From ec6e2e5851e066bc6994d29e94478d4463c932a2 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Fri, 2 Mar 2018 22:20:49 +0000
Subject: [PATCH] Tidying

---
 src/freedombone-utils-passwords  |   2 +-
 src/freedombone-utils-postgresql |  63 +--
 src/freedombone-utils-repos      |  66 +--
 src/freedombone-utils-rng        |  16 +-
 src/freedombone-utils-selector   | 171 +++----
 src/freedombone-utils-setup      |  84 ++--
 src/freedombone-utils-tracker    |  67 +--
 src/freedombone-utils-turn       | 165 +++----
 src/freedombone-utils-upgrade    |  54 +--
 src/freedombone-utils-watchdog   |  34 +-
 src/freedombone-utils-web        | 802 +++++++++++++++----------------
 src/freedombone-utils-zram       |   4 +-
 12 files changed, 767 insertions(+), 761 deletions(-)

diff --git a/src/freedombone-utils-passwords b/src/freedombone-utils-passwords
index a4d420ea..c289dfb4 100755
--- a/src/freedombone-utils-passwords
+++ b/src/freedombone-utils-passwords
@@ -51,7 +51,7 @@ function enforce_good_passwords {
 }
 
 function create_password {
-    openssl rand -base64 32 | tr -dc A-Za-z0-9 | head -c ${1} ; echo -n ''
+    openssl rand -base64 32 | tr -dc A-Za-z0-9 | head -c "${1}" ; echo -n ''
 }
 
 # NOTE: deliberately no exit 0
diff --git a/src/freedombone-utils-postgresql b/src/freedombone-utils-postgresql
index 4aa271b8..5f0267e0 100755
--- a/src/freedombone-utils-postgresql
+++ b/src/freedombone-utils-postgresql
@@ -35,14 +35,14 @@ POSTGRESQL_PACKAGES='postgresql-9.6 postgresql-contrib-9.6 postgresql-client'
 function store_original_postgresql_password {
     if [ ! -f /root/.postgresqloriginal ]; then
         echo $'Storing original postgresql password'
-        ORIGINAL_POSTGRESQL_PASSWORD=$(${PROJECT_NAME}-pass -u root -a postgresql)
+        ORIGINAL_POSTGRESQL_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a postgresql)
         # We can store this in plaintext because it will soon be of historical interest only
         echo -n "$ORIGINAL_POSTGRESQL_PASSWORD" > /root/.postgresqloriginal
     fi
 }
 
 function get_postgresql_password {
-    POSTGRESQL_PASSWORD=$(${PROJECT_NAME}-pass -u root -a postgresql)
+    POSTGRESQL_PASSWORD=$("${PROJECT_NAME}-pass" -u root -a postgresql)
     if [[ "$POSTGRESQL_PASSWORD" == *'failed'* ]]; then
         echo $'Could not obtain postgresql password'
         exit 7835272
@@ -50,14 +50,15 @@ function get_postgresql_password {
 }
 
 function mesh_install_postgresql {
-    chroot "$rootdir" apt-get -yq install $POSTGRESQL_PACKAGES
+    # shellcheck disable=SC2154
+    chroot "$rootdir" apt-get -yq install "$POSTGRESQL_PACKAGES"
 
-    if [ ! -d $rootdir/etc/postgresql ]; then
+    if [ ! -d "$rootdir/etc/postgresql" ]; then
         echo $"ERROR: postgresql does not appear to have installed."
         exit 78352
     fi
 
-    if [ ! -f $rootdir/usr/bin/psql ]; then
+    if [ ! -f "$rootdir/usr/bin/psql" ]; then
         echo $"ERROR: psql command does not appear to have installed."
         exit 835290
     fi
@@ -75,16 +76,16 @@ function install_postgresql {
 
     function_check get_postgresql_password
     get_postgresql_password
-    if [ ! $POSTGRESQL_PASSWORD ]; then
-        if [ -f $IMAGE_PASSWORD_FILE ]; then
-            POSTGRESQL_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
+    if [ ! "$POSTGRESQL_PASSWORD" ]; then
+        if [ -f "$IMAGE_PASSWORD_FILE" ]; then
+            POSTGRESQL_PASSWORD="$(printf "%s" "$(cat "$IMAGE_PASSWORD_FILE")")"
         else
-            POSTGRESQL_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
+            POSTGRESQL_PASSWORD="$(create_password "${MINIMUM_PASSWORD_LENGTH}")"
         fi
     fi
-    ${PROJECT_NAME}-pass -u root -a postgresql -p "$POSTGRESQL_PASSWORD"
+    "${PROJECT_NAME}-pass" -u root -a postgresql -p "$POSTGRESQL_PASSWORD"
 
-    apt-get -yq install $POSTGRESQL_PACKAGES
+    apt-get -yq install "$POSTGRESQL_PACKAGES"
     apt-get -yq remove --purge apache2-bin*
     if [ -d /etc/apache2 ]; then
         rm -rf /etc/apache2
@@ -107,7 +108,7 @@ function install_postgresql {
 function add_postgresql_user {
     postgresql_username=$1
     postgresql_password=$2
-    cd /etc/postgresql
+    cd /etc/postgresql || exit 2468246
     if [[ "$3" != 'encrypt'* ]]; then
         sudo -u postgres psql -c "create user $postgresql_username password '$postgresql_password';"
     else
@@ -118,14 +119,14 @@ function add_postgresql_user {
 
 function remove_postgresql_user {
     postgresql_username=$1
-    cd /etc/postgresql
+    cd /etc/postgresql || exit 24624624
     sudo -u postgres psql -c "drop user $postgresql_username"
 }
 
 function drop_database_postgresql {
     database_name="$1"
     database_owner_name="$2"
-    cd /etc/postgresql
+    cd /etc/postgresql || exit 2482468242
     sudo -u postgres psql -c "drop database $database_name"
     if [ ${#database_owner_name} -gt 0 ]; then
         sudo -u postgres psql -c "drop user $database_owner_name"
@@ -134,31 +135,31 @@ function drop_database_postgresql {
 
 function run_system_query_postgresql {
     query=$1
-    cd /etc/postgresql
+    cd /etc/postgresql || exit 24624649846
     sudo -u postgres psql -c "$query"
 }
 
 function run_query_postgresql {
     database_name=$1
     database_query=$2
-    cd /etc/postgresql
-    sudo -u postgres psql -d $database_name -c "$database_query"
+    cd /etc/postgresql || exit 2492464684
+    sudo -u postgres psql -d "$database_name" -c "$database_query"
 }
 
 function run_query_postgresql_with_output {
     database_name=$1
     database_query=$2
-    cd /etc/postgresql
-    output=$(sudo -u postgres psql -d $database_name -c "$database_query")
+    cd /etc/postgresql || exit 2482462846
+    output=$(sudo -u postgres psql -d "$database_name" -c "$database_query")
     echo "$output"
 }
 
 function initialise_database_postgresql {
     database_name=$1
     database_file=$2
-    cd /etc/postgresql
-    sudo -u postgres psql $database_name < $database_file
-    if [ ! "$?" = "0" ]; then
+    cd /etc/postgresql || exit 239246992469
+    # shellcheck disable=SC2024
+    if ! sudo -u postgres psql "$database_name" < "$database_file"; then
         exit 7238525
     fi
 }
@@ -167,10 +168,10 @@ function create_database_postgresql {
     app_name="$1"
     app_admin_password="$2"
     app_admin_username=$3
-    if [ ! -d $INSTALL_DIR ]; then
-        mkdir $INSTALL_DIR
+    if [ ! -d "$INSTALL_DIR" ]; then
+        mkdir "$INSTALL_DIR"
     fi
-    if [ ! $app_admin_username ]; then
+    if [ ! "$app_admin_username" ]; then
         app_admin_username=${app_name}admin
     fi
 
@@ -178,9 +179,11 @@ function create_database_postgresql {
 CREATE USER '$app_admin_username@localhost' IDENTIFIED BY '${app_admin_password}';
 GRANT ALL PRIVILEGES ON ${app_name}.* TO '$app_admin_username@localhost';
 flush privileges;
-quit" > $INSTALL_DIR/batch.sql
-    chmod 600 $INSTALL_DIR/batch.sql
-    cd /etc/postgresql
-    sudo -u postgres psql -d $database_name --file=$INSTALL_DIR/batch.sql
-    shred -zu $INSTALL_DIR/batch.sql
+quit" > "$INSTALL_DIR/batch.sql"
+    chmod 600 "$INSTALL_DIR/batch.sql"
+    cd /etc/postgresql || exit 247284684
+    sudo -u postgres psql -d "$database_name" --file="$INSTALL_DIR/batch.sql"
+    shred -zu "$INSTALL_DIR/batch.sql"
 }
+
+# NOTE: deliberately there is no "exit 0"
diff --git a/src/freedombone-utils-repos b/src/freedombone-utils-repos
index 2dc70abe..d2fc59f7 100755
--- a/src/freedombone-utils-repos
+++ b/src/freedombone-utils-repos
@@ -38,17 +38,17 @@ function create_repo_sources {
     rm -rf /var/lib/apt/lists/*
     apt-get clean
 
-    echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" > /etc/apt/sources.list
-    echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" >> /etc/apt/sources.list
-    echo '' >> /etc/apt/sources.list
-    echo "deb http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list
-    echo "deb-src http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list
-    echo '' >> /etc/apt/sources.list
-    echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list
-    echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list
-    echo '' >> /etc/apt/sources.list
-    echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list
-    echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list
+    { echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main";
+      echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main";
+      echo '';
+      echo "deb http://security.debian.org/ ${DEBIAN_VERSION}/updates main";
+      echo "deb-src http://security.debian.org/ ${DEBIAN_VERSION}/updates main";
+      echo '';
+      echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main";
+      echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main";
+      echo '';
+      echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main";
+      echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main"; } > /etc/apt/sources.list
 
     apt-get update
     apt-get -yq install apt-transport-https
@@ -63,28 +63,28 @@ function create_git_project {
     fi
     apt-get -yq install git
 
-    echo '#!/bin/bash' > /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'GIT_PROJECT_NAME=$1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'if [ ! $GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '  echo "Please specify a project name, without any spaces"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '  exit 1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'if [ ! -d /home/$USER/projects/$GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '  mkdir -p /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'cd /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'git init --bare' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo -n 'echo "Your project has been created, ' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'use the following command to clone the repository"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo -n "  git clone ssh://$MY_USERNAME@$DEFAULT_DOMAIN_NAME:$SSH_PORT" >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '/home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    echo 'exit 0' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND
-    chmod +x /usr/bin/$CREATE_GIT_PROJECT_COMMAND
+    { echo '#!/bin/bash';
+      echo '';
+      echo "GIT_PROJECT_NAME=\$1";
+      echo "if [ ! \$GIT_PROJECT_NAME ]; then";
+      echo '  echo "Please specify a project name, without any spaces"';
+      echo '  exit 1';
+      echo 'fi';
+      echo '';
+      echo "if [ ! -d /home/\$USER/projects/\$GIT_PROJECT_NAME ]; then";
+      echo "  mkdir -p /home/\$USER/projects/\$GIT_PROJECT_NAME";
+      echo 'fi';
+      echo '';
+      echo "cd /home/\$USER/projects/\$GIT_PROJECT_NAME";
+      echo 'git init --bare';
+      echo '';
+      echo -n 'echo "Your project has been created, ';
+      echo 'use the following command to clone the repository"';
+      echo -n "  git clone ssh://$MY_USERNAME@$DEFAULT_DOMAIN_NAME:$SSH_PORT";
+      echo "/home/\$USER/projects/\$GIT_PROJECT_NAME";
+      echo '';
+      echo 'exit 0'; } > "/usr/bin/$CREATE_GIT_PROJECT_COMMAND"
+    chmod +x "/usr/bin/$CREATE_GIT_PROJECT_COMMAND"
 
     mark_completed "${FUNCNAME[0]}"
 }
diff --git a/src/freedombone-utils-rng b/src/freedombone-utils-rng
index cb61fb4f..0c31378a 100755
--- a/src/freedombone-utils-rng
+++ b/src/freedombone-utils-rng
@@ -66,11 +66,11 @@ function check_onerng_verification {
         return
     fi
     echo $'Checking OneRNG firmware verification'
-    last_onerng_validation=$(cat /var/log/syslog.1 | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
+    last_onerng_validation=$(grep "OneRNG: firmware verification" /var/log/syslog.1 | awk '/./{line=$0} END{print line}')
     if [[ $last_onerng_validation != *"passed OK"* ]]; then
-        last_onerng_validation=$(cat /var/log/syslog | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
+        last_onerng_validation=$(grep "OneRNG: firmware verification" /var/log/syslog | awk '/./{line=$0} END{print line}')
         if [[ $last_onerng_validation != *"passed OK"* ]]; then
-            echo $last_onerng_validation
+            echo "$last_onerng_validation"
             echo $'OneRNG firmware verification failed'
             exit 735026
         fi
@@ -85,14 +85,14 @@ function install_onerng {
     apt-get -yq install rng-tools at python-gnupg
 
     # Move to the installation directory
-    if [ ! -d $INSTALL_DIR ]; then
-        mkdir $INSTALL_DIR
+    if [ ! -d "$INSTALL_DIR" ]; then
+        mkdir "$INSTALL_DIR"
     fi
-    cd $INSTALL_DIR
+    cd "$INSTALL_DIR" || exit 24762464
 
     # Download the package
     if [ ! -f $ONERNG_PACKAGE ]; then
-        wget $ONERNG_PACKAGE_DOWNLOAD
+        wget "$ONERNG_PACKAGE_DOWNLOAD"
         mv "$ONERNG_PACKAGE?raw=true" $ONERNG_PACKAGE
     fi
     if [ ! -f $ONERNG_PACKAGE ]; then
@@ -102,7 +102,7 @@ function install_onerng {
 
     # Check the hash
     hash=$(sha256sum $ONERNG_PACKAGE | awk -F ' ' '{print $1}')
-    if [[ $hash != $ONERNG_PACKAGE_HASH ]]; then
+    if [[ "$hash" != "$ONERNG_PACKAGE_HASH" ]]; then
         echo $"OneRNG package: $ONERNG_PACKAGE"
         echo $"Hash does not match. This could indicate that the package has been tampered with."
         echo $"OneRNG expected package hash: $ONERNG_PACKAGE_HASH"
diff --git a/src/freedombone-utils-selector b/src/freedombone-utils-selector
index 431767a5..8eea0926 100755
--- a/src/freedombone-utils-selector
+++ b/src/freedombone-utils-selector
@@ -49,8 +49,8 @@ INSTALLED_APPS_LIST=/usr/share/${PROJECT_NAME}/installed.txt
 # so that when a new app is added existing users can be added
 APP_USERS_FILE=$HOME/app_users.txt
 
-if [ ! $COMPLETION_FILE ]; then
-    COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
+if [ ! "$COMPLETION_FILE" ]; then
+    COMPLETION_FILE="$HOME/${PROJECT_NAME}-completed.txt"
 fi
 
 # Loads variables defined at the beginning of an app script
@@ -58,16 +58,20 @@ function app_load_variables {
     app_name=$1
 
     config_var_name=${app_name}_variables
+    # shellcheck disable=SC2086
     if [ ! ${!config_var_name} ]; then
         echo $"${app_name}_variables was not found"
         return
     fi
 
+    #shellcheck disable=SC1087,SC2125,SC2178
     configvarname=$config_var_name[@]
+
+    #shellcheck disable=SC2206
     configvarname=( ${!configvarname} )
     for v in "${configvarname[@]}"
     do
-        read_config_param $v
+        read_config_param "$v"
     done
 }
 
@@ -76,22 +80,26 @@ function app_save_variables {
     app_name=$1
 
     config_var_name=${app_name}_variables
+    #shellcheck disable=SC2086
     if [ ! ${!config_var_name} ]; then
         return
     fi
 
+    #shellcheck disable=SC1087,SC2125,SC2178
     configvarname=$config_var_name[@]
+
+    #shellcheck disable=SC2206
     configvarname=( ${!configvarname} )
     for v in "${configvarname[@]}"
     do
-        write_config_param $v "${!v}"
+        write_config_param "$v" "${!v}"
     done
 }
 
 # gets the variants list from an app script
 function app_variants {
     filename=$1
-    variants_line=$(cat ${filename} | grep 'VARIANTS=')
+    variants_line=$(grep 'VARIANTS=' "${filename}")
     if [[ "$variants_line" == *"'"* ]]; then
         variants_list=$(echo "$variants_line" | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
     else
@@ -112,21 +120,22 @@ function item_in_array {
 function available_system_variants {
     function_check item_in_array
 
-    FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
+    FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
 
     new_available_variants_list=()
     for filename in $FILES
     do
-        system_variants_list=$(app_variants $filename)
+        system_variants_list=$(app_variants "$filename")
+        # shellcheck disable=SC2206
         variants_array=($system_variants_list)
         for variant_str in "${variants_array[@]}"
         do
-            item_in_array "${variant_str}" "${new_available_variants_list[@]}"
-            if [[ $? != 0 ]]; then
+            if ! item_in_array "${variant_str}" "${new_available_variants_list[@]}"; then
                 new_available_variants_list+=("$variant_str")
             fi
         done
     done
+    # shellcheck disable=SC2207
     available_variants_list=($(sort <<<"${new_available_variants_list[*]}"))
 }
 
@@ -167,11 +176,11 @@ function remove_app {
     if ! grep -Fxq "_${app_name}_" $REMOVED_APPS_FILE; then
         echo "_${app_name}_" >> $REMOVED_APPS_FILE
     fi
-    if grep -Fxq "install_${app_name}" $COMPLETION_FILE; then
-        sed -i "/install_${app_name}/d" $COMPLETION_FILE
+    if grep -Fxq "install_${app_name}" "$COMPLETION_FILE"; then
+        sed -i "/install_${app_name}/d" "$COMPLETION_FILE"
     fi
-    if grep -Fxq "install_${app_name}" $INSTALLED_APPS_LIST; then
-        sed -i "/install_${app_name}/d" $INSTALLED_APPS_LIST
+    if grep -Fxq "install_${app_name}" "$INSTALLED_APPS_LIST"; then
+        sed -i "/install_${app_name}/d" "$INSTALLED_APPS_LIST"
     fi
 }
 
@@ -196,7 +205,7 @@ function reinstall_app {
     if [ ! -f $REMOVED_APPS_FILE ]; then
         return
     fi
-    if [[ $(app_is_removed $app_name) == "1" ]]; then
+    if [[ $(app_is_removed "$app_name") == "1" ]]; then
         sed -i "/_${app_name}_/d" $REMOVED_APPS_FILE
     fi
 }
@@ -207,8 +216,8 @@ function app_is_installed {
 
     # Why does this secondary file exist, apart from COMPLETION_FILE ?
     # It's so that it is visible to unprivileged users from the user control panel
-    if [ -f $INSTALLED_APPS_LIST ]; then
-        if ! grep -Fxq "install_${app_name}" $INSTALLED_APPS_LIST; then
+    if [ -f "$INSTALLED_APPS_LIST" ]; then
+        if ! grep -Fxq "install_${app_name}" "$INSTALLED_APPS_LIST"; then
             echo "0"
         else
             echo "1"
@@ -217,12 +226,12 @@ function app_is_installed {
     fi
 
     # check the completion file to see if it was installed
-    if [ ! -f $COMPLETION_FILE ]; then
+    if [ ! -f "$COMPLETION_FILE" ]; then
         echo "0"
         return
     fi
 
-    if ! grep -Fxq "install_${app_name}" $COMPLETION_FILE; then
+    if ! grep -Fxq "install_${app_name}" "$COMPLETION_FILE"; then
         echo "0"
     else
         echo "1"
@@ -231,11 +240,11 @@ function app_is_installed {
 
 # called at the end of the install section of an app script
 function install_completed {
-    if [ ! ${1} ]; then
+    if [ ! "${1}" ]; then
         exit 673935
     fi
-    if ! grep -Fxq "install_${1}" $COMPLETION_FILE; then
-        echo "install_${1}" >> $COMPLETION_FILE
+    if ! grep -Fxq "install_${1}" "$COMPLETION_FILE"; then
+        echo "install_${1}" >> "$COMPLETION_FILE"
     fi
 }
 
@@ -243,7 +252,7 @@ function install_completed {
 function get_apps_installed {
     for a in "${APPS_AVAILABLE[@]}"
     do
-        APPS_INSTALLED+=("$(app_is_installed $a)")
+        APPS_INSTALLED+=("$(app_is_installed "$a")")
     done
 }
 
@@ -252,7 +261,7 @@ function get_apps_installed_names {
     APPS_INSTALLED_NAMES=()
     for a in "${APPS_AVAILABLE[@]}"
     do
-        if [[ $(app_is_installed $a) == "1" ]]; then
+        if [[ $(app_is_installed "$a") == "1" ]]; then
             APPS_INSTALLED_NAMES+=("$a")
         fi
     done
@@ -260,7 +269,7 @@ function get_apps_installed_names {
 
 # detects what apps are available
 function detect_apps {
-    FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
+    FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
 
     function_check item_in_array
 
@@ -272,8 +281,7 @@ function detect_apps {
     do
         app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
 
-        item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"
-        if [[ $? != 0 ]]; then
+        if ! item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"; then
             APPS_AVAILABLE+=("${app_name}")
             APPS_CHOSEN+=("0")
         fi
@@ -288,7 +296,7 @@ function detect_apps {
 # If the variants list within an app script is an empty string then
 # it is considered to be too experimental to be installable
 function detect_installable_apps {
-    FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
+    FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
 
     APPS_AVAILABLE=()
     APPS_CHOSEN=()
@@ -304,15 +312,14 @@ function detect_installable_apps {
     do
         app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
 
-        item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"
-        if [[ $? != 0 ]]; then
-            variants_list=$(app_variants $filename)
+        if ! item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"; then
+            variants_list=$(app_variants "$filename")
             # check for empty string
             if [ ${#variants_list} -gt 0 ]; then
                 APPS_AVAILABLE+=("${app_name}")
                 APPS_CHOSEN+=("0")
-                APPS_INSTALLED+=("$(app_is_installed $app_name)")
-                if [[ $(app_is_installed $app_name) == "1" ]]; then
+                APPS_INSTALLED+=("$(app_is_installed "$app_name")")
+                if [[ $(app_is_installed "$app_name") == "1" ]]; then
                     APPS_INSTALLED_NAMES+=("$app_name")
                 fi
             fi
@@ -321,7 +328,7 @@ function detect_installable_apps {
 }
 
 function detect_installed_apps {
-    FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
+    FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
 
     APPS_AVAILABLE=()
     APPS_INSTALLED=()
@@ -336,10 +343,9 @@ function detect_installed_apps {
     do
         app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
 
-        if [[ $(app_is_installed $app_name) == "1" ]]; then
-            item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"
-            if [[ $? != 0 ]]; then
-                variants_list=$(app_variants $filename)
+        if [[ $(app_is_installed "$app_name") == "1" ]]; then
+            if ! item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"; then
+                variants_list=$(app_variants "$filename")
                 if [ ${#variants_list} -gt 0 ]; then
                     APPS_AVAILABLE+=("${app_name}")
                     APPS_INSTALLED_NAMES+=("$app_name")
@@ -363,7 +369,7 @@ function choose_apps_for_variant {
         exit 237567
     fi
 
-    FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
+    FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
 
     APPS_CHOSEN=()
 
@@ -372,16 +378,15 @@ function choose_apps_for_variant {
     do
         app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
 
-        item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"
-        if [[ $? == 0 ]]; then
-            if grep -q "VARIANTS=" ${filename}; then
-                variants_list=$(app_variants $filename)
+        if item_in_array "${app_name}" "${APPS_AVAILABLE[@]}"; then
+            if grep -q "VARIANTS=" "${filename}"; then
+                variants_list=$(app_variants "$filename")
                 if [[ "${variants_list}" == 'all'* || \
                       "${variants_list}" == "$variant_name" || \
                       "${variants_list}" == "$variant_name "* || \
                       "${variants_list}" == *" $variant_name "* || \
                       "${variants_list}" == *" $variant_name" ]]; then
-                    if [[ $(app_is_removed ${a}) == "0" ]]; then
+                    if [[ $(app_is_removed "${a}") == "0" ]]; then
                         #echo $"${app_name} chosen"
                         APPS_CHOSEN+=("1")
                     else
@@ -408,7 +413,7 @@ function list_chosen_apps {
         if [[ ${APPS_CHOSEN[$app_index]} == "1" ]]; then
             echo $"${a}"
         fi
-        app_index=$[app_index+1]
+        app_index=$((app_index+1))
     done
 }
 
@@ -421,23 +426,23 @@ function remove_apps {
                 echo $"Removing users for application: ${a}"
 
                 function_check remove_users_for_app
-                remove_users_for_app ${a}
+                remove_users_for_app "${a}"
 
                 echo $"Removing application: ${a}"
 
                 function_check app_load_variables
-                app_load_variables ${a}
+                app_load_variables "${a}"
 
                 function_check remove_app
-                remove_app ${a}
+                remove_app "${a}"
 
-                function_check remove_${a}
-                remove_${a}
+                function_check "remove_${a}"
+                "remove_${a}"
 
                 echo $"${a} was removed"
             fi
         fi
-        app_index=$[app_index+1]
+        app_index=$((app_index+1))
     done
     update_installed_apps_list
 }
@@ -450,13 +455,13 @@ function install_apps_interactive {
         if [[ ${APPS_INSTALLED[$app_index]} == "0" ]]; then
             if [[ ${APPS_CHOSEN[$app_index]} == "1" ]]; then
                 # interactively obtain settings for this app
-                if [[ $(function_exists install_interactive_${a}) == "1" ]]; then
-                    install_interactive_${a}
+                if [[ $(function_exists "install_interactive_${a}") == "1" ]]; then
+                    "install_interactive_${a}"
                 fi
             fi
         fi
 
-        app_index=$[app_index+1]
+        app_index=$((app_index+1))
     done
     echo $"Interactive settings complete"
 }
@@ -466,8 +471,8 @@ function user_added_to_app {
     app_name="$2"
 
     if [[ $(is_valid_user "$user_name") == "1" ]]; then
-        if [[ $(function_exists add_user_${app_name}) == "1" ]]; then
-            if grep -Fxq "${app_name}_${user_name}" $APP_USERS_FILE; then
+        if [[ $(function_exists "add_user_${app_name}") == "1" ]]; then
+            if grep -Fxq "${app_name}_${user_name}" "$APP_USERS_FILE"; then
                 echo "1"
                 return
             fi
@@ -482,7 +487,7 @@ function add_users_after_install {
     read_config_param MY_USERNAME
 
     # ensure a minimum password length
-    if [ ! $MINIMUM_PASSWORD_LENGTH ]; then
+    if [ ! "$MINIMUM_PASSWORD_LENGTH" ]; then
         MINIMUM_PASSWORD_LENGTH=20
     fi
     if [ ${#MINIMUM_PASSWORD_LENGTH} -lt 20 ]; then
@@ -490,7 +495,7 @@ function add_users_after_install {
     fi
 
     ADMIN_USERNAME=$(get_completion_param "Admin user")
-    if [ ! $ADMIN_USERNAME ]; then
+    if [ ! "$ADMIN_USERNAME" ]; then
         ADMIN_USERNAME=$MY_USERNAME
     fi
 
@@ -501,8 +506,8 @@ function add_users_after_install {
                 if [[ $(user_added_to_app "${USERNAME}" "${app_name}") == "0" ]]; then
                     valstr=$"Login for user ${USERNAME}="
                     app_password="$(create_password ${MINIMUM_PASSWORD_LENGTH})"
-                    add_user_${app_name} "${USERNAME}" "${app_password}"
-                    echo "${app_name}_${USERNAME}" >> $APP_USERS_FILE
+                    "add_user_${app_name}" "${USERNAME}" "${app_password}"
+                    echo "${app_name}_${USERNAME}" >> "$APP_USERS_FILE"
                 fi
             fi
         fi
@@ -519,10 +524,10 @@ function remove_users_for_app {
         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
             if [[ "$USERNAME" != "$MY_USERNAME" ]]; then
                 if [[ $(user_added_to_app "${USERNAME}" "${app_name}") == "1" ]]; then
-                    if [[ $(function_exists remove_user_${app_name}) == "1" ]]; then
-                        remove_user_${app_name} "${USERNAME}"
+                    if [[ $(function_exists "remove_user_${app_name}") == "1" ]]; then
+                        "remove_user_${app_name}" "${USERNAME}"
                     fi
-                    sed -i "/${app_name}_${USERNAME}/d" $APP_USERS_FILE
+                    sed -i "/${app_name}_${USERNAME}/d" "$APP_USERS_FILE"
                 fi
             fi
         fi
@@ -535,7 +540,7 @@ function install_apps {
     APP_INSTALLED_SUCCESS=1
 
     # interactive install configuration for each app
-    if [ ${is_interactive} ]; then
+    if [ "${is_interactive}" ]; then
         install_apps_interactive
     fi
 
@@ -549,69 +554,69 @@ function install_apps {
                 # remove any temp files
                 rm -rf /tmp/*
 
-                if [ ${is_interactive} ]; then
+                if [ "${is_interactive}" ]; then
                     # clears any removal indicator
                     function_check reinstall_app
-                    reinstall_app ${a}
+                    reinstall_app "${a}"
 
                     function_check app_load_variables
-                    app_load_variables ${a}
+                    app_load_variables "${a}"
 
-                    if [[ $(app_is_installed ${a}) == "1" ]]; then
+                    if [[ $(app_is_installed "${a}") == "1" ]]; then
                         echo $"Upgrading application from interactive: ${a}"
-                        upgrade_${a}
+                        "upgrade_${a}"
                         echo $"${a} was upgraded from interactive"
                     else
                         echo $"Installing application from interactive: ${a}"
                         APP_INSTALLED=
-                        install_${a}
+                        "install_${a}"
                         if [ $APP_INSTALLED ]; then
                             function_check app_save_variables
-                            app_save_variables ${a}
+                            app_save_variables "${a}"
 
                             function_check add_users_after_install
-                            add_users_after_install ${a}
+                            add_users_after_install "${a}"
 
                             function_check lockdown_permissions
                             lockdown_permissions
 
                             function_check install_completed
-                            install_completed ${a}
+                            install_completed "${a}"
                             echo $"${a} was installed from interactive"
                         else
-                            echo "Failed to install: ${a}" >> /var/log/${PROJECT_NAME}.log
+                            echo "Failed to install: ${a}" >> "/var/log/${PROJECT_NAME}.log"
                             APP_INSTALLED_SUCCESS=
                             echo $"${a} was not installed from interactive"
                         fi
                     fi
                 else
                     # check if the app was removed
-                    if [[ $(app_is_removed ${a}) == "0" ]]; then
+                    if [[ $(app_is_removed "${a}") == "0" ]]; then
                         function_check app_load_variables
-                        app_load_variables ${a}
-                        if [[ $(app_is_installed ${a}) == "1" ]]; then
+                        app_load_variables "${a}"
+                        if [[ $(app_is_installed "${a}") == "1" ]]; then
                             echo $"Upgrading application: ${a}"
-                            upgrade_${a}
+                            "upgrade_${a}"
                             echo $"${a} was upgraded"
                         else
                             echo $"Installing application: ${a}"
                             APP_INSTALLED=
-                            install_${a}
+                            "install_${a}"
                             if [ $APP_INSTALLED ]; then
                                 function_check app_save_variables
-                                app_save_variables ${a}
+                                app_save_variables "${a}"
 
                                 function_check add_users_after_install
-                                add_users_after_install ${a}
+                                add_users_after_install "${a}"
 
                                 function_check lockdown_permissions
                                 lockdown_permissions
 
                                 function_check install_completed
-                                install_completed ${a}
+                                install_completed "${a}"
                                 echo $"${a} was installed"
                             else
-                                echo "Failed to install: ${a}" >> /var/log/${PROJECT_NAME}.log
+                                echo "Failed to install: ${a}" >> "/var/log/${PROJECT_NAME}.log"
                                 APP_INSTALLED_SUCCESS=
                                 echo $"${a} was not installed"
                             fi
@@ -622,7 +627,7 @@ function install_apps {
                 fi
             fi
         fi
-        app_index=$[app_index+1]
+        app_index=$((app_index+1))
     done
 
     function_check update_installed_apps_list
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 77522207..2c45362e 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -63,7 +63,7 @@ BACKUP_MAX_DAYS=30
 # file containing a list of remote locations to backup to
 # Format: [username@friendsdomain//home/username] [ssh_password]
 # With the only space character being between the server and the password
-FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
+FRIENDS_SERVERS_LIST="/home/$MY_USERNAME/backup.list"
 
 export DEBIAN_FRONTEND=noninteractive
 
@@ -103,9 +103,9 @@ function detect_usb_drive {
     # which is likely to be the last drive connected
     read_config_param USB_DRIVE
     partition_number='1'
-    if [[ "$1" == "nopath" ]]; then
-        partition_number=''
-    fi
+    #if [[ "$1" == "nopath" ]]; then
+    #    partition_number=''
+    #fi
     if [ -b /dev/sda${partition_number} ]; then
         USB_DRIVE=/dev/sda${partition_number}
     fi
@@ -139,7 +139,7 @@ function separate_tmp_filesystem {
         mkdir -p /tmp
     fi
     if ! grep -q '/tmp' /etc/fstab; then
-        mount -t tmpfs -o size=${tmp_filesystem_size_mb}m tmpfs /tmp
+        mount -t tmpfs -o size="${tmp_filesystem_size_mb}m" tmpfs /tmp
         echo "tmpfs       /tmp tmpfs   nodev,nosuid,noexec,nodiratime,size=${tmp_filesystem_size_mb}M   0 0" >> /etc/fstab
     fi
 }
@@ -183,7 +183,7 @@ function remove_bluetooth {
         bluetooth_changed=1
     fi
     if [ $bluetooth_changed ]; then
-        update-initramfs -u -k `uname -r` -v
+        update-initramfs -u -k "$(uname -r)" -v
         update-rc.d bluetooth remove
     fi
 }
@@ -199,7 +199,7 @@ function running_as_root {
 function reset_usb_devices {
     for xhci in /sys/bus/pci/drivers/?hci-pci ; do
 
-        if ! cd $xhci ; then
+        if ! cd "$xhci" ; then
             return
         fi
 
@@ -219,7 +219,7 @@ function install_backports_kernel {
 
     if [[ "$architecture_type" == *"amd64"* ]]; then
         package_installed=$(dpkg-query -W -f='${Package}\n' linux-image-amd64 2>/dev/null)
-        if [ ! $package_installed ]; then
+        if [ ! "$package_installed" ]; then
             apt-get -yq install linux-image-amd64
         fi
     fi
@@ -279,8 +279,8 @@ function initial_setup {
         apt-get -yq install grub2 lvm2
     fi
 
-    if [ ! -d $INSTALL_DIR ]; then
-        mkdir -p $INSTALL_DIR
+    if [ ! -d "$INSTALL_DIR" ]; then
+        mkdir -p "$INSTALL_DIR"
     fi
 
     mark_completed "${FUNCNAME[0]}"
@@ -308,8 +308,9 @@ function setup_grub {
 }
 
 function admin_user_sudo {
-    if ! grep -q "$MY_USERNAME  ALL=(ALL) ALL" $rootdir/etc/sudoers; then
-        echo "$MY_USERNAME  ALL=(ALL) ALL" >> $rootdir/etc/sudoers
+    # shellcheck disable=SC2154
+    if ! grep -q "$MY_USERNAME  ALL=(ALL) ALL" "$rootdir/etc/sudoers"; then
+        echo "$MY_USERNAME  ALL=(ALL) ALL" >> "$rootdir/etc/sudoers"
     fi
 }
 
@@ -338,11 +339,11 @@ function search_for_attached_usb_drive {
 
         if [ -f $USB_MOUNT/private_key.gpg ]; then
             echo $'GPG private key found on USB drive'
-            MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg
+            MY_GPG_PRIVATE_KEY="$USB_MOUNT/private_key.gpg"
         fi
         if [ -f $USB_MOUNT/public_key.gpg ]; then
             echo $'GPG public key found on USB drive'
-            MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg
+            MY_GPG_PUBLIC_KEY="$USB_MOUNT/public_key.gpg"
         fi
 
         if [ -f $USB_MOUNT/letsencrypt ]; then
@@ -431,8 +432,8 @@ function remove_default_user {
 }
 
 function create_completion_file {
-    if [ ! -f $COMPLETION_FILE ]; then
-        touch $COMPLETION_FILE
+    if [ ! -f "$COMPLETION_FILE" ]; then
+        touch "$COMPLETION_FILE"
     fi
 }
 
@@ -467,7 +468,7 @@ function remove_management_engine_interface {
 }
 
 function set_login_umask {
-    logindefs_umask=$(cat /etc/login.defs | grep UMASK | grep -v '#')
+    logindefs_umask=$(grep UMASK /etc/login.defs | grep -v '#')
     if [[ "$logindefs_umask" != *'077' ]]; then
         sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
     fi
@@ -489,7 +490,7 @@ function set_max_login_tries {
     max_tries=$1
 
     if ! grep -q ' deny=' /etc/pam.d/common-auth; then
-        sed -i "/pam_deny.so/a auth    required\t\t\tpam_tally.so    onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
+        sed -i "/pam_deny.so/a auth    required\\t\\t\\tpam_tally.so    onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
     else
         if ! grep -q " deny=$max_tries" /etc/pam.d/common-auth; then
             sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
@@ -503,19 +504,19 @@ function set_max_login_tries {
 
 function limit_user_logins {
     # overall max logins
-    if ! grep -q '* hard maxsyslogins' /etc/security/limits.conf; then
+    if ! grep -q '\* hard maxsyslogins' /etc/security/limits.conf; then
         echo '* hard maxsyslogins 10' >> /etc/security/limits.conf
     else
-        if ! grep -q '* hard maxsyslogins 10' /etc/security/limits.conf; then
+        if ! grep -q '\* hard maxsyslogins 10' /etc/security/limits.conf; then
             sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
         fi
     fi
 
     # Max logins for each user
-    if ! grep -q '* hard maxlogins' /etc/security/limits.conf; then
+    if ! grep -q '\* hard maxlogins' /etc/security/limits.conf; then
         echo '* hard maxlogins 2' >> /etc/security/limits.conf
     else
-        if ! grep -q '* hard maxlogins 2' /etc/security/limits.conf; then
+        if ! grep -q '\* hard maxlogins 2' /etc/security/limits.conf; then
             sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
         fi
     fi
@@ -532,7 +533,7 @@ function set_sticky_bits {
     world_writable=$(find / -xdev -type d -perm -002 \! -perm -1000)
     for w in $world_writable; do
         echo "Setting sticky bit on $w"
-        chmod +t $w
+        chmod +t "$w"
     done
 }
 
@@ -655,10 +656,10 @@ function lockdown_permissions {
 }
 
 function disable_core_dumps {
-    if ! grep -q '* hard core' /etc/security/limits.conf; then
+    if ! grep -q '\* hard core' /etc/security/limits.conf; then
         echo '* hard core 0' >> /etc/security/limits.conf
     else
-        if ! grep -q '* hard core 0' /etc/security/limits.conf; then
+        if ! grep -q '\* hard core 0' /etc/security/limits.conf; then
             sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
         fi
     fi
@@ -1097,24 +1098,23 @@ function upgrade_apps {
     create_completion_file
 
     APPS_COMPLETED=()
-    FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
+    FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
 
     # for all the app scripts
     for filename in $FILES
     do
         app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
 
-        item_in_array "${app_name}" "${APPS_COMPLETED[@]}"
-        if [[ $? != 0 ]]; then
+        if ! item_in_array "${app_name}" "${APPS_COMPLETED[@]}"; then
             function_check app_is_installed
-            if [[ "$(app_is_installed $app_name)" == "1" ]]; then
+            if [[ "$(app_is_installed "$app_name")" == "1" ]]; then
                 echo ''
                 echo ''
                 echo $"Upgrading $app_name"
-                app_load_variables ${app_name}
+                app_load_variables "${app_name}"
                 APPS_COMPLETED+=("${app_name}")
-                function_check upgrade_${app_name}
-                upgrade_${app_name}
+                function_check "upgrade_${app_name}"
+                "upgrade_${app_name}"
             fi
         fi
     done
@@ -1145,7 +1145,7 @@ function setup_apps {
     if [[ $is_interactive == "noninteractive" || $is_interactive == "headless" ]]; then
         function_check install_apps
         install_apps
-        if [ ! $APP_INSTALLED_SUCCESS ]; then
+        if [ ! "$APP_INSTALLED_SUCCESS" ]; then
             echo $'One or more apps failed to install'
         fi
     fi
@@ -1155,28 +1155,28 @@ function combine_all_scripts {
     combined_filename=$1
 
     # initial variables
-    cp $PROJECT_INSTALL_DIR/${PROJECT_NAME}-vars $combined_filename
+    cp "$PROJECT_INSTALL_DIR/${PROJECT_NAME}-vars" "$combined_filename"
 
     # utilities
-    UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
+    UTILS_FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*"
     for f in $UTILS_FILES
     do
         # this removes the first line, which is #!/bin/bash
-        tail -n +2 "$f" >> $combined_filename
+        tail -n +2 "$f" >> "$combined_filename"
     done
 
     # base system
-    BASE_SYSTEM_FILES=/usr/share/${PROJECT_NAME}/base/${PROJECT_NAME}-base-*
+    BASE_SYSTEM_FILES="/usr/share/${PROJECT_NAME}/base/${PROJECT_NAME}-base-*"
     for f in $BASE_SYSTEM_FILES
     do
-        tail -n +2 "$f" >> $combined_filename
+        tail -n +2 "$f" >> "$combined_filename"
     done
 
     # apps
-    APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
+    APP_FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
     for f in $APP_FILES
     do
-        tail -n +2 "$f" >> $combined_filename
+        tail -n +2 "$f" >> "$combined_filename"
     done
 }
 
@@ -1185,8 +1185,8 @@ function check_ram_availability {
     minimum_ram_bytes=$((minimum_ram_MB * 1024))
 
     ram_available=$(grep MemTotal /proc/meminfo | awk '{print $2}')
-    if [ $ram_available -lt $minimum_ram_bytes ]; then
-        echo $"Need at least ${minimum_ram_gb}MB RAM to install this app"
+    if [ "$ram_available" -lt "$minimum_ram_bytes" ]; then
+        echo $"Need at least ${minimum_ram_MB}MB RAM to install this app"
         exit 783524
     fi
 }
diff --git a/src/freedombone-utils-tracker b/src/freedombone-utils-tracker
index 15fcf758..449948b4 100755
--- a/src/freedombone-utils-tracker
+++ b/src/freedombone-utils-tracker
@@ -31,28 +31,29 @@
 TRACKER_PORT=6969
 
 function mesh_install_tracker {
+    # shellcheck disable=SC2154
     chroot "$rootdir" apt-get -yq install bittornado nginx
 
     TRACKER_DAEMON=$rootdir/etc/systemd/system/tracker.service
-    echo '[Unit]' > $TRACKER_DAEMON
-    echo 'Description=Torrent Tracker' >> $TRACKER_DAEMON
-    echo 'After=syslog.target' >> $TRACKER_DAEMON
-    echo 'After=network.target' >> $TRACKER_DAEMON
-    echo '[Service]' >> $TRACKER_DAEMON
-    echo 'Type=simple' >> $TRACKER_DAEMON
-    echo 'User=tracker' >> $TRACKER_DAEMON
-    echo 'Group=tracker' >> $TRACKER_DAEMON
-    echo "WorkingDirectory=/var/lib/tracker" >> $TRACKER_DAEMON
-    echo "ExecStart=/usr/bin/bttrack --port $TRACKER_PORT --dfile /var/lib/tracker/dstate --logfile /var/lib/tracker/tracker.log --nat_check 0 --scrape_allowed full --ipv6_enabled 0" >> $TRACKER_DAEMON
-    echo '' >> $TRACKER_DAEMON
-    echo 'TimeoutSec=300' >> $TRACKER_DAEMON
-    echo '' >> $TRACKER_DAEMON
-    echo '[Install]' >> $TRACKER_DAEMON
-    echo 'WantedBy=multi-user.target' >> $TRACKER_DAEMON
+    { echo '[Unit]'
+      echo 'Description=Torrent Tracker';
+      echo 'After=syslog.target';
+      echo 'After=network.target';
+      echo '[Service]';
+      echo 'Type=simple';
+      echo 'User=tracker';
+      echo 'Group=tracker';
+      echo "WorkingDirectory=/var/lib/tracker";
+      echo "ExecStart=/usr/bin/bttrack --port $TRACKER_PORT --dfile /var/lib/tracker/dstate --logfile /var/lib/tracker/tracker.log --nat_check 0 --scrape_allowed full --ipv6_enabled 0";
+      echo '';
+      echo 'TimeoutSec=300';
+      echo '';
+      echo '[Install]';
+      echo 'WantedBy=multi-user.target'; } > "$TRACKER_DAEMON"
 
     chroot "$rootdir" useradd -d /var/lib/tracker/ -s /bin/false tracker
-    if [ ! -d $rootdir/var/lib/tracker ]; then
-        mkdir $rootdir/var/lib/tracker
+    if [ ! -d "$rootdir/var/lib/tracker" ]; then
+        mkdir "$rootdir/var/lib/tracker"
     fi
     chroot "$rootdir" chown -R tracker:tracker /var/lib/tracker
 
@@ -60,7 +61,7 @@ function mesh_install_tracker {
 }
 
 function install_tracker {
-    if [ $INSTALLING_MESH ]; then
+    if [ "$INSTALLING_MESH" ]; then
         mesh_install_tracker
         return
     fi
@@ -72,21 +73,21 @@ function install_tracker {
     apt-get -yq install bittornado nginx
 
     TRACKER_DAEMON=/etc/systemd/system/tracker.service
-    echo '[Unit]' > $TRACKER_DAEMON
-    echo 'Description=Torrent Tracker' >> $TRACKER_DAEMON
-    echo 'After=syslog.target' >> $TRACKER_DAEMON
-    echo 'After=network.target' >> $TRACKER_DAEMON
-    echo '[Service]' >> $TRACKER_DAEMON
-    echo 'Type=simple' >> $TRACKER_DAEMON
-    echo 'User=tracker' >> $TRACKER_DAEMON
-    echo 'Group=tracker' >> $TRACKER_DAEMON
-    echo "WorkingDirectory=/var/lib/tracker" >> $TRACKER_DAEMON
-    echo "ExecStart=/usr/bin/bttrack --port $TRACKER_PORT --dfile /var/lib/tracker/dstate --logfile /var/lib/tracker/tracker.log --nat_check 0 --scrape_allowed full --ipv6_enabled 0" >> $TRACKER_DAEMON
-    echo '' >> $TRACKER_DAEMON
-    echo 'TimeoutSec=300' >> $TRACKER_DAEMON
-    echo '' >> $TRACKER_DAEMON
-    echo '[Install]' >> $TRACKER_DAEMON
-    echo 'WantedBy=multi-user.target' >> $TRACKER_DAEMON
+    { echo '[Unit]';
+      echo 'Description=Torrent Tracker';
+      echo 'After=syslog.target';
+      echo 'After=network.target';
+      echo '[Service]';
+      echo 'Type=simple';
+      echo 'User=tracker';
+      echo 'Group=tracker';
+      echo "WorkingDirectory=/var/lib/tracker";
+      echo "ExecStart=/usr/bin/bttrack --port $TRACKER_PORT --dfile /var/lib/tracker/dstate --logfile /var/lib/tracker/tracker.log --nat_check 0 --scrape_allowed full --ipv6_enabled 0";
+      echo '';
+      echo 'TimeoutSec=300';
+      echo '';
+      echo '[Install]';
+      echo 'WantedBy=multi-user.target'; } > "$TRACKER_DAEMON"
 
     useradd -d /var/lib/tracker/ -s /bin/false tracker
     if [ ! -d /var/lib/tracker ]; then
diff --git a/src/freedombone-utils-turn b/src/freedombone-utils-turn
index 74de0dd1..d85b79f7 100755
--- a/src/freedombone-utils-turn
+++ b/src/freedombone-utils-turn
@@ -36,10 +36,10 @@ function generate_turn_key {
     local turnkey="${1}"
     local filepath="${2}"
 
-    echo "lt-cred-mech" > "${filepath}"
-    echo "use-auth-secret" >> "${filepath}"
-    echo "static-auth-secret=${turnkey}" >> "${filepath}"
-    echo "realm=turn.${DEFAULT_DOMAIN_NAME}" >> "${filepath}"
+    { echo "lt-cred-mech";
+      echo "use-auth-secret";
+      echo "static-auth-secret=${turnkey}";
+      echo "realm=turn.${DEFAULT_DOMAIN_NAME}"; } > "${filepath}"
     if [[ $ONION_ONLY == 'no' ]]; then
         echo "cert=$MATRIX_DATA_DIR/${DEFAULT_DOMAIN_NAME}.tls.crt" >> "${filepath}"
         echo "pkey=$MATRIX_DATA_DIR/${DEFAULT_DOMAIN_NAME}.tls.key" >> "${filepath}"
@@ -58,7 +58,7 @@ function remove_turn {
 
     apt-get -y remove coturn
     rm -rf /var/lib/turn
-    sed -i "/# TURN Server/,/# End of TURN Server/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
+    sed -i "/# TURN Server/,/# End of TURN Server/d" "/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}"
     remove_onion_service turn ${TURN_ONION_PORT}
     rm /etc/avahi/services/turn.service
     systemctl restart nginx
@@ -69,62 +69,62 @@ function install_turn {
 
     # append the matrix server to the web site config
     turn_nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
-    if ! grep -q '# End of TURN Server' $turn_nginx_site; then
-        if [[ $ONION_ONLY == "no" ]]; then
-            echo '# TURN Server' >> $turn_nginx_site
-            echo 'server {' >> $turn_nginx_site
-            echo "  listen ${TURN_HTTP_PORT} ssl;" >> $turn_nginx_site
-            echo "  listen [::]:${TURN_HTTP_PORT} ssl;" >> $turn_nginx_site
-            echo "  server_name ${DEFAULT_DOMAIN_NAME};" >> $turn_nginx_site
-            echo '' >> $turn_nginx_site
-            echo '  # Security' >> $turn_nginx_site
+    if ! grep -q '# End of TURN Server' "$turn_nginx_site"; then
+        if [[ "$ONION_ONLY" == "no" ]]; then
+            { echo '# TURN Server';
+              echo 'server {';
+              echo "  listen ${TURN_HTTP_PORT} ssl;";
+              echo "  listen [::]:${TURN_HTTP_PORT} ssl;";
+              echo "  server_name ${DEFAULT_DOMAIN_NAME};";
+              echo '';
+              echo '  # Security'; } >> "$turn_nginx_site"
             function_check nginx_ssl
-            nginx_ssl ${DEFAULT_DOMAIN_NAME}
+            nginx_ssl "${DEFAULT_DOMAIN_NAME}"
 
             function_check nginx_disable_sniffing
-            nginx_disable_sniffing ${DEFAULT_DOMAIN_NAME}
+            nginx_disable_sniffing "${DEFAULT_DOMAIN_NAME}"
 
-            echo '  add_header Strict-Transport-Security max-age=15768000;' >> $turn_nginx_site
-            echo '' >> $turn_nginx_site
-            echo '  # Logs' >> $turn_nginx_site
-            echo '  access_log /dev/null;' >> $turn_nginx_site
-            echo '  error_log /dev/null;' >> $turn_nginx_site
-            echo '' >> $turn_nginx_site
-            echo '  # Index' >> $turn_nginx_site
-            echo '  index index.html;' >> $turn_nginx_site
-            echo '' >> $turn_nginx_site
-            echo '  # Location' >> $turn_nginx_site
-            echo '  location / {' >> $turn_nginx_site
+            { echo '  add_header Strict-Transport-Security max-age=15768000;';
+              echo '';
+              echo '  # Logs';
+              echo '  access_log /dev/null;';
+              echo '  error_log /dev/null;';
+              echo '';
+              echo '  # Index';
+              echo '  index index.html;';
+              echo '';
+              echo '  # Location';
+              echo '  location / {'; } >> "$turn_nginx_site"
             function_check nginx_limits
-            nginx_limits ${DEFAULT_DOMAIN_NAME} '15m'
-            echo "      proxy_pass http://localhost:${TURN_PORT};" >> $turn_nginx_site
-            echo '      proxy_set_header X-Forwarded-For $remote_addr;' >> $turn_nginx_site
-            echo '  }' >> $turn_nginx_site
-            echo '}' >> $turn_nginx_site
-            echo '' >> $turn_nginx_site
+            nginx_limits "${DEFAULT_DOMAIN_NAME}" '15m'
+            { echo "      proxy_pass http://localhost:${TURN_PORT};";
+              echo "      proxy_set_header X-Forwarded-For \$remote_addr;";
+              echo '  }';
+              echo '}';
+              echo ''; } >> "$turn_nginx_site"
         else
-            echo '# TURN Server' >> $turn_nginx_site
+            echo '# TURN Server' >> "$turn_nginx_site"
         fi
-        echo 'server {' >> $turn_nginx_site
-        echo "    listen 127.0.0.1:$TURN_ONION_PORT default_server;" >> $turn_nginx_site
-        echo "    server_name $DEFAULT_DOMAIN_NAME;" >> $turn_nginx_site
-        echo '' >> $turn_nginx_site
+        { echo 'server {';
+          echo "    listen 127.0.0.1:$TURN_ONION_PORT default_server;";
+          echo "    server_name $DEFAULT_DOMAIN_NAME;";
+          echo ''; } >> "$turn_nginx_site"
         function_check nginx_disable_sniffing
-        nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
-        echo '' >> $turn_nginx_site
-        echo '  # Logs' >> $turn_nginx_site
-        echo '  access_log /dev/null;' >> $turn_nginx_site
-        echo '  error_log /dev/null;' >> $turn_nginx_site
-        echo '' >> $turn_nginx_site
-        echo '  # Location' >> $turn_nginx_site
-        echo '  location / {' >> $turn_nginx_site
+        nginx_disable_sniffing "$DEFAULT_DOMAIN_NAME"
+        { echo '';
+          echo '  # Logs';
+          echo '  access_log /dev/null;';
+          echo '  error_log /dev/null;';
+          echo '';
+          echo '  # Location';
+          echo '  location / {'; } >> "$turn_nginx_site"
         function_check nginx_limits
-        nginx_limits $DEFAULT_DOMAIN_NAME '15m'
-        echo "      proxy_pass http://localhost:${TURN_PORT};" >> $turn_nginx_site
-        echo '      proxy_set_header X-Forwarded-For $remote_addr;' >> $turn_nginx_site
-        echo '  }' >> $turn_nginx_site
-        echo '}' >> $turn_nginx_site
-        echo '# End of TURN Server' >> $turn_nginx_site
+        nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'
+        { echo "      proxy_pass http://localhost:${TURN_PORT};";
+          echo "      proxy_set_header X-Forwarded-For \$remote_addr;";
+          echo '  }';
+          echo '}';
+          echo '# End of TURN Server'; } >> "$turn_nginx_site"
     fi
 
     export DEBIAN_FRONTEND=noninteractive
@@ -151,26 +151,26 @@ function install_turn {
     fi
 
     turnkey="$(create_password 30)"
-    generate_turn_key $turnkey /var/lib/turn/turnserver.conf
+    generate_turn_key "$turnkey" /var/lib/turn/turnserver.conf
 
     chmod -R 700 /var/lib/turn/turnserver.conf
     chown -R matrix:matrix /var/lib/turn
 
-    echo '[Unit]' > /etc/systemd/system/turn.service
-    echo 'Description=TURN server' >> /etc/systemd/system/turn.service
-    echo 'After=network.target nginx.target' >> /etc/systemd/system/turn.service
-    echo '' >> /etc/systemd/system/turn.service
-    echo '[Service]' >> /etc/systemd/system/turn.service
-    echo 'Type=simple' >> /etc/systemd/system/turn.service
-    echo 'User=matrix' >> /etc/systemd/system/turn.service
-    echo "WorkingDirectory=/var/lib/turn" >> /etc/systemd/system/turn.service
-    echo "ExecStart=/usr/bin/turnserver -c /var/lib/turn/turnserver.conf --pidfile /var/lib/matrix/homeserver.pid" >> /etc/systemd/system/turn.service
-    echo "Environment=REPORT_STATS=\"no\"" >> /etc/systemd/system/turn.service
-    echo 'Restart=always' >> /etc/systemd/system/turn.service
-    echo 'RestartSec=10' >> /etc/systemd/system/turn.service
-    echo '' >> /etc/systemd/system/turn.service
-    echo '[Install]' >> /etc/systemd/system/turn.service
-    echo 'WantedBy=multi-user.target' >> /etc/systemd/system/turn.service
+    { echo '[Unit]';
+      echo 'Description=TURN server';
+      echo 'After=network.target nginx.target';
+      echo '';
+      echo '[Service]';
+      echo 'Type=simple';
+      echo 'User=matrix';
+      echo "WorkingDirectory=/var/lib/turn";
+      echo "ExecStart=/usr/bin/turnserver -c /var/lib/turn/turnserver.conf --pidfile /var/lib/matrix/homeserver.pid";
+      echo "Environment=REPORT_STATS=\"no\"";
+      echo 'Restart=always';
+      echo 'RestartSec=10';
+      echo '';
+      echo '[Install]';
+      echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/turn.service
     systemctl enable turn
     systemctl daemon-reload
     systemctl start turn
@@ -178,21 +178,22 @@ function install_turn {
     firewall_add turn ${TURN_PORT}
     firewall_add turn-http ${TURN_HTTP_PORT}
 
-    TURN_ONION_HOSTNAME=$(add_onion_service turn ${TURN_PORT} ${TURN_ONION_PORT})
+    #TURN_ONION_HOSTNAME=$(add_onion_service turn ${TURN_PORT} ${TURN_ONION_PORT})
+    add_onion_service turn ${TURN_PORT} ${TURN_ONION_PORT}
 
-    echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->' > /etc/avahi/services/turn.service
-    echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">' >> /etc/avahi/services/turn.service
-    echo '<service-group>' >> /etc/avahi/services/turn.service
-    echo '  <name replace-wildcards="yes">%h TURN</name>' >> /etc/avahi/services/turn.service
-    echo '  <service>' >> /etc/avahi/services/turn.service
-    echo '    <type>_turn._tcp</type>' >> /etc/avahi/services/turn.service
-    echo "    <port>$TURN_PORT</port>" >> /etc/avahi/services/turn.service
-    echo '  </service>' >> /etc/avahi/services/turn.service
-    echo '  <service>' >> /etc/avahi/services/turn.service
-    echo '    <type>_turn._udp</type>' >> /etc/avahi/services/turn.service
-    echo "    <port>$TURN_PORT</port>" >> /etc/avahi/services/turn.service
-    echo '  </service>' >> /etc/avahi/services/turn.service
-    echo '</service-group>' >> /etc/avahi/services/turn.service
+    { echo '<?xml version="1.0" standalone="no"?><!--*-nxml-*-->';
+      echo '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">';
+      echo '<service-group>';
+      echo '  <name replace-wildcards="yes">%h TURN</name>';
+      echo '  <service>';
+      echo '    <type>_turn._tcp</type>';
+      echo "    <port>$TURN_PORT</port>";
+      echo '  </service>';
+      echo '  <service>';
+      echo '    <type>_turn._udp</type>';
+      echo "    <port>$TURN_PORT</port>";
+      echo '  </service>';
+      echo '</service-group>'; } > /etc/avahi/services/turn.service
 
     systemctl restart avahi-daemon
     systemctl restart nginx
diff --git a/src/freedombone-utils-upgrade b/src/freedombone-utils-upgrade
index e8e5eb4e..114815a6 100755
--- a/src/freedombone-utils-upgrade
+++ b/src/freedombone-utils-upgrade
@@ -32,14 +32,14 @@
 UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade"
 
 function create_upgrade_script {
-    upgrade_command_file=$(which ${PROJECT_NAME}-upgrade)
-    if [ ! -f /etc/cron.weekly/$UPGRADE_SCRIPT_NAME ]; then
-        cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
+    upgrade_command_file=$(which "${PROJECT_NAME}-upgrade")
+    if [ ! -f "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" ]; then
+        cp "$upgrade_command_file" "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME"
     else
-        HASH1=$(sha256sum $upgrade_command_file | awk -F ' ' '{print $1}')
-        HASH2=$(sha256sum /etc/cron.weekly/$UPGRADE_SCRIPT_NAME | awk -F ' ' '{print $1}')
+        HASH1=$(sha256sum "$upgrade_command_file" | awk -F ' ' '{print $1}')
+        HASH2=$(sha256sum "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME" | awk -F ' ' '{print $1}')
         if [[ "$HASH1" != "$HASH2" ]]; then
-            cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
+            cp "$upgrade_command_file" "/etc/cron.weekly/$UPGRADE_SCRIPT_NAME"
         fi
     fi
 
@@ -53,7 +53,7 @@ function create_upgrade_script {
 }
 
 function upgrade_installation_from_previous_versions {
-    if [ ! -f $COMPLETION_FILE ]; then
+    if [ ! -f "$COMPLETION_FILE" ]; then
         return
     fi
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
@@ -61,27 +61,27 @@ function upgrade_installation_from_previous_versions {
     fi
 
     # upgrade from previous versions
-    sed -i 's|configure_email|install_email|g' $COMPLETION_FILE
-    sed -i 's|install_dlna_server|install_dlna|g' $COMPLETION_FILE
-    sed -i 's|install_gnu_social_theme|install_gnusocial_theme|g' $COMPLETION_FILE
-    sed -i 's|install_gnu_social|install_gnusocial|g' $COMPLETION_FILE
-    sed -i 's|install_irc_server|install_irc|g' $COMPLETION_FILE
-    sed -i 's|voip_turn|turn|g' $COMPLETION_FILE
-    sed -i 's|install_voip|install_mumble|g' $COMPLETION_FILE
-    sed -i 's|install_rss_reader|install_rss|g' $COMPLETION_FILE
-    sed -i 's|install_tox_node|install_tox|g' $COMPLETION_FILE
-    sed -i 's|intrusion_detection|install_tripwire|g' $COMPLETION_FILE
+    sed -i 's|configure_email|install_email|g' "$COMPLETION_FILE"
+    sed -i 's|install_dlna_server|install_dlna|g' "$COMPLETION_FILE"
+    sed -i 's|install_gnu_social_theme|install_gnusocial_theme|g' "$COMPLETION_FILE"
+    sed -i 's|install_gnu_social|install_gnusocial|g' "$COMPLETION_FILE"
+    sed -i 's|install_irc_server|install_irc|g' "$COMPLETION_FILE"
+    sed -i 's|voip_turn|turn|g' "$COMPLETION_FILE"
+    sed -i 's|install_voip|install_mumble|g' "$COMPLETION_FILE"
+    sed -i 's|install_rss_reader|install_rss|g' "$COMPLETION_FILE"
+    sed -i 's|install_tox_node|install_tox|g' "$COMPLETION_FILE"
+    sed -i 's|intrusion_detection|install_tripwire|g' "$COMPLETION_FILE"
 
-    sed -i 's|GNU Social|gnusocial|g' $COMPLETION_FILE
-    sed -i 's|XMPP|xmpp|g' $COMPLETION_FILE
-    sed -i 's|voip|mumble|g' $COMPLETION_FILE
-    sed -i 's|VoIP|mumble|g' $COMPLETION_FILE
-    sed -i 's|Blog|htmly|g' $COMPLETION_FILE
-    sed -i 's|Hubzilla|hubzilla|g' $COMPLETION_FILE
-    sed -i 's|Gogs|gogs|g' $COMPLETION_FILE
-    sed -i 's|Wiki|dokuwiki|g' $COMPLETION_FILE
-    sed -i 's|RSS|rss|g' $COMPLETION_FILE
-    sed -i 's|Zeronet|zeronet|g' $COMPLETION_FILE
+    sed -i 's|GNU Social|gnusocial|g' "$COMPLETION_FILE"
+    sed -i 's|XMPP|xmpp|g' "$COMPLETION_FILE"
+    sed -i 's|voip|mumble|g' "$COMPLETION_FILE"
+    sed -i 's|VoIP|mumble|g' "$COMPLETION_FILE"
+    sed -i 's|Blog|htmly|g' "$COMPLETION_FILE"
+    sed -i 's|Hubzilla|hubzilla|g' "$COMPLETION_FILE"
+    sed -i 's|Gogs|gogs|g' "$COMPLETION_FILE"
+    sed -i 's|Wiki|dokuwiki|g' "$COMPLETION_FILE"
+    sed -i 's|RSS|rss|g' "$COMPLETION_FILE"
+    sed -i 's|Zeronet|zeronet|g' "$COMPLETION_FILE"
 
     if [ -f /usr/local/bin/zeronetavahi ]; then
         rm /usr/local/bin/zeronetavahi
diff --git a/src/freedombone-utils-watchdog b/src/freedombone-utils-watchdog
index 8b05cf35..f0965639 100755
--- a/src/freedombone-utils-watchdog
+++ b/src/freedombone-utils-watchdog
@@ -37,9 +37,9 @@ function install_watchdog_script {
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
         return
     fi
-    echo '#!/bin/bash' > /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo 'LOGFILE=/var/log/keepon.log' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo 'CURRENT_DATE=$(date)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+    { echo '#!/bin/bash';
+      echo 'LOGFILE=/var/log/keepon.log';
+      echo "CURRENT_DATE=\$(date)"; } > "/usr/bin/$WATCHDOG_SCRIPT_NAME"
     # application specific stuff is added later
     chmod +x /usr/bin/$WATCHDOG_SCRIPT_NAME
 
@@ -50,28 +50,28 @@ function install_watchdog_script {
 }
 
 function daemon_is_running {
-    daemon_name=$1
-    systemctl is-active ${daemon_name} >/dev/null 2>&1 && echo Running
+    daemon_name="$1"
+    systemctl is-active "${daemon_name}" >/dev/null 2>&1 && echo Running
 }
 
 function add_watchdog_daemon {
-    daemon_name=$1
+    daemon_name="$1"
 
-    echo '' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo "# keep ${daemon_name} daemon running" >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo "RUNNING=\$(systemctl is-active ${daemon_name} >/dev/null 2>&1 && echo Running)" >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo 'if [ ! $RUNNING ]; then' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo "  systemctl start ${daemon_name}" >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo '  echo -n $CURRENT_DATE >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo "  echo \"${daemon_name} daemon restarted\" >> \$LOGFILE" >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo 'fi' >> /usr/bin/$WATCHDOG_SCRIPT_NAME
-    echo "# End of ${daemon_name}" >> /usr/bin/$WATCHDOG_SCRIPT_NAME
+    { echo '';
+      echo "# keep ${daemon_name} daemon running";
+      echo "RUNNING=\$(systemctl is-active ${daemon_name} >/dev/null 2>&1 && echo Running)";
+      echo "if [ ! \$RUNNING ]; then";
+      echo "  systemctl start ${daemon_name}";
+      echo "  echo -n \$CURRENT_DATE >> \$LOGFILE";
+      echo "  echo \"${daemon_name} daemon restarted\" >> \$LOGFILE";
+      echo 'fi';
+      echo "# End of ${daemon_name}"; } >> "/usr/bin/$WATCHDOG_SCRIPT_NAME"
 }
 
 function remove_watchdog_daemon {
-    daemon_name=$1
+    daemon_name="$1"
 
-    sed -i "/# keep ${daemon_name} daemon running/,/# End of ${daemon_name}/d" /usr/bin/$WATCHDOG_SCRIPT_NAME
+    sed -i "/# keep ${daemon_name} daemon running/,/# End of ${daemon_name}/d" "/usr/bin/$WATCHDOG_SCRIPT_NAME"
 }
 
 # NOTE: deliberately no exit 0
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index 3cb0d34d..04925d12 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -63,10 +63,10 @@ function validate_domain_name {
     # count the number of dots in the domain name
     dots=${TEST_DOMAIN_NAME//[^.]}
     no_of_dots=${#dots}
-    if (( $no_of_dots > 3 )); then
+    if (( no_of_dots > 3 )); then
         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"
     fi
-    if (( $no_of_dots == 0 )); then
+    if (( no_of_dots == 0 )); then
         TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"
     fi
 }
@@ -74,64 +74,64 @@ function validate_domain_name {
 function nginx_disable_sniffing {
     domain_name=$1
     filename=/etc/nginx/sites-available/$domain_name
-    echo '    add_header X-Frame-Options DENY;' >> $filename
-    echo '    add_header X-Content-Type-Options nosniff;' >> $filename
-    echo '' >> $filename
+    { echo '    add_header X-Frame-Options DENY;';
+      echo '    add_header X-Content-Type-Options nosniff;';
+      echo ''; } >> "$filename"
 }
 
 function nginx_limits {
     domain_name=$1
     max_body='20m'
-    if [ $2 ]; then
+    if [ "$2" ]; then
         max_body=$2
     fi
     filename=/etc/nginx/sites-available/$domain_name
-    echo "    client_max_body_size ${max_body};" >> $filename
-    echo '    client_body_buffer_size 128k;' >> $filename
-    echo '' >> $filename
-    echo '    limit_conn conn_limit_per_ip 10;' >> $filename
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename
-    echo '' >> $filename
+    { echo "    client_max_body_size ${max_body};";
+      echo '    client_body_buffer_size 128k;';
+      echo '';
+      echo '    limit_conn conn_limit_per_ip 10;';
+      echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;';
+      echo ''; } >> "$filename"
 }
 
 function nginx_stapling {
-    domain_name=$1
+    domain_name="$1"
     filename=/etc/nginx/sites-available/$domain_name
-    echo "    ssl_stapling on;" >> $filename
-    echo '    ssl_stapling_verify on;' >> $filename
-    echo '    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;' >> $filename
-    echo '' >> $filename
+    { echo "    ssl_stapling on;";
+      echo '    ssl_stapling_verify on;';
+      echo "    ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;";
+      echo ''; } >> "$filename"
 }
 
 function nginx_http_redirect {
     # redirect port 80 to https
     domain_name=$1
     filename=/etc/nginx/sites-available/$domain_name
-    echo 'server {' > $filename
-    echo '    listen 80;' >> $filename
-    echo '    listen [::]:80;' >> $filename
-    echo "    server_name ${domain_name};" >> $filename
-    echo "    root /var/www/${domain_name}/htdocs;" >> $filename
-    echo '    access_log /dev/null;' >> $filename
-    echo "    error_log /dev/null;" >> $filename
+    { echo 'server {';
+      echo '    listen 80;';
+      echo '    listen [::]:80;';
+      echo "    server_name ${domain_name};";
+      echo "    root /var/www/${domain_name}/htdocs;";
+      echo '    access_log /dev/null;';
+      echo "    error_log /dev/null;"; } > "$filename"
     function_check nginx_limits
-    nginx_limits $domain_name
+    nginx_limits "$domain_name"
     if [ ${#2} -gt 0 ]; then
-        echo "    $2;" >> $filename
+        echo "    $2;" >> "$filename"
     fi
-    echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> $filename
-    echo '}' >> $filename
-    echo '' >> $filename
+    { echo "    rewrite ^ https://\$server_name\$request_uri? permanent;";
+      echo '}';
+      echo ''; } >> "$filename"
 }
 
 function nginx_compress {
     domain_name=$1
     filename=/etc/nginx/sites-available/$domain_name
 
-    echo '    gzip            on;' >> $filename
-    echo '    gzip_min_length 1000;' >> $filename
-    echo '    gzip_proxied    expired no-cache no-store private auth;' >> $filename
-    echo '    gzip_types      text/plain application/xml;' >> $filename
+    { echo '    gzip            on;';
+      echo '    gzip_min_length 1000;';
+      echo '    gzip_proxied    expired no-cache no-store private auth;';
+      echo '    gzip_types      text/plain application/xml;'; } >> "$filename"
 }
 
 function nginx_ssl {
@@ -140,40 +140,40 @@ function nginx_ssl {
     mobile_ciphers=$2
     filename=/etc/nginx/sites-available/$domain_name
 
-    echo '    ssl_stapling off;' >> $filename
-    echo '    ssl_stapling_verify off;' >> $filename
-    echo '    ssl on;' >> $filename
-    echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;" >> $filename
-    echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;" >> $filename
-    echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
-    echo '' >> $filename
-    echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> $filename
-    echo '    ssl_session_timeout 60m;' >> $filename
-    echo '    ssl_prefer_server_ciphers on;' >> $filename
-    echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename
-    if [ $mobile_ciphers ]; then
-        echo "    # Mobile compatible ciphers" >> $filename
-        echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> $filename
+    { echo '    ssl_stapling off;';
+      echo '    ssl_stapling_verify off;';
+      echo '    ssl on;';
+      echo "    ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;";
+      echo "    ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;";
+      echo "    ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;";
+      echo '';
+      echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;';
+      echo '    ssl_session_timeout 60m;';
+      echo '    ssl_prefer_server_ciphers on;';
+      echo "    ssl_protocols $SSL_PROTOCOLS;"; } >> "$filename"
+    if [ "$mobile_ciphers" ]; then
+        echo "    # Mobile compatible ciphers" >> "$filename"
+        echo "    ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> "$filename"
     else
-        echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> "$filename"
     fi
-    echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
-    echo '    add_header X-XSS-Protection "1; mode=block";' >> $filename
-    echo '    add_header X-Robots-Tag none;' >> $filename
-    echo '    add_header X-Download-Options noopen;' >> $filename
-    echo '    add_header X-Permitted-Cross-Domain-Policies none;' >> $filename
+    { echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
+      echo '    add_header X-XSS-Protection "1; mode=block";';
+      echo '    add_header X-Robots-Tag none;';
+      echo '    add_header X-Download-Options noopen;';
+      echo '    add_header X-Permitted-Cross-Domain-Policies none;'; } >> "$filename"
 
     #nginx_stapling $1
 }
 
 # check an individual domain name
 function test_domain_name {
-    if [ $1 ]; then
+    if [ "$1" ]; then
         TEST_DOMAIN_NAME=$1
         if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then
             function_check validate_domain_name
             validate_domain_name
-            if [[ $TEST_DOMAIN_NAME != $1 ]]; then
+            if [[ "$TEST_DOMAIN_NAME" != "$1" ]]; then
                 echo $"Invalid domain name $TEST_DOMAIN_NAME"
                 exit 8528
             fi
@@ -183,40 +183,40 @@ function test_domain_name {
 
 # Checks whether certificates were generated for the given hostname
 function check_certificates {
-    if [ ! $1 ]; then
+    if [ ! "$1" ]; then
         return
     fi
     USE_LETSENCRYPT='no'
-    if [ $2 ]; then
-        USE_LETSENCRYPT=$2
+    if [ "$2" ]; then
+        USE_LETSENCRYPT="$2"
     fi
     if [[ $USE_LETSENCRYPT == 'no' ]]; then
-        if [ ! -f /etc/ssl/private/${1}.key ]; then
+        if [ ! -f "/etc/ssl/private/${1}.key" ]; then
             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
             exit 63959
         fi
-        if [ ! -f /etc/ssl/certs/${1}.crt ]; then
+        if [ ! -f "/etc/ssl/certs/${1}.crt" ]; then
             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"
             exit 7679
         fi
 
-        if grep -q "${1}.pem" /etc/nginx/sites-available/${1}; then
-            sed -i "s|${1}.pem|${1}.crt|g" /etc/nginx/sites-available/${1}
+        if grep -q "${1}.pem" "/etc/nginx/sites-available/${1}"; then
+            sed -i "s|${1}.pem|${1}.crt|g" "/etc/nginx/sites-available/${1}"
         fi
     else
-        if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
+        if [ ! -f "/etc/letsencrypt/live/${1}/privkey.pem" ]; then
             echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
             exit 6282
         fi
-        if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
+        if [ ! -f "/etc/letsencrypt/live/${1}/fullchain.pem" ]; then
             echo $"Public certificate for ${CHECK_HOSTNAME} was not created"
             exit 5328
         fi
-        if grep -q "${1}.crt" /etc/nginx/sites-available/${1}; then
-            sed -i "s|${1}.crt|${1}.pem|g" /etc/nginx/sites-available/${1}
+        if grep -q "${1}.crt" "/etc/nginx/sites-available/${1}"; then
+            sed -i "s|${1}.crt|${1}.pem|g" "/etc/nginx/sites-available/${1}"
         fi
     fi
-    if [ ! -f /etc/ssl/certs/${1}.dhparam ]; then
+    if [ ! -f "/etc/ssl/certs/${1}.dhparam" ]; then
         echo $"Diffie–Hellman parameters for ${CHECK_HOSTNAME} were not created"
         exit 5989
     fi
@@ -224,13 +224,13 @@ function check_certificates {
 
 function cert_exists {
     cert_type='dhparam'
-    if [ $2 ]; then
+    if [ "$2" ]; then
         cert_type="$2"
     fi
-    if [ -f /etc/ssl/certs/${1}.${cert_type} ]; then
+    if [ -f "/etc/ssl/certs/${1}.${cert_type}" ]; then
         echo "1"
     else
-        if [ -f /etc/letsencrypt/live/${1}/fullchain.${cert_type} ]; then
+        if [ -f "/etc/letsencrypt/live/${1}/fullchain.${cert_type}" ]; then
             echo "1"
         else
             echo "0"
@@ -239,23 +239,22 @@ function cert_exists {
 }
 
 function create_self_signed_cert {
-    ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
+    "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"
     function_check check_certificates
-    check_certificates ${SITE_DOMAIN_NAME}
+    check_certificates "${SITE_DOMAIN_NAME}"
 }
 
 function create_letsencrypt_cert {
-    ${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}
-    if [ ! "$?" = "0" ]; then
+    if ! "${PROJECT_NAME}-addcert" -e "${SITE_DOMAIN_NAME}" -s "${LETSENCRYPT_SERVER}" --dhkey "${DH_KEYLENGTH}" --email "${MY_EMAIL_ADDRESS}"; then
         if [[ ${NO_SELF_SIGNED} == 'no' ]]; then
             echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
-            ${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
+            "${PROJECT_NAME}-addcert" -h "${SITE_DOMAIN_NAME}" --dhkey "${DH_KEYLENGTH}"
             function_check check_certificates
-            check_certificates ${SITE_DOMAIN_NAME}
+            check_certificates "${SITE_DOMAIN_NAME}"
         else
             echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
-            if [ -f /etc/nginx/sites-available/$SITE_DOMAIN_NAME ]; then
-                nginx_dissite $SITE_DOMAIN_NAME
+            if [ -f "/etc/nginx/sites-available/$SITE_DOMAIN_NAME" ]; then
+                nginx_dissite "$SITE_DOMAIN_NAME"
                 systemctl restart nginx
             fi
             exit 682529
@@ -264,7 +263,7 @@ function create_letsencrypt_cert {
     fi
 
     function_check check_certificates
-    check_certificates ${SITE_DOMAIN_NAME} 'yes'
+    check_certificates "${SITE_DOMAIN_NAME}" 'yes'
 }
 
 function create_site_certificate {
@@ -272,12 +271,12 @@ function create_site_certificate {
 
     # if yes then only "valid" certs are allowed, not self-signed
     NO_SELF_SIGNED='no'
-    if [ $2 ]; then
+    if [ "$2" ]; then
         NO_SELF_SIGNED="$2"
     fi
 
     if [[ $ONION_ONLY == "no" ]]; then
-        if [[ "$(cert_exists ${SITE_DOMAIN_NAME})" == "0" ]]; then
+        if [[ "$(cert_exists "${SITE_DOMAIN_NAME}")" == "0" ]]; then
             if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
                 create_self_signed_cert
             else
@@ -285,7 +284,7 @@ function create_site_certificate {
             fi
         else
             if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then
-                if [[ "$(cert_exists ${SITE_DOMAIN_NAME} pem)" == "0" ]]; then
+                if [[ "$(cert_exists "${SITE_DOMAIN_NAME}" pem)" == "0" ]]; then
                     create_letsencrypt_cert
                 fi
             fi
@@ -305,42 +304,42 @@ function letsencrypt_renewals {
     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
 
     # the main script tries to renew once per month
-    echo '#!/bin/bash' > $renewals_script
-    echo '' >> $renewals_script
-    echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script
-    echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script
-    echo '' >> $renewals_script
-    echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script
-    echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script
-    echo '        rm ~/letsencrypt_failed' >> $renewals_script
-    echo '    fi' >> $renewals_script
-    echo -n '    ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script
-    echo -n "awk -F ':' '{print " >> $renewals_script
-    echo -n '$2' >> $renewals_script
-    echo "}')" >> $renewals_script
-    echo '    ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script
-    echo '    for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script
-    echo -n '        LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script
-    echo -n "awk -F '/' '{print " >> $renewals_script
-    echo -n '$5' >> $renewals_script
-    echo "}')" >> $renewals_script
-    echo '        if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script
-    echo '            ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script
-    echo '            if [ ! "$?" = "0" ]; then' >> $renewals_script
-    echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script
-    echo '                echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script
-    echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script
-    echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script
-    echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script
-    echo '                rm ~/temp_renewletsencrypt.txt' >> $renewals_script
-    echo '                if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script
-    echo '                    touch ~/letsencrypt_failed' >> $renewals_script
-    echo '                fi' >> $renewals_script
-    echo '            fi' >> $renewals_script
-    echo '        fi' >> $renewals_script
-    echo '    done' >> $renewals_script
-    echo 'fi' >> $renewals_script
-    chmod +x $renewals_script
+    { echo '#!/bin/bash';
+      echo '';
+      echo "PROJECT_NAME='${PROJECT_NAME}'";
+      echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";
+      echo '';
+      echo 'if [ -d /etc/letsencrypt ]; then';
+      echo '    if [ -f ~/letsencrypt_failed ]; then';
+      echo '        rm ~/letsencrypt_failed';
+      echo '    fi';
+      echo -n "    ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";
+      echo -n "awk -F ':' '{print ";
+      echo -n "\$2";
+      echo "}')";
+      echo "    ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";
+      echo '    for d in /etc/letsencrypt/live/*/ ; do';
+      echo -n "        LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";
+      echo -n "awk -F '/' '{print ";
+      echo -n "\$5";
+      echo "}')";
+      echo "        if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";
+      echo "            \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";
+      echo '            if [ ! "$?" = "0" ]; then';
+      echo "                echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";
+      echo '                echo "" >> ~/temp_renewletsencrypt.txt';
+      echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";
+      echo -n "                cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";
+      echo "\$ADMIN_EMAIL_ADDRESS";
+      echo '                rm ~/temp_renewletsencrypt.txt';
+      echo '                if [ ! -f ~/letsencrypt_failed ]; then';
+      echo '                    touch ~/letsencrypt_failed';
+      echo '                fi';
+      echo '            fi';
+      echo '        fi';
+      echo '    done';
+      echo 'fi'; } > "$renewals_script"
+    chmod +x "$renewals_script"
 
     if [ ! -f /etc/cron.monthly/letsencrypt ]; then
         cp $renewals_script /etc/cron.monthly/letsencrypt
@@ -354,42 +353,42 @@ function letsencrypt_renewals {
     rm $renewals_script
 
     # a secondary script keeps trying to renew after a failure
-    echo '#!/bin/bash' > $renewals_retry_script
-    echo '' >> $renewals_retry_script
-    echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script
-    echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script
-    echo '' >> $renewals_retry_script
-    echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script
-    echo '    if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
-    echo '        rm ~/letsencrypt_failed' >> $renewals_retry_script
-    echo -n '        ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script
-    echo -n "awk -F ':' '{print " >> $renewals_retry_script
-    echo -n '$2' >> $renewals_retry_script
-    echo "}')" >> $renewals_retry_script
-    echo '        ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script
-    echo '        for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script
-    echo -n '            LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script
-    echo -n "awk -F '/' '{print " >> $renewals_retry_script
-    echo -n '$5' >> $renewals_retry_script
-    echo "}')" >> $renewals_retry_script
-    echo '            if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script
-    echo '                ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script
-    echo '                if [ ! "$?" = "0" ]; then' >> $renewals_retry_script
-    echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script
-    echo '                    echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
-    echo '                    ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
-    echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script
-    echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script
-    echo '                    rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
-    echo '                    if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
-    echo '                        touch ~/letsencrypt_failed' >> $renewals_retry_script
-    echo '                    fi' >> $renewals_retry_script
-    echo '                fi' >> $renewals_retry_script
-    echo '            fi' >> $renewals_retry_script
-    echo '        done' >> $renewals_retry_script
-    echo '    fi' >> $renewals_retry_script
-    echo 'fi' >> $renewals_retry_script
-    chmod +x $renewals_retry_script
+    { echo '#!/bin/bash';
+      echo '';
+      echo "PROJECT_NAME='${PROJECT_NAME}'";
+      echo "COMPLETION_FILE=\$HOME/\${PROJECT_NAME}-completed.txt";
+      echo '';
+      echo 'if [ -d /etc/letsencrypt ]; then';
+      echo '    if [ -f ~/letsencrypt_failed ]; then';
+      echo '        rm ~/letsencrypt_failed';
+      echo -n "        ADMIN_USERNAME=\$(cat \$COMPLETION_FILE | grep \"Admin user\" | ";
+      echo -n "awk -F ':' '{print ";
+      echo -n "\$2";
+      echo "}')";
+      echo "        ADMIN_EMAIL_ADDRESS=\$ADMIN_USERNAME@\$HOSTNAME";
+      echo '        for d in /etc/letsencrypt/live/*/ ; do';
+      echo -n "            LETSENCRYPT_DOMAIN=\$(echo \"\$d\" | ";
+      echo -n "awk -F '/' '{print ";
+      echo -n "\$5";
+      echo "}')";
+      echo "            if [ -f /etc/nginx/sites-available/\$LETSENCRYPT_DOMAIN ]; then";
+      echo "                \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt";
+      echo '                if [ ! "$?" = "0" ]; then';
+      echo "                    echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt";
+      echo '                    echo "" >> ~/temp_renewletsencrypt.txt';
+      echo "                    \${PROJECT_NAME}-renew-cert -h \$LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt";
+      echo -n "                    cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" ";
+      echo "\$ADMIN_EMAIL_ADDRESS";
+      echo '                    rm ~/temp_renewletsencrypt.txt';
+      echo '                    if [ ! -f ~/letsencrypt_failed ]; then';
+      echo '                        touch ~/letsencrypt_failed';
+      echo '                    fi';
+      echo '                fi';
+      echo '            fi';
+      echo '        done';
+      echo '    fi';
+      echo 'fi'; } > "$renewals_retry_script"
+    chmod +x "$renewals_retry_script"
 
     if [ ! -f /etc/cron.daily/letsencrypt ]; then
         cp $renewals_retry_script /etc/cron.daily/letsencrypt
@@ -413,10 +412,10 @@ function configure_php {
 
 function install_web_server_access_control {
     if [ ! -f /etc/pam.d/nginx ]; then
-        echo '#%PAM-1.0' > /etc/pam.d/nginx
-        echo '@include common-auth' >> /etc/pam.d/nginx
-        echo '@include common-account' >> /etc/pam.d/nginx
-        echo '@include common-session' >> /etc/pam.d/nginx
+        { echo '#%PAM-1.0';
+          echo '@include common-auth';
+          echo '@include common-account';
+          echo '@include common-session'; } > /etc/pam.d/nginx
     fi
 }
 
@@ -435,7 +434,7 @@ function install_dynamicdns {
 
     # update to the next commit
     function_check set_repo_commit
-    set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
+    set_repo_commit "$INSTALL_DIR/inadyn" "inadyn commit" "$INADYN_COMMIT" "$INADYN_REPO"
 
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
         return
@@ -448,36 +447,33 @@ function install_dynamicdns {
     # https version 1.99.8
 
     apt-get -yq install build-essential curl libgnutls28-dev automake1.11
-    if [ ! -d $INSTALL_DIR/inadyn ]; then
+    if [ ! -d "$INSTALL_DIR/inadyn" ]; then
         if [ -d /repos/inadyn ]; then
-            mkdir $INSTALL_DIR/inadyn
-            cp -r -p /repos/inadyn/. $INSTALL_DIR/inadyn
-            cd $INSTALL_DIR/inadyn
+            mkdir "$INSTALL_DIR/inadyn"
+            cp -r -p /repos/inadyn/. "$INSTALL_DIR/inadyn"
+            cd "$INSTALL_DIR/inadyn" || exit 2462874684
             git pull
         else
-            git_clone $INADYN_REPO $INSTALL_DIR/inadyn
+            git_clone "$INADYN_REPO" "$INSTALL_DIR/inadyn"
         fi
     fi
-    if [ ! -d $INSTALL_DIR/inadyn ]; then
+    if [ ! -d "$INSTALL_DIR/inadyn" ]; then
         echo 'inadyn repo not cloned'
         echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs
         exit 6785
     fi
-    cd $INSTALL_DIR/inadyn
-    git checkout $INADYN_COMMIT -b $INADYN_COMMIT
+    cd "$INSTALL_DIR/inadyn" || exit 246824684
+    git checkout "$INADYN_COMMIT" -b "$INADYN_COMMIT"
     set_completion_param "inadyn commit" "$INADYN_COMMIT"
 
     #./autogen.sh
-    ./configure
-    if [ ! "$?" = "0" ]; then
+    if ! ./configure; then
         exit 74890
     fi
-    USE_OPENSSL=1 make
-    if [ ! "$?" = "0" ]; then
+    if ! USE_OPENSSL=1 make; then
         exit 74858
     fi
-    make install
-    if [ ! "$?" = "0" ]; then
+    if ! make install; then
         exit 3785
     fi
 
@@ -489,25 +485,25 @@ function install_dynamicdns {
     #chmod 0000 /etc/gshadow
 
     # create a configuration file
-    echo 'background' > /etc/inadyn.conf
-    echo 'verbose        1' >> /etc/inadyn.conf
-    echo 'period         300' >> /etc/inadyn.conf
-    echo 'startup-delay  60' >> /etc/inadyn.conf
-    echo 'cache-dir      /run/inadyn' >> /etc/inadyn.conf
-    echo 'logfile        /dev/null' >> /etc/inadyn.conf
+    { echo 'background';
+      echo 'verbose        1';
+      echo 'period         300';
+      echo 'startup-delay  60';
+      echo 'cache-dir      /run/inadyn';
+      echo 'logfile        /dev/null'; } > /etc/inadyn.conf
     chmod 600 /etc/inadyn.conf
 
-    echo '[Unit]' > /etc/systemd/system/inadyn.service
-    echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service
-    echo 'After=network.target' >> /etc/systemd/system/inadyn.service
-    echo '' >> /etc/systemd/system/inadyn.service
-    echo '[Service]' >> /etc/systemd/system/inadyn.service
-    echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service
-    echo 'Restart=always' >> /etc/systemd/system/inadyn.service
-    echo 'Type=forking' >> /etc/systemd/system/inadyn.service
-    echo '' >> /etc/systemd/system/inadyn.service
-    echo '[Install]' >> /etc/systemd/system/inadyn.service
-    echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service
+    { echo '[Unit]';
+      echo 'Description=inadyn (DynDNS updater)';
+      echo 'After=network.target';
+      echo '';
+      echo '[Service]';
+      echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf';
+      echo 'Restart=always';
+      echo 'Type=forking';
+      echo '';
+      echo '[Install]';
+      echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/inadyn.service
     systemctl enable inadyn
     systemctl start inadyn
     systemctl daemon-reload
@@ -519,18 +515,18 @@ function update_default_search_engine {
     for d in /home/*/ ; do
         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
         if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
-            if ! grep -q "WWW_HOME" /home/$USERNAME/.bashrc; then
-                if ! grep -q 'controluser' /home/$USERNAME/.bashrc; then
-                    if ! grep -q 'export WWW_HOME=' /home/$USERNAME/.bashrc; then
-                        echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$USERNAME/.bashrc
+            if ! grep -q "WWW_HOME" "/home/$USERNAME/.bashrc"; then
+                if ! grep -q 'controluser' "/home/$USERNAME/.bashrc"; then
+                    if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then
+                        echo "export WWW_HOME=$DEFAULT_SEARCH" >> "/home/$USERNAME/.bashrc"
                     else
-                        sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" /home/$USERNAME/.bashrc
+                        sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"
                     fi
                 else
-                    if ! grep -q 'export WWW_HOME=' /home/$USERNAME/.bashrc; then
-                        sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" /home/$USERNAME/.bashrc
+                    if ! grep -q 'export WWW_HOME=' "/home/$USERNAME/.bashrc"; then
+                        sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" "/home/$USERNAME/.bashrc"
                     else
-                        sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" /home/$USERNAME/.bashrc
+                        sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" "/home/$USERNAME/.bashrc"
                     fi
                 fi
             fi
@@ -550,27 +546,28 @@ function install_command_line_browser {
 
 function mesh_web_server {
     if [ -d /etc/apache2 ]; then
+        # shellcheck disable=SC2154
         chroot "$rootdir" apt-get -yq remove --purge apache2
         chroot "$rootdir" rm -rf /etc/apache2
     fi
 
     chroot "$rootdir" apt-get -yq install nginx
 
-    if [ ! -d $rootdir/etc/nginx ]; then
+    if [ ! -d "$rootdir/etc/nginx" ]; then
         echo $'Unable to install web server'
         exit 346825
     fi
 }
 
 function install_web_server {
-    if [ $INSTALLING_MESH ]; then
+    if [ "$INSTALLING_MESH" ]; then
         mesh_web_server
         return
     fi
 
     # update to the next commit
     function_check set_repo_commit
-    set_repo_commit $INSTALL_DIR/nginx_ensite "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO
+    set_repo_commit "$INSTALL_DIR/nginx_ensite" "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO
 
     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
         return
@@ -600,12 +597,12 @@ function install_web_server {
     sed -i 's|process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf
 
     if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then
-        echo 'pm = static' >> /etc/php/7.0/fpm/php-fpm.conf
-        echo 'pm.max_children = 10' >> /etc/php/7.0/fpm/php-fpm.conf
-        echo 'pm.start_servers = 2' >> /etc/php/7.0/fpm/php-fpm.conf
-        echo 'pm.min_spare_servers = 2' >> /etc/php/7.0/fpm/php-fpm.conf
-        echo 'pm.max_spare_servers = 5' >> /etc/php/7.0/fpm/php-fpm.conf
-        echo 'pm.max_requests = 10' >> /etc/php/7.0/fpm/php-fpm.conf
+        { echo 'pm = static';
+          echo 'pm.max_children = 10';
+          echo 'pm.start_servers = 2';
+          echo 'pm.min_spare_servers = 2';
+          echo 'pm.max_spare_servers = 5';
+          echo 'pm.max_requests = 10'; } >> /etc/php/7.0/fpm/php-fpm.conf
     fi
     if ! grep -q "request_terminate_timeout" /etc/php/7.0/fpm/php-fpm.conf; then
         echo 'request_terminate_timeout = 30' >> /etc/php/7.0/fpm/php-fpm.conf
@@ -620,91 +617,91 @@ function install_web_server {
     fi
 
     # Nginx settings
-    echo 'user www-data;' > /etc/nginx/nginx.conf
-    #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf
-    echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo 'events {' >> /etc/nginx/nginx.conf
-    echo '        worker_connections 50;' >> /etc/nginx/nginx.conf
-    echo '        # multi_accept on;' >> /etc/nginx/nginx.conf
-    echo '}' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo 'http {' >> /etc/nginx/nginx.conf
-    echo '        # limit the number of connections per single IP' >> /etc/nginx/nginx.conf
-    echo '        limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # limit the number of requests for a given session' >> /etc/nginx/nginx.conf
-    echo '        limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf
-    echo '        client_body_buffer_size  128k;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf
-    echo '        client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf
-    echo '        large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf
-    echo '        client_body_timeout   3m;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf
-    echo '        client_header_timeout 3m;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        ##' >> /etc/nginx/nginx.conf
-    echo '        # Basic Settings' >> /etc/nginx/nginx.conf
-    echo '        ##' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        sendfile on;' >> /etc/nginx/nginx.conf
-    echo '        tcp_nopush on;' >> /etc/nginx/nginx.conf
-    echo '        tcp_nodelay on;' >> /etc/nginx/nginx.conf
-    echo '        keepalive_timeout 65;' >> /etc/nginx/nginx.conf
-    echo '        types_hash_max_size 2048;' >> /etc/nginx/nginx.conf
-    echo '        server_tokens off;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf
-    echo '        # server_name_in_redirect off;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf
-    echo '        default_type application/octet-stream;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        ##' >> /etc/nginx/nginx.conf
-    echo '        # Logging Settings' >> /etc/nginx/nginx.conf
-    echo '        ##' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        access_log /dev/null;' >> /etc/nginx/nginx.conf
-    echo '        error_log /dev/null;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        ###' >> /etc/nginx/nginx.conf
-    echo '        # Gzip Settings' >> /etc/nginx/nginx.conf
-    echo '        ##' >> /etc/nginx/nginx.conf
-    echo '        gzip on;' >> /etc/nginx/nginx.conf
-    echo '        gzip_disable "msie6";' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        # gzip_vary on;' >> /etc/nginx/nginx.conf
-    echo '        # gzip_proxied any;' >> /etc/nginx/nginx.conf
-    echo '        # gzip_comp_level 6;' >> /etc/nginx/nginx.conf
-    echo '        # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf
-    echo '        # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf
-    echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        ##' >> /etc/nginx/nginx.conf
-    echo '        # Virtual Host Configs' >> /etc/nginx/nginx.conf
-    echo '        ##' >> /etc/nginx/nginx.conf
-    echo '' >> /etc/nginx/nginx.conf
-    echo '        include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf
-    echo '        include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf
-    echo '}' >> /etc/nginx/nginx.conf
+    { echo 'user www-data;';
+      #echo "worker_processes; $CPU_CORES";
+      echo 'pid /run/nginx.pid;';
+      echo '';
+      echo 'events {';
+      echo '        worker_connections 50;';
+      echo '        # multi_accept on;';
+      echo '}';
+      echo '';
+      echo 'http {';
+      echo '        # limit the number of connections per single IP';
+      echo "        limit_conn_zone \$binary_remote_addr zone=conn_limit_per_ip:10m;";
+      echo '';
+      echo '        # limit the number of requests for a given session';
+      echo "        limit_req_zone \$binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;";
+      echo '';
+      echo '        # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file';
+      echo '        client_body_buffer_size  128k;';
+      echo '';
+      echo '        # headerbuffer size for the request header from client, its set for testing purpose';
+      echo '        client_header_buffer_size 3m;';
+      echo '';
+      echo '        # maximum number and size of buffers for large headers to read from client request';
+      echo '        large_client_header_buffers 4 256k;';
+      echo '';
+      echo '        # read timeout for the request body from client, its set for testing purpose';
+      echo '        client_body_timeout   3m;';
+      echo '';
+      echo '        # how long to wait for the client to send a request header, its set for testing purpose';
+      echo '        client_header_timeout 3m;';
+      echo '';
+      echo '        ##';
+      echo '        # Basic Settings';
+      echo '        ##';
+      echo '';
+      echo '        sendfile on;';
+      echo '        tcp_nopush on;';
+      echo '        tcp_nodelay on;';
+      echo '        keepalive_timeout 65;';
+      echo '        types_hash_max_size 2048;';
+      echo '        server_tokens off;';
+      echo '';
+      echo '        # server_names_hash_bucket_size 64;';
+      echo '        # server_name_in_redirect off;';
+      echo '';
+      echo '        include /etc/nginx/mime.types;';
+      echo '        default_type application/octet-stream;';
+      echo '';
+      echo '        ##';
+      echo '        # Logging Settings';
+      echo '        ##';
+      echo '';
+      echo '        access_log /dev/null;';
+      echo '        error_log /dev/null;';
+      echo '';
+      echo '        ###';
+      echo '        # Gzip Settings';
+      echo '        ##';
+      echo '        gzip on;';
+      echo '        gzip_disable "msie6";';
+      echo '';
+      echo '        # gzip_vary on;';
+      echo '        # gzip_proxied any;';
+      echo '        # gzip_comp_level 6;';
+      echo '        # gzip_buffers 16 8k;';
+      echo '        # gzip_http_version 1.1;';
+      echo '        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;';
+      echo '';
+      echo '        ##';
+      echo '        # Virtual Host Configs';
+      echo '        ##';
+      echo '';
+      echo '        include /etc/nginx/conf.d/*.conf;';
+      echo '        include /etc/nginx/sites-enabled/*;';
+      echo '}'; } > /etc/nginx/nginx.conf
 
     # install a script to easily enable and disable nginx virtual hosts
-    if [ ! -d $INSTALL_DIR ]; then
-        mkdir $INSTALL_DIR
+    if [ ! -d "$INSTALL_DIR" ]; then
+        mkdir "$INSTALL_DIR"
     fi
-    cd $INSTALL_DIR
+    cd "$INSTALL_DIR" || exit 2798462846827
     function_check git_clone
-    git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite
-    cd $INSTALL_DIR/nginx_ensite
-    git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT
+    git_clone "$NGINX_ENSITE_REPO" "$INSTALL_DIR/nginx_ensite"
+    cd "$INSTALL_DIR/nginx_ensite" || exit 2468748223
+    git checkout "$NGINX_ENSITE_COMMIT" -b "$NGINX_ENSITE_COMMIT"
 
     set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"
 
@@ -720,24 +717,24 @@ function install_web_server {
 function remove_certs {
     domain_name=$1
 
-    if [ ! $domain_name ]; then
+    if [ ! "$domain_name" ]; then
         return
     fi
 
-    if [ -f /etc/ssl/certs/${domain_name}.dhparam ]; then
-        rm /etc/ssl/certs/${domain_name}.dhparam
+    if [ -f "/etc/ssl/certs/${domain_name}.dhparam" ]; then
+        rm "/etc/ssl/certs/${domain_name}.dhparam"
     fi
 
-    if [ -f /etc/ssl/certs/${domain_name}.pem ]; then
-        rm /etc/ssl/certs/${domain_name}.pem
+    if [ -f "/etc/ssl/certs/${domain_name}.pem" ]; then
+        rm "/etc/ssl/certs/${domain_name}.pem"
     fi
 
-    if [ -f /etc/ssl/certs/${domain_name}.crt ]; then
-        rm /etc/ssl/certs/${domain_name}.crt
+    if [ -f "/etc/ssl/certs/${domain_name}.crt" ]; then
+        rm "/etc/ssl/certs/${domain_name}.crt"
     fi
 
-    if [ -f /etc/ssl/private/${domain_name}.key ]; then
-        rm /etc/ssl/private/${domain_name}.key
+    if [ -f "/etc/ssl/private/${domain_name}.key" ]; then
+        rm "/etc/ssl/private/${domain_name}.key"
     fi
 }
 
@@ -761,7 +758,7 @@ function update_default_domain {
     echo $'Updating default domain'
     if [[ $ONION_ONLY == 'no' ]]; then
         if [ -f /etc/mumble-server.ini ]; then
-            if [ ! -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then
+            if [ ! -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then
                 if ! grep -q "mumble.pem" /etc/mumble-server.ini; then
                     sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini
                     sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini
@@ -783,7 +780,7 @@ function update_default_domain {
             fi
             cp /etc/ssl/private/xmpp* /etc/prosody/certs
             cp /etc/ssl/certs/xmpp* /etc/prosody/certs
-            if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then
+            if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then
                 usermod -a -G ssl-cert prosody
                 if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then
                     sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
@@ -819,9 +816,9 @@ function update_default_domain {
             chown -R prosody:default /etc/prosody
             chmod -R 700 /etc/prosody/certs/*
             chmod 600 /etc/prosody/prosody.cfg.lua
-            if [ -d $INSTALL_DIR/prosody-modules ]; then
-                cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/
-                cp -r $INSTALL_DIR/prosody-modules/* /usr/lib/prosody/modules/
+            if [ -d "$INSTALL_DIR/prosody-modules" ]; then
+                cp -r "$INSTALL_DIR/prosody-modules/*" /var/lib/prosody/prosody-modules/
+                cp -r "$INSTALL_DIR/prosody-modules/*" /usr/lib/prosody/modules/
             fi
             chown -R prosody:prosody /var/lib/prosody/prosody-modules
             chown -R prosody:prosody /usr/lib/prosody/modules
@@ -830,9 +827,9 @@ function update_default_domain {
 
         if [ -d /home/znc/.znc ]; then
             echo $'znc found'
-            if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then
+            if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then
                 pkill znc
-                cat /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key > /home/znc/.znc/znc.pem
+                cat "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" > /home/znc/.znc/znc.pem
                 chown znc:znc /home/znc/.znc/znc.pem
                 chmod 700 /home/znc/.znc/znc.pem
 
@@ -847,7 +844,7 @@ function update_default_domain {
         fi
 
         if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then
-            if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then
+            if [ -f "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" ]; then
                 if [ -d /etc/dovecot ]; then
                     if ! grep -q "ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/dovecot/conf.d/10-ssl.conf; then
                         sed -i "s|#ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf
@@ -858,7 +855,7 @@ function update_default_domain {
 
                 if [ -d /etc/exim4 ]; then
                     # Unfortunately there doesn't appear to be any other way than copying certs here
-                    cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem /etc/exim4/
+                    cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem" /etc/exim4/
                     chown root:Debian-exim /etc/exim4/*.pem
                     chmod 640 /etc/exim4/*.pem
 
@@ -875,17 +872,17 @@ function update_default_domain {
 }
 
 function create_default_web_site {
-    if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then
+    if [ ! -f "/etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}" ]; then
         # create a web site for the default domain
-        if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then
-            mkdir -p /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
-            if [ -d /root/${PROJECT_NAME} ]; then
-                cd /root/${PROJECT_NAME}/website
-                ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
+        if [ ! -d "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs" ]; then
+            mkdir -p "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"
+            if [ -d "/root/${PROJECT_NAME}" ]; then
+                cd "/root/${PROJECT_NAME}/website" || exit 24687246468
+                ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"
             else
-                if [ -d /home/${MY_USERNAME}/${PROJECT_NAME} ]; then
-                    cd /home/${MY_USERNAME}/${PROJECT_NAME}
-                    ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
+                if [ -d "/home/${MY_USERNAME}/${PROJECT_NAME}" ]; then
+                    cd "/home/${MY_USERNAME}/${PROJECT_NAME}" || exit 2462874624
+                    ./deploy.sh EN "/var/www/${DEFAULT_DOMAIN_NAME}/htdocs"
                 fi
             fi
         fi
@@ -894,94 +891,93 @@ function create_default_web_site {
         nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
         if [[ $ONION_ONLY == "no" ]]; then
             function_check nginx_http_redirect
-            nginx_http_redirect $DEFAULT_DOMAIN_NAME
-            echo 'server {' >> $nginx_site
-            echo '  listen 443 ssl;' >> $nginx_site
-            echo '  #listen [::]:443 ssl;' >> $nginx_site
-            echo "  server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
-            echo '' >> $nginx_site
-            echo '  # Security' >> $nginx_site
+            nginx_http_redirect "$DEFAULT_DOMAIN_NAME"
+            { echo 'server {';
+              echo '  listen 443 ssl;';
+              echo '  #listen [::]:443 ssl;';
+              echo "  server_name $DEFAULT_DOMAIN_NAME;";
+              echo '';
+              echo '  # Security'; } >> "$nginx_site"
             function_check nginx_ssl
-            nginx_ssl $DEFAULT_DOMAIN_NAME mobile
+            nginx_ssl "$DEFAULT_DOMAIN_NAME" mobile
 
             function_check nginx_disable_sniffing
-            nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
+            nginx_disable_sniffing "$DEFAULT_DOMAIN_NAME"
 
-            echo '  add_header Strict-Transport-Security max-age=15768000;' >> $nginx_site
-            echo '' >> $nginx_site
-            echo '  # Logs' >> $nginx_site
-            echo '  access_log /dev/null;' >> $nginx_site
-            echo '  error_log /dev/null;' >> $nginx_site
-            echo '' >> $nginx_site
-            echo '  # Root' >> $nginx_site
-            echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
-            echo '' >> $nginx_site
-            echo '  # Index' >> $nginx_site
-            echo '  index index.html;' >> $nginx_site
-            echo '' >> $nginx_site
-            echo '  # Location' >> $nginx_site
-            echo '  location / {' >> $nginx_site
+            { echo '  add_header Strict-Transport-Security max-age=15768000;';
+              echo '';
+              echo '  # Logs';
+              echo '  access_log /dev/null;';
+              echo '  error_log /dev/null;';
+              echo '';
+              echo '  # Root';
+              echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";
+              echo '';
+              echo '  # Index';
+              echo '  index index.html;';
+              echo '';
+              echo '  # Location';
+              echo '  location / {'; } >> "$nginx_site"
             function_check nginx_limits
-            nginx_limits $DEFAULT_DOMAIN_NAME '15m'
-            echo '  }' >> $nginx_site
-            echo '' >> $nginx_site
-            echo '  # Restrict access that is unnecessary anyway' >> $nginx_site
-            echo '  location ~ /\.(ht|git) {' >> $nginx_site
-            echo '    deny all;' >> $nginx_site
-            echo '  }' >> $nginx_site
-            echo '}' >> $nginx_site
+            nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'
+            { echo '  }';
+              echo '';
+              echo '  # Restrict access that is unnecessary anyway';
+              echo '  location ~ /\.(ht|git) {';
+              echo '    deny all;';
+              echo '  }';
+              echo '}'; } >> "$nginx_site"
         else
-            echo -n '' > $nginx_site
+            echo -n '' > "$nginx_site"
         fi
-        echo 'server {' >> $nginx_site
-        echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;" >> $nginx_site
-        echo "    server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
-        echo '' >> $nginx_site
+        { echo 'server {';
+          echo "    listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;";
+          echo "    server_name $DEFAULT_DOMAIN_NAME;";
+          echo ''; } >> "$nginx_site"
         function_check nginx_disable_sniffing
-        nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
-        echo '' >> $nginx_site
-        echo '  # Logs' >> $nginx_site
-        echo '  access_log /dev/null;' >> $nginx_site
-        echo '  error_log /dev/null;' >> $nginx_site
-        echo '' >> $nginx_site
-        echo '  # Root' >> $nginx_site
-        echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
-        echo '' >> $nginx_site
-        echo '  # Location' >> $nginx_site
-        echo '  location / {' >> $nginx_site
+        nginx_disable_sniffing "$DEFAULT_DOMAIN_NAME"
+        { echo '';
+          echo '  # Logs';
+          echo '  access_log /dev/null;';
+          echo '  error_log /dev/null;';
+          echo '';
+          echo '  # Root';
+          echo "  root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;";
+          echo '';
+          echo '  # Location';
+          echo '  location / {'; } >> "$nginx_site"
         function_check nginx_limits
-        nginx_limits $DEFAULT_DOMAIN_NAME '15m'
-        echo '  }' >> $nginx_site
-        echo '' >> $nginx_site
-        echo '  # Restrict access that is unnecessary anyway' >> $nginx_site
-        echo '  location ~ /\.(ht|git) {' >> $nginx_site
-        echo '    deny all;' >> $nginx_site
-        echo '  }' >> $nginx_site
-        echo '}' >> $nginx_site
+        nginx_limits "$DEFAULT_DOMAIN_NAME" '15m'
+        { echo '  }';
+          echo '';
+          echo '  # Restrict access that is unnecessary anyway';
+          echo '  location ~ /\.(ht|git) {';
+          echo '    deny all;';
+          echo '  }';
+          echo '}'; } >> "$nginx_site"
 
-        if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+        if [ ! -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
             function_check create_site_certificate
-            create_site_certificate $DEFAULT_DOMAIN_NAME 'yes'
+            create_site_certificate "$DEFAULT_DOMAIN_NAME" 'yes'
         fi
 
-        nginx_ensite $DEFAULT_DOMAIN_NAME
+        nginx_ensite "$DEFAULT_DOMAIN_NAME"
     fi
 }
 
 function install_composer {
     # curl -sS https://getcomposer.org/installer | php
-    if [ -f ~/${PROJECT_NAME}/image_build/composer_install ]; then
-        cat ~/${PROJECT_NAME}/image_build/composer_install | php
+    if [ -f "${HOME}/${PROJECT_NAME}/image_build/composer_install" ]; then
+        php < "${HOME}/${PROJECT_NAME}/image_build/composer_install"
     else
-        if [ -f /home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install ]; then
-            cat /home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install | php
+        if [ -f "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install" ]; then
+            php < "/home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install"
         fi
     fi
     if [ -f composer.phar ]; then
         cp composer.phar composer
     fi
-    php composer.phar install
-    if [ ! "$?" = "0" ]; then
+    if ! php composer.phar install; then
         echo $'Unable to run composer install'
         exit 7252198
     fi
@@ -1007,7 +1003,7 @@ function email_install_tls {
         tls_auth_config_file=$tls_config_file
     fi
     if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
-        ${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH
+        "${PROJECT_NAME}-addcert" -h exim --dhkey "$DH_KEYLENGTH"
         check_certificates exim
         cp /etc/ssl/certs/exim.dhparam /etc/exim4
         chown root:Debian-exim /etc/exim4/exim.dhparam
@@ -1015,7 +1011,7 @@ function email_install_tls {
         email_config_changed=1
     fi
     if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then
-        sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" $tls_config_file
+        sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\\MAIN_HARDCODE_PRIMARY_HOSTNAME =\\nMAIN_TLS_ENABLE = true" "$tls_config_file"
         email_config_changed=1
     fi
     if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then
@@ -1026,23 +1022,23 @@ function email_install_tls {
         sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file
         email_config_changed=1
     fi
-    if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
-        cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem /etc/exim4/
+    if [ -f "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" ]; then
+        cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/exim4/
         chown root:Debian-exim /etc/exim4/*.pem
         chmod 640 /etc/exim4/*.pem
 
         if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then
-            sed -i "/.ifdef MAIN_TLS_CERTKEY/i\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file
+            sed -i "/.ifdef MAIN_TLS_CERTKEY/i\\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file
             email_config_changed=1
         fi
     fi
-    if [ -f /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key ]; then
-        cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem /etc/exim4/
+    if [ -f "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" ]; then
+        cp "/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/exim4/
         chown root:Debian-exim /etc/exim4/*.pem
         chmod 640 /etc/exim4/*.pem
 
         if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then
-            sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file
+            sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file
             email_config_changed=1
         fi
     fi
@@ -1060,25 +1056,25 @@ function install_web_local_user_interface {
     # TODO
     # This is intended as a placeholder for a potential local web user interface
     # similar to Plinth or the yunohost admin interface
-    local_hostname=$(cat /etc/avahi/avahi-daemon.conf | grep 'host-name' | awk -F '=' '{print $2}').local
+    local_hostname=$(grep 'host-name' /etc/avahi/avahi-daemon.conf | awk -F '=' '{print $2}').local
 
-    mkdir -p /var/www/${local_hostname}/htdocs
-    echo '<html>' > /var/www/${local_hostname}/htdocs/index.html
-    echo '  <body>' >> /var/www/${local_hostname}/htdocs/index.html
-    echo "  This is a test on $local_hostname" >> /var/www/${local_hostname}/htdocs/index.html
-    echo '  </body>' >> /var/www/${local_hostname}/htdocs/index.html
-    echo '</html>' >> /var/www/${local_hostname}/htdocs/index.html
-    chown -R www-data:www-data /var/www/${local_hostname}/htdocs
+    mkdir -p "/var/www/${local_hostname}/htdocs"
+    { echo '<html>';
+      echo '  <body>';
+      echo "  This is a test on $local_hostname";
+      echo '  </body>';
+      echo '</html>'; } > "/var/www/${local_hostname}/htdocs/index.html"
+    chown -R www-data:www-data "/var/www/${local_hostname}/htdocs"
 
     nginx_file=/etc/nginx/sites-available/$local_hostname
-    echo 'server {' > $nginx_file
-    echo '  listen 80;' >> $nginx_file
-    echo '  listen [::]:80;' >> $nginx_file
-    echo "  server_name ${local_hostname};" >> $nginx_file
-    echo "  root /var/www/${local_hostname}/htdocs;" >> $nginx_file
-    echo '  index index.html;' >> $nginx_file
-    echo '}' >> $nginx_file
-    nginx_ensite $local_hostname
+    { echo 'server {';
+      echo '  listen 80;';
+      echo '  listen [::]:80;';
+      echo "  server_name ${local_hostname};";
+      echo "  root /var/www/${local_hostname}/htdocs;";
+      echo '  index index.html;';
+      echo '}'; } > "$nginx_file"
+    nginx_ensite "$local_hostname"
 }
 
 # NOTE: deliberately no exit 0
diff --git a/src/freedombone-utils-zram b/src/freedombone-utils-zram
index 1c225804..4c15d100 100755
--- a/src/freedombone-utils-zram
+++ b/src/freedombone-utils-zram
@@ -34,11 +34,11 @@ function enable_zram {
     fi
 
     if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then
-        ${PROJECT_NAME}-zram off
+        "${PROJECT_NAME}-zram" off
         return
     fi
 
-    ${PROJECT_NAME}-zram on
+    "${PROJECT_NAME}-zram" on
 
     mark_completed "${FUNCNAME[0]}"
 }