/aliases, because postfix will/does use it, and
# postfix has substantially more complicated flows than msmtprc.
# UPDATE: actually don't use this at all, for now. -- twb, Sep 2022
#aliases /etc/msmtprc-aliases

# We don't really care about this one, but it does not hurt.
tls_trust_file /etc/ssl/certs/ca-certificates.crt
default: sysadmin-he...@cyber.com.au
server {
    listen 80;
    listen [::]:80;
    server_name kb.cyber.com.au;
    # Serve ACME http-01 challenges directly.
    location /.well-known/ {
        root /var/www/html/;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kb.cyber.com.au;
    ssl_certificate      /etc/letsencrypt-uacme/kb.cyber.com.au/cert.pem;
    ssl_certificate_key  /etc/letsencrypt-uacme/private/kb.cyber.com.au/key.pem;
    # Serve ACME http-01 challenges directly.
    location /.well-known/ {
        root /var/www/html/;
    }
    # Everything else serve directly.
    # BUT ONLY TO PEOPLE IN THE OFFICE OR ON THE VPN!!!
    location / {
        proxy_pass http://localhost:5001/;
        allow 203.7.155.0/24;
        allow 10.194.71.0/24;  # wireguard users
        allow 127.0.0.0/8;
        deny all;
    }
}
