Merge remote-tracking branch 'upstream/main' into merge-upstream

# Conflicts: # setup/firstuser.sh # setup/functions.sh # setup/mail-users.sh # setup/management.sh # setup/network-checks.sh # setup/nextcloud.sh # setup/questions.sh # setup/ssl.sh # setup/start.sh # setup/system.sh # setup/webmail.sh # tools/archive_conf_files.sh # tools/web_update
2025-04-01 23:57:05 +00:00 · 2024-04-03 12:45:10 -04:00 · 2024-04-03 12:45:10 -04:00 · 11e69f53a0
commit 11e69f53a0
parent 21b01aab6d a332be6a7b
27 changed files with 315 additions and 310 deletions
--- a/management/daily_tasks.sh
+++ b/management/daily_tasks.sh
@ -20,7 +20,7 @@ export LC_TYPE=en_US.UTF-8

 # On Mondays, i.e. once a week, send the administrator a report of total emails
 # sent and received so the admin might notice server abuse.
-if [ `date "+%u"` -eq 1 ]; then
+if [ "$(date "+%u")" -eq 1 ]; then
    management/mail_log.py -t week | management/email_administrator.py "Mail-in-a-Box Usage Report"
 fi

--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@ -79,9 +79,9 @@ if [[ $EUID -ne 0 ]]; then
 fi

 # Clone the Mail-in-a-Box repository if it doesn't exist.
-if [ ! -d $HOME/mailinabox ]; then
+if [ ! -d "$HOME/mailinabox" ]; then
 	if [ ! -f /usr/bin/git ]; then
-		echo Installing git . . .
+		echo "Installing git . . ."
 		apt-get -q -q update
 		DEBIAN_FRONTEND=noninteractive apt-get -q -q install -y git < /dev/null
 		echo
@ -91,25 +91,25 @@ if [ ! -d $HOME/mailinabox ]; then
 		SOURCE=https://github.com/downtownallday/mailinabox-ldap.git
 	fi

-	echo Downloading Mail-in-a-Box $TAG. . .
+	echo "Downloading Mail-in-a-Box $TAG. . ."
 	git clone \
-		-b $TAG --depth 1 \
-		$SOURCE \
-		$HOME/mailinabox \
+		-b "$TAG" --depth 1 \
+		"$SOURCE" \
+		"$HOME/mailinabox" \
 		< /dev/null 2> /dev/null

 	echo
 fi

 # Change directory to it.
-cd $HOME/mailinabox
+cd "$HOME/mailinabox" || exit

 # Update it.
-if [ "$TAG" != $(git describe --always) ]; then
-	echo Updating Mail-in-a-Box to $TAG . . .
-	git fetch --depth 1 --force --prune origin tag $TAG
-	if ! git checkout -q $TAG; then
-		echo "Update failed. Did you modify something in $(pwd)?"
+if [ "$TAG" != "$(git describe --always)" ]; then
+	echo "Updating Mail-in-a-Box to $TAG . . ."
+	git fetch --depth 1 --force --prune origin tag "$TAG"
+	if ! git checkout -q "$TAG"; then
+		echo "Update failed. Did you modify something in $PWD?"
 		exit 1
 	fi
 	echo
--- a/setup/dkim.sh
+++ b/setup/dkim.sh
@ -19,12 +19,12 @@ source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars

 # Install DKIM...
-echo Installing OpenDKIM/OpenDMARC...
+echo "Installing OpenDKIM/OpenDMARC..."
 apt_install opendkim opendkim-tools opendmarc

 # Make sure configuration directories exist.
 mkdir -p /etc/opendkim;
-mkdir -p $STORAGE_ROOT/mail/dkim
+mkdir -p "$STORAGE_ROOT/mail/dkim"

 # Used in InternalHosts and ExternalIgnoreList configuration directives.
 # Not quite sure why.
@ -62,12 +62,12 @@ fi
 # such as Google. But they and others use a 2048 bit key, so we'll
 # do the same. Keys beyond 2048 bits may exceed DNS record limits.
 if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
-	opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
+	opendkim-genkey -b 2048 -r -s mail -D "$STORAGE_ROOT/mail/dkim"
 fi

 # Ensure files are owned by the opendkim user and are private otherwise.
-chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
-chmod go-rwx $STORAGE_ROOT/mail/dkim
+chown -R opendkim:opendkim "$STORAGE_ROOT/mail/dkim"
+chmod go-rwx "$STORAGE_ROOT/mail/dkim"

 tools/editconf.py /etc/opendmarc.conf -s \
 	"Syslog=true" \
--- a/setup/dns.sh
+++ b/setup/dns.sh
@ -142,7 +142,7 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
 	# (This previously used -b 2048 but it's unclear if this setting makes sense
 	# for non-RSA keys, so it's removed. The RSA-based keys are not recommended
 	# anymore anyway.)
-	KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo -k _domain_);
+	KSK=$(umask 077; cd "$STORAGE_ROOT/dns/dnssec"; ldns-keygen -r /dev/urandom -a $algo -k _domain_);

 	# Now create a Zone-Signing Key (ZSK) which is expected to be
 	# rotated more often than a KSK, although we have no plans to
@ -150,7 +150,7 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
 	# disturbing DNS availability.) Omit `-k`.
 	# (This previously used -b 1024 but it's unclear if this setting makes sense
 	# for non-RSA keys, so it's removed.)
-	ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -r /dev/urandom -a $algo _domain_);
+	ZSK=$(umask 077; cd "$STORAGE_ROOT/dns/dnssec"; ldns-keygen -r /dev/urandom -a $algo _domain_);

 	# These generate two sets of files like:
 	#
@ -162,7 +162,7 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
 	# options. So we'll store the names of the files we just generated.
 	# We might have multiple keys down the road. This will identify
 	# what keys are the current keys.
-	cat > $STORAGE_ROOT/dns/dnssec/$algo.conf << EOF;
+	cat > "$STORAGE_ROOT/dns/dnssec/$algo.conf" << EOF;
 KSK=$KSK
 ZSK=$ZSK
 EOF
@ -178,7 +178,7 @@ cat > /etc/cron.daily/mailinabox-dnssec << EOF;
 #!/bin/bash
 # Mail-in-a-Box
 # Re-sign any DNS zones with DNSSEC because the signatures expire periodically.
-$(pwd)/tools/dns_update
+$PWD/tools/dns_update
 EOF
 chmod +x /etc/cron.daily/mailinabox-dnssec

--- a/setup/firstuser.sh
+++ b/setup/firstuser.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 #####
 ##### This file is part of Mail-in-a-Box-LDAP which is released under the
 ##### terms of the GNU Affero General Public License as published by the
@ -19,7 +20,7 @@ if [ -z "$(management/cli.py user)" ]; then
 			input_box "Mail Account" \
 				"Let's create your first mail account.
 				\n\nWhat email address do you want?" \
-				me@$(get_default_hostname) \
+				"me@$(get_default_hostname)" \
 				EMAIL_ADDR

 			if [ -z "$EMAIL_ADDR" ]; then
@ -31,7 +32,7 @@ if [ -z "$(management/cli.py user)" ]; then
 				input_box "Mail Account" \
 					"That's not a valid email address.
 					\n\nWhat email address do you want?" \
-					$EMAIL_ADDR \
+					"$EMAIL_ADDR" \
 					EMAIL_ADDR
 				if [ -z "$EMAIL_ADDR" ]; then
 					# user hit ESC/cancel
@ -56,11 +57,11 @@ if [ -z "$(management/cli.py user)" ]; then
 	fi

 	# Create the user's mail account. This will ask for a password if none was given above.
-	management/cli.py user add $EMAIL_ADDR ${EMAIL_PW:-}
+	management/cli.py user add "$EMAIL_ADDR" "${EMAIL_PW:-}"

 	# Make it an admin.
-	hide_output management/cli.py user make-admin $EMAIL_ADDR
+	hide_output management/cli.py user make-admin "$EMAIL_ADDR"

 	# Create an alias to which we'll direct all automatically-created administrative aliases.
-	management/cli.py alias add administrator@$PRIMARY_HOSTNAME $EMAIL_ADDR > /dev/null
+	management/cli.py alias add "administrator@$PRIMARY_HOSTNAME" "$EMAIL_ADDR" > /dev/null
 fi
--- a/setup/functions.sh
+++ b/setup/functions.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 # -*- indent-tabs-mode: t; tab-width: 4; -*-
 #####
 ##### This file is part of Mail-in-a-Box-LDAP which is released under the
@ -32,7 +33,7 @@ function hide_output {
 	# Execute command, redirecting stderr/stdout to the temporary file. Since we
 	# check the return code ourselves, disable 'set -e' temporarily.
 	set +e
-	"$@" &> $OUTPUT
+	"$@" &> "$OUTPUT"
 	E=$?
 	set -e

@ -40,15 +41,15 @@ function hide_output {
 	if [ $E != 0 ]; then
 		# Something failed.
 		echo
-		echo FAILED: "$@"
+		echo "FAILED: $*"
 		echo -----------------------------------------
-		cat $OUTPUT
+		cat "$OUTPUT"
 		echo -----------------------------------------
 		exit $E
 	fi

 	# Remove temporary file.
-	rm -f $OUTPUT
+	rm -f "$OUTPUT"
 }

 function wait_for_apt_lock {
@ -97,9 +98,9 @@ function get_default_hostname {
 	# Guess the machine's hostname. It should be a fully qualified
 	# domain name suitable for DNS. None of these calls may provide
 	# the right value, but it's the best guess we can make.
-	set -- $(hostname --fqdn      2>/dev/null ||
+	set -- "$(hostname --fqdn      2>/dev/null ||
                 hostname --all-fqdns 2>/dev/null ||
-                 hostname             2>/dev/null)
+                 hostname             2>/dev/null)"
 	printf '%s\n' "$1" # return this value
 }

@ -111,7 +112,7 @@ function get_publicip_from_web_service {
 	#
 	# Pass '4' or '6' as an argument to this function to specify
 	# what type of address to get (IPv4, IPv6).
-	curl -$1 --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true
+	curl -"$1" --fail --silent --max-time 15 icanhazip.com 2>/dev/null || /bin/true
 }

 function get_default_privateip {
@ -154,19 +155,19 @@ function get_default_privateip {
 	if [ "$1" == "6" ]; then target=2001:4860:4860::8888; fi

 	# Get the route information.
-	route=$(ip -$1 -o route get $target 2>/dev/null | grep -v unreachable)
+	route=$(ip -"$1" -o route get $target 2>/dev/null | grep -v unreachable)

 	# Parse the address out of the route information.
-	address=$(echo $route | sed "s/.* src \([^ ]*\).*/\1/")
+	address=$(echo "$route" | sed "s/.* src \([^ ]*\).*/\1/")

 	if [[ "$1" == "6" && $address == fe80:* ]]; then
 		# For IPv6 link-local addresses, parse the interface out
 		# of the route information and append it with a '%'.
-		interface=$(echo $route | sed "s/.* dev \([^ ]*\).*/\1/")
+		interface=$(echo "$route" | sed "s/.* dev \([^ ]*\).*/\1/")
 		address=$address%$interface
 	fi

-	echo $address
+	echo "$address"
 }

 function ufw_allow {
@ -184,7 +185,7 @@ function ufw_limit {
 }

 function restart_service {
-	hide_output service $1 restart
+	hide_output service "$1" restart
 }

 ## Dialog Functions ##
@ -213,7 +214,7 @@ function input_menu {
 	declare -n result_code=$4_EXITCODE
 	local IFS=^$'\n'
 	set +e
-	result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 $3)
+	result=$(dialog --stdout --title "$1" --menu "$2" 0 0 0 "$3")
 	result_code=$?
 	set -e
 }
@ -225,17 +226,17 @@ function wget_verify {
 	HASH=$2
 	DEST=$3
 	CHECKSUM="$HASH  $DEST"
-	rm -f $DEST
-	hide_output wget --compression=auto -O $DEST $URL
+	rm -f "$DEST"
+	hide_output wget --compression=auto -O "$DEST" "$URL"
 	if ! echo "$CHECKSUM" | sha1sum --check --strict > /dev/null; then
 		echo "------------------------------------------------------------"
 		echo "Download of $URL did not match expected checksum."
 		echo "Found:"
-		sha1sum $DEST
+		sha1sum "$DEST"
 		echo
 		echo "Expected:"
 		echo "$CHECKSUM"
-		rm -f $DEST
+		rm -f "$DEST"
 		exit 1
 	fi
 }
@ -251,10 +252,10 @@ function git_clone {
 	SUBDIR=$3
 	TARGETPATH=$4
 	TMPPATH=/tmp/git-clone-$$
-	rm -rf $TMPPATH $TARGETPATH
-	git clone -q $REPO $TMPPATH || exit 1
-	(cd $TMPPATH; git checkout -q $TREEISH;) || exit 1
-	mv $TMPPATH/$SUBDIR $TARGETPATH
+	rm -rf $TMPPATH "$TARGETPATH"
+	git clone -q "$REPO" $TMPPATH || exit 1
+	(cd $TMPPATH; git checkout -q "$TREEISH";) || exit 1
+	mv $TMPPATH/"$SUBDIR" "$TARGETPATH"
 	rm -rf $TMPPATH
 }

@ -326,14 +327,14 @@ say() {
 wait_for_management_daemon() {
 	local progress="${1:-progress}" # show progress? "progress"/"no-progress"
 	local max_wait="${2:-60}" # seconds, 0=forever
-	local start=$(date +%s)
+	local start="$(date +%s)"
 	local elapsed=0 now
 	[ "$max_wait" = "forever" ] && max_wait=0
-	
+
 	# Wait for the management daemon to start...
 	until nc -z -w 4 127.0.0.1 10222
 	do
-		now=$(date +%s)
+		now="$(date +%s)"
 		# let returns 1 if the equasion evaluates to zero, which will
 		# cause the script to exit because of set -e. add one.
 		[ $now -eq $start ] && let now+=1
@ -343,7 +344,7 @@ wait_for_management_daemon() {
 			return 1
 		fi
 		if [ "$progress" = "progress" ]; then
-			echo Waiting for the Mail-in-a-Box management daemon to start...
+			echo "Waiting for the Mail-in-a-Box management daemon to start..."
 		fi
 		sleep 2
 	done
@ -383,4 +384,3 @@ remove_hook_handler() {
 		fi
 	fi
 }
-
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@ -54,8 +54,8 @@ apt_install \
 # - https://www.dovecot.org/list/dovecot/2012-August/137569.html
 # - https://www.dovecot.org/list/dovecot/2011-December/132455.html
 tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
-	default_process_limit=$(echo "$(nproc) * 250" | bc) \
-	default_vsz_limit=$(echo "$(free -tm  | tail -1 | awk '{print $2}') / 3" | bc)M \
+	default_process_limit="$(($(nproc) * 250))" \
+	default_vsz_limit="$(($(free -tm  | tail -1 | awk '{print $2}') / 3))M" \
 	log_path=/var/log/mail.log

 # The inotify `max_user_instances` default is 128, which constrains
@ -70,7 +70,7 @@ tools/editconf.py /etc/sysctl.conf \
 # username part of the user's email address. We'll ensure that no bad domains or email addresses
 # are created within the management daemon.
 tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
-	mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \
+	mail_location="maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n" \
 	mail_privileged_group=mail \
 	first_valid_uid=0

@ -161,7 +161,7 @@ EOF
 # Setting a `postmaster_address` is required or LMTP won't start. An alias
 # will be created automatically by our management daemon.
 tools/editconf.py /etc/dovecot/conf.d/15-lda.conf \
-	postmaster_address=postmaster@$PRIMARY_HOSTNAME
+	"postmaster_address=postmaster@$PRIMARY_HOSTNAME"

 # ### Sieve

@ -210,14 +210,14 @@ chown -R mail:dovecot /etc/dovecot
 chmod -R o-rwx /etc/dovecot

 # Ensure mailbox files have a directory that exists and are owned by the mail user.
-mkdir -p $STORAGE_ROOT/mail/mailboxes
-chown -R mail:mail $STORAGE_ROOT/mail/mailboxes
+mkdir -p "$STORAGE_ROOT/mail/mailboxes"
+chown -R mail:mail "$STORAGE_ROOT/mail/mailboxes"

 # Same for the sieve scripts.
-mkdir -p $STORAGE_ROOT/mail/sieve
-mkdir -p $STORAGE_ROOT/mail/sieve/global_before
-mkdir -p $STORAGE_ROOT/mail/sieve/global_after
-chown -R mail:mail $STORAGE_ROOT/mail/sieve
+mkdir -p "$STORAGE_ROOT/mail/sieve"
+mkdir -p "$STORAGE_ROOT/mail/sieve/global_before"
+mkdir -p "$STORAGE_ROOT/mail/sieve/global_after"
+chown -R mail:mail "$STORAGE_ROOT/mail/sieve"

 # Allow the IMAP/POP ports in the firewall.
 ufw_allow imaps
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@ -65,9 +65,9 @@ apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates postfix
 # * Extend the SPF time limit to avoid timeouts chasing SPF records
 tools/editconf.py /etc/postfix/main.cf \
 	inet_interfaces=all \
-	smtp_bind_address=$PRIVATE_IP \
-	smtp_bind_address6=$PRIVATE_IPV6 \
-	myhostname=$PRIMARY_HOSTNAME\
+	smtp_bind_address="$PRIVATE_IP" \
+	smtp_bind_address6="$PRIVATE_IPV6" \
+	myhostname="$PRIMARY_HOSTNAME"\
 	smtpd_banner="\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)" \
 	mydestination=localhost

@ -159,9 +159,9 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
 tools/editconf.py /etc/postfix/main.cf \
 	smtpd_tls_security_level=may\
 	smtpd_tls_auth_only=yes \
-	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
-	smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
-	smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
+	smtpd_tls_cert_file="$STORAGE_ROOT/ssl/ssl_certificate.pem" \
+	smtpd_tls_key_file="$STORAGE_ROOT/ssl/ssl_private_key.pem" \
+	smtpd_tls_dh1024_param_file="$STORAGE_ROOT/ssl/dh2048.pem" \
 	smtpd_tls_protocols="!SSLv2,!SSLv3" \
 	smtpd_tls_ciphers=medium \
 	tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
@ -281,13 +281,13 @@ tools/editconf.py /etc/default/postgrey \


 # If the $STORAGE_ROOT/mail/postgrey is empty, copy the postgrey database over from the old location
-if [ ! -d $STORAGE_ROOT/mail/postgrey/db ]; then
+if [ ! -d "$STORAGE_ROOT/mail/postgrey/db" ]; then
 	# Stop the service
 	service postgrey stop
 	# Ensure the new paths for postgrey db exists
-	mkdir -p $STORAGE_ROOT/mail/postgrey/db
+	mkdir -p "$STORAGE_ROOT/mail/postgrey/db"
 	# Move over database files
-	mv /var/lib/postgrey/* $STORAGE_ROOT/mail/postgrey/db/ || true
+	mv /var/lib/postgrey/* "$STORAGE_ROOT/mail/postgrey/db/" || true
 fi
 # keep the postgrey local client whitelist file in STORAGE_ROOT so it
 # gets backed up
@ -299,8 +299,8 @@ fi
 ln -sf "$STORAGE_ROOT/mail/postgrey/whitelist_clients.local" \
       "/etc/postgrey/whitelist_clients.local"
 # Ensure permissions are set
-chown -R postgrey:postgrey $STORAGE_ROOT/mail/postgrey/
-chmod 700 $STORAGE_ROOT/mail/postgrey/{,db}
+chown -R postgrey:postgrey "$STORAGE_ROOT/mail/postgrey/"
+chmod 700 "$STORAGE_ROOT/mail/postgrey/"{,db}

 # We are going to setup a newer whitelist for postgrey, the version included in the distribution is old
 cat > /etc/cron.daily/mailinabox-postgrey-whitelist << EOF;
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@ -27,10 +27,10 @@ source /etc/mailinabox.conf # load global vars
 source ${STORAGE_ROOT}/ldap/miab_ldap.conf # user-data specific vars

 dovecot_setting() {
-    /usr/bin/doveconf $1 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}'
+    /usr/bin/doveconf "$1" 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}'
 }
 postfix_setting() {
-    /usr/sbin/postconf $1 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}'
+    /usr/sbin/postconf "$1" 2>/dev/null | awk -F= '{gsub(/^ +/, "", $2); print $2}'
 }

 # ### User Authentication
@ -249,7 +249,7 @@ chmod 0640 /etc/postfix/virtual-mailbox-maps.cf
 # This is the ldap version of aliases(5) but for virtual
 # addresses. Postfix queries this recursively to determine delivery
 # addresses. Aliases may be addresses, domains, and catch-alls.
-# 
+#
 cat > /etc/postfix/virtual-alias-maps.cf <<EOF
 server_host = ${LDAP_URL}
 bind = yes
@ -269,4 +269,3 @@ chmod 0640 /etc/postfix/virtual-alias-maps.cf

 restart_service postfix
 restart_service dovecot
-
--- a/setup/management.sh
+++ b/setup/management.sh
@ -61,9 +61,9 @@ hide_output $venv/bin/python3 -m pip install --upgrade \
 # CONFIGURATION

 # Create a backup directory and a random key for encrypting backups.
-mkdir -p $STORAGE_ROOT/backup
-if [ ! -f $STORAGE_ROOT/backup/secret_key.txt ]; then
-	$(umask 077; openssl rand -base64 2048 > $STORAGE_ROOT/backup/secret_key.txt)
+mkdir -p "$STORAGE_ROOT/backup"
+if [ ! -f "$STORAGE_ROOT/backup/secret_key.txt" ]; then
+	umask 077; openssl rand -base64 2048 > "$STORAGE_ROOT/backup/secret_key.txt"
 fi


@ -109,8 +109,8 @@ tr -cd '[:xdigit:]' < /dev/urandom | head -c 32 > /var/lib/mailinabox/api.key
 chmod 640 /var/lib/mailinabox/api.key

 source $venv/bin/activate
-export PYTHONPATH=$(pwd)/management
-exec gunicorn --log-level ${MGMT_LOG_LEVEL:-info} -b localhost:10222 -w 1 --timeout 630 wsgi:app
+export PYTHONPATH=$PWD/management
+exec gunicorn --log-level "${MGMT_LOG_LEVEL:-info}" -b localhost:10222 -w 1 --timeout 630 wsgi:app
 EOF
 chmod +x $inst_dir/start
 cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
@ -126,7 +126,7 @@ minute=$((RANDOM % 60))  # avoid overloading mailinabox.email
 cat > /etc/cron.d/mailinabox-nightly << EOF;
 # Mail-in-a-Box --- Do not edit / will be overwritten on update.
 # Run nightly tasks: backup, status checks.
-$minute 3 * * *	root	(cd $(pwd) && management/daily_tasks.sh)
+$minute 3 * * *	root	(cd $PWD && management/daily_tasks.sh)
 EOF

 # Start the management server.
--- a/setup/munin.sh
+++ b/setup/munin.sh
@ -50,7 +50,7 @@ chown munin /var/log/munin/munin-cgi-graph.log
 # ensure munin-node knows the name of this machine
 # and reduce logging level to warning
 tools/editconf.py /etc/munin/munin-node.conf -s \
-	host_name=$PRIMARY_HOSTNAME \
+	host_name="$PRIMARY_HOSTNAME" \
 	log_level=1

 # Update the activated plugins through munin's autoconfiguration.
@ -62,9 +62,9 @@ find /etc/munin/plugins/ -lname /usr/share/munin/plugins/ntp_ -print0 | xargs -0

 # Deactivate monitoring of network interfaces that are not up. Otherwise we can get a lot of empty charts.
 for f in $(find /etc/munin/plugins/ \( -lname /usr/share/munin/plugins/if_ -o -lname /usr/share/munin/plugins/if_err_ -o -lname /usr/share/munin/plugins/bonding_err_ \)); do
-	IF=$(echo $f | sed s/.*_//);
-	if ! grep -qFx up /sys/class/net/$IF/operstate 2>/dev/null; then
-		rm $f;
+	IF=$(echo "$f" | sed s/.*_//);
+	if ! grep -qFx up "/sys/class/net/$IF/operstate" 2>/dev/null; then
+		rm "$f";
 	fi;
 done

@ -72,7 +72,7 @@ done
 mkdir -p /var/lib/munin-node/plugin-state/

 # Create a systemd service for munin.
-ln -sf $(pwd)/management/munin_start.sh /usr/local/lib/mailinabox/munin_start.sh
+ln -sf "$PWD/management/munin_start.sh" /usr/local/lib/mailinabox/munin_start.sh
 chmod 0744 /usr/local/lib/mailinabox/munin_start.sh
 cp --remove-destination conf/munin.service /lib/systemd/system/munin.service # target was previously a symlink so remove first
 hide_output systemctl link -f /lib/systemd/system/munin.service
--- a/setup/network-checks.sh
+++ b/setup/network-checks.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 #####
 ##### This file is part of Mail-in-a-Box-LDAP which is released under the
 ##### terms of the GNU Affero General Public License as published by the
@ -15,7 +16,7 @@ apt_get_quiet install bind9-host sed netcat-openbsd
 # The user might have chosen a name that was previously in use by a spammer
 # and will not be able to reliably send mail. Do this after any automatic
 # choices made above.
-if host $PRIMARY_HOSTNAME.dbl.spamhaus.org > /dev/null; then
+if host "$PRIMARY_HOSTNAME.dbl.spamhaus.org" > /dev/null; then
 	echo
 	echo "The hostname you chose '$PRIMARY_HOSTNAME' is listed in the"
 	echo "Spamhaus Domain Block List. See http://www.spamhaus.org/dbl/"
@ -31,8 +32,8 @@ fi
 # The user might have ended up on an IP address that was previously in use
 # by a spammer, or the user may be deploying on a residential network. We
 # will not be able to reliably send mail in these cases.
-REVERSED_IPV4=$(echo $PUBLIC_IP | sed "s/\([0-9]*\).\([0-9]*\).\([0-9]*\).\([0-9]*\)/\4.\3.\2.\1/")
-if host $REVERSED_IPV4.zen.spamhaus.org > /dev/null; then
+REVERSED_IPV4=$(echo "$PUBLIC_IP" | sed "s/\([0-9]*\).\([0-9]*\).\([0-9]*\).\([0-9]*\)/\4.\3.\2.\1/")
+if host "$REVERSED_IPV4.zen.spamhaus.org" > /dev/null; then
 	echo
 	echo "The IP address $PUBLIC_IP is listed in the Spamhaus Block List."
 	echo "See http://www.spamhaus.org/query/ip/$PUBLIC_IP."
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@ -82,13 +82,13 @@ user_external_hash=a494073dcdecbbbc79a9c77f72524ac9994d2eec
 # Clear prior packages and install dependencies from apt.
 apt-get purge -qq -y owncloud* # we used to use the package manager

-apt_install curl php${PHP_VER} php${PHP_VER}-fpm \
-	php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-gd php${PHP_VER}-imap php${PHP_VER}-curl \
-	php${PHP_VER}-dev php${PHP_VER}-gd php${PHP_VER}-xml php${PHP_VER}-mbstring php${PHP_VER}-zip php${PHP_VER}-apcu \
-	php${PHP_VER}-intl php${PHP_VER}-imagick php${PHP_VER}-gmp php${PHP_VER}-bcmath
+apt_install curl php"${PHP_VER}" php"${PHP_VER}"-fpm \
+	php"${PHP_VER}"-cli php"${PHP_VER}"-sqlite3 php"${PHP_VER}"-gd php"${PHP_VER}"-imap php"${PHP_VER}"-curl \
+	php"${PHP_VER}"-dev php"${PHP_VER}"-gd php"${PHP_VER}"-xml php"${PHP_VER}"-mbstring php"${PHP_VER}"-zip php"${PHP_VER}"-apcu \
+	php"${PHP_VER}"-intl php"${PHP_VER}"-imagick php"${PHP_VER}"-gmp php"${PHP_VER}"-bcmath

 # Enable APC before Nextcloud tools are run.
-tools/editconf.py /etc/php/$PHP_VER/mods-available/apcu.ini -c ';' \
+tools/editconf.py /etc/php/"$PHP_VER"/mods-available/apcu.ini -c ';' \
 	apc.enabled=1 \
 	apc.enable_cli=1

@ -108,7 +108,7 @@ InstallNextcloud() {
 	echo

    # Download and verify
-	get_nc_download_url $version .zip
+	get_nc_download_url "$version" .zip
 	download_link "$DOWNLOAD_URL" to-file use-cache "$DOWNLOAD_URL_CACHE_ID" "" "$hash"
 	rm -f /tmp/nextcloud.zip
 	$DOWNLOAD_FILE_REMOVE && mv "$DOWNLOAD_FILE" /tmp/nextcloud.zip || ln -s "$DOWNLOAD_FILE" /tmp/nextcloud.zip
@ -125,11 +125,11 @@ InstallNextcloud() {
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps

-	wget_verify https://github.com/nextcloud-releases/contacts/archive/refs/tags/v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz
+	wget_verify "https://github.com/nextcloud-releases/contacts/archive/refs/tags/v$version_contacts.tar.gz" "$hash_contacts" /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz

-	wget_verify https://github.com/nextcloud-releases/calendar/archive/refs/tags/v$version_calendar.tar.gz $hash_calendar /tmp/calendar.tgz
+	wget_verify "https://github.com/nextcloud-releases/calendar/archive/refs/tags/v$version_calendar.tar.gz" "$hash_calendar" /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz

@ -141,7 +141,7 @@ InstallNextcloud() {
 			git_clone https://github.com/nextcloud/user_external.git "$version_user_external" '' /usr/local/lib/owncloud/apps/user_external
 	else
 			# otherwise, download a release
-			wget_verify https://github.com/nextcloud-releases/user_external/releases/download/v$version_user_external/user_external-v$version_user_external.tar.gz $hash_user_external /tmp/user_external.tgz
+			wget_verify "https://github.com/nextcloud-releases/user_external/releases/download/v$version_user_external/user_external-v$version_user_external.tar.gz" "$hash_user_external" /tmp/user_external.tgz
 			tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/
 			rm /tmp/user_external.tgz
 		fi
@ -152,33 +152,35 @@ InstallNextcloud() {

 	# Create a symlink to the config.php in STORAGE_ROOT (for upgrades we're restoring the symlink we previously
 	# put in, and in new installs we're creating a symlink and will create the actual config later).
-	ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
+	ln -sf "$STORAGE_ROOT/owncloud/config.php" /usr/local/lib/owncloud/config/config.php

 	# Make sure permissions are correct or the upgrade step won't run.
 	# $STORAGE_ROOT/owncloud may not yet exist, so use -f to suppress
 	# that error.
-	chown -f -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud || /bin/true
+	chown -f -R www-data:www-data "$STORAGE_ROOT/owncloud" /usr/local/lib/owncloud || /bin/true

 	# If this isn't a new installation, immediately run the upgrade script.
 	# Then check for success (0=ok and 3=no upgrade needed, both are success).
-	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
+	if [ -e "$STORAGE_ROOT/owncloud/owncloud.db" ]; then
 		# ownCloud 8.1.1 broke upgrades. It may fail on the first attempt, but
 		# that can be OK.
-		hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade
-		if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then
+		hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ upgrade
+		E=$?
+		if [ $E -ne 0 ] && [ $E -ne 3 ]; then
 			echo "Trying ownCloud upgrade again to work around ownCloud upgrade bug..."
-			sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade
-			if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
-			sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ maintenance:mode --off
+			sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ upgrade
+			E=$?
+			if [ $E -ne 0 ] && [ $E -ne 3 ]; then exit 1; fi
+			sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ maintenance:mode --off
 			echo "...which seemed to work."
 		fi

 		# Add missing indices. NextCloud didn't include this in the normal upgrade because it might take some time.
-		hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:add-missing-indices
-		hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:add-missing-primary-keys
+		hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ db:add-missing-indices
+		hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ db:add-missing-primary-keys

 		# Run conversion to BigInt identifiers, this process may take some time on large tables.
-		hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ db:convert-filecache-bigint --no-interaction
+		hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ db:convert-filecache-bigint --no-interaction
 	fi
 }

@ -194,7 +196,7 @@ if [ -d "/usr/local/lib/owncloud" ]; then
 fi
 # If config.php exists, get version number, otherwise CURRENT_NEXTCLOUD_VER is empty.
 if [ -f "$STORAGE_ROOT/owncloud/config.php" ]; then
-	CURRENT_NEXTCLOUD_VER=$(php$PHP_VER -r "include(\"$STORAGE_ROOT/owncloud/config.php\"); echo(\$CONFIG['version']);")
+	CURRENT_NEXTCLOUD_VER=$(php"$PHP_VER" -r "include(\"$STORAGE_ROOT/owncloud/config.php\"); echo(\$CONFIG['version']);")
 else
 	CURRENT_NEXTCLOUD_VER=""
 fi
@ -204,7 +206,7 @@ fi
 if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextcloud_ver ]]; then

 	# Stop php-fpm if running. If they are not running (which happens on a previously failed install), dont bail.
-	service php$PHP_VER-fpm stop &> /dev/null || /bin/true
+	service php"$PHP_VER"-fpm stop &> /dev/null || /bin/true

 	# Backup the existing ownCloud/Nextcloud.
 	# Create a backup directory to store the current installation and database to
@ -214,21 +216,21 @@ if [ ! -d /usr/local/lib/owncloud/ ] || [[ ! ${CURRENT_NEXTCLOUD_VER} =~ ^$nextc
 		echo "Upgrading Nextcloud --- backing up existing installation, configuration, and database to directory to $BACKUP_DIRECTORY..."
 		cp -r /usr/local/lib/owncloud "$BACKUP_DIRECTORY/owncloud-install"
 	fi
-	if [ -e $STORAGE_ROOT/owncloud/owncloud.db ]; then
-		cp $STORAGE_ROOT/owncloud/owncloud.db $BACKUP_DIRECTORY
+	if [ -e "$STORAGE_ROOT/owncloud/owncloud.db" ]; then
+		cp "$STORAGE_ROOT/owncloud/owncloud.db" "$BACKUP_DIRECTORY"
 	fi
-	if [ -e $STORAGE_ROOT/owncloud/config.php ]; then
-		cp $STORAGE_ROOT/owncloud/config.php $BACKUP_DIRECTORY
+	if [ -e "$STORAGE_ROOT/owncloud/config.php" ]; then
+		cp "$STORAGE_ROOT/owncloud/config.php" "$BACKUP_DIRECTORY"
 	fi

 	# If ownCloud or Nextcloud was previously installed....
-	if [ ! -z ${CURRENT_NEXTCLOUD_VER} ]; then
+	if [ -n "${CURRENT_NEXTCLOUD_VER}" ]; then
 		# Database migrations from ownCloud are no longer possible because ownCloud cannot be run under
 		# PHP 7.

-		if [ -e $STORAGE_ROOT/owncloud/config.php ]; then
+		if [ -e "$STORAGE_ROOT/owncloud/config.php" ]; then
 			# Remove the read-onlyness of the config, which is needed for migrations, especially for v24
-			sed -i -e '/config_is_read_only/d' $STORAGE_ROOT/owncloud/config.php
+			sed -i -e '/config_is_read_only/d' "$STORAGE_ROOT/owncloud/config.php"
 		fi

 		if [[ ${CURRENT_NEXTCLOUD_VER} =~ ^[89] ]]; then
@ -276,13 +278,13 @@ fi

 # Setup Nextcloud if the Nextcloud database does not yet exist. Running setup when
 # the database does exist wipes the database and user data.
-if [ ! -f $STORAGE_ROOT/owncloud/owncloud.db ]; then
+if [ ! -f "$STORAGE_ROOT/owncloud/owncloud.db" ]; then
 	# Create user data directory
-	mkdir -p $STORAGE_ROOT/owncloud
+	mkdir -p "$STORAGE_ROOT/owncloud"

 	# Create an initial configuration file.
-	instanceid=oc$(echo $PRIMARY_HOSTNAME | sha1sum | fold -w 10 | head -n 1)
-	cat > $STORAGE_ROOT/owncloud/config.php <<EOF;
+	instanceid=oc$(echo "$PRIMARY_HOSTNAME" | sha1sum | fold -w 10 | head -n 1)
+	cat > "$STORAGE_ROOT/owncloud/config.php" <<EOF;
 <?php
 \$CONFIG = array (
  'datadirectory' => '$STORAGE_ROOT/owncloud',
@ -335,12 +337,12 @@ EOF
 EOF

 	# Set permissions
-	chown -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
+	chown -R www-data:www-data "$STORAGE_ROOT/owncloud" /usr/local/lib/owncloud

 	# Execute Nextcloud's setup step, which creates the Nextcloud sqlite database.
 	# It also wipes it if it exists. And it updates config.php with database
 	# settings and deletes the autoconfig.php file.
-	(cd /usr/local/lib/owncloud; sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/index.php;)
+	(cd /usr/local/lib/owncloud || exit; sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/index.php;)
 fi

 # Update config.php.
@ -356,7 +358,7 @@ fi
 # Use PHP to read the settings file, modify it, and write out the new settings array.
 TIMEZONE=$(cat /etc/timezone)
 CONFIG_TEMP=$(/bin/mktemp)
-php$PHP_VER <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php;
+php"$PHP_VER" <<EOF > "$CONFIG_TEMP" && mv "$CONFIG_TEMP" "$STORAGE_ROOT/owncloud/config.php";
 <?php
 include("$STORAGE_ROOT/owncloud/config.php");

@ -387,31 +389,32 @@ var_export(\$CONFIG);
 echo ";";
 ?>
 EOF
-chown www-data:www-data $STORAGE_ROOT/owncloud/config.php
+chown www-data:www-data "$STORAGE_ROOT/owncloud/config.php"

 # Enable/disable apps. Note that this must be done after the Nextcloud setup.
 # The firstrunwizard gave Josh all sorts of problems, so disabling that.
 # user_external is what allows Nextcloud to use IMAP for login. The contacts
 # and calendar apps are the extensions we really care about here.
-hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:disable firstrunwizard
-hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable user_external
-hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable contacts
-hide_output sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/console.php app:enable calendar
+hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:disable firstrunwizard
+hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:enable user_external
+hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:enable contacts
+hide_output sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/console.php app:enable calendar

 # When upgrading, run the upgrade script again now that apps are enabled. It seems like
 # the first upgrade at the top won't work because apps may be disabled during upgrade?
 # Check for success (0=ok, 3=no upgrade needed).
-sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ upgrade
-if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
+sudo -u www-data php"$PHP_VER" /usr/local/lib/owncloud/occ upgrade
+E=$?
+if [ $E -ne 0 ] && [ $E -ne 3 ]; then exit 1; fi

 # Disable default apps that we don't support
 sudo -u www-data \
-	php$PHP_VER /usr/local/lib/owncloud/occ app:disable photos dashboard activity \
+	php"$PHP_VER" /usr/local/lib/owncloud/occ app:disable photos dashboard activity \
 	| (grep -v "No such app enabled" || /bin/true)

 # Set PHP FPM values to support large file uploads
 # (semicolon is the comment character in this file, hashes produce deprecation warnings)
-tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/"$PHP_VER"/fpm/php.ini -c ';' \
 	upload_max_filesize=16G \
 	post_max_size=16G \
 	output_buffering=16384 \
@ -420,7 +423,7 @@ tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
 	short_open_tag=On

 # Set Nextcloud recommended opcache settings
-tools/editconf.py /etc/php/$PHP_VER/cli/conf.d/10-opcache.ini -c ';' \
+tools/editconf.py /etc/php/"$PHP_VER"/cli/conf.d/10-opcache.ini -c ';' \
 	opcache.enable=1 \
 	opcache.enable_cli=1 \
 	opcache.interned_strings_buffer=8 \
@ -434,7 +437,7 @@ tools/editconf.py /etc/php/$PHP_VER/cli/conf.d/10-opcache.ini -c ';' \
 # This version was probably in use in Mail-in-a-Box v0.41 (February 26, 2019) and earlier.
 # We moved to v0.6.3 in 193763f8. Ignore errors - maybe there are duplicated users with the
 # correct backend already.
-sqlite3 $STORAGE_ROOT/owncloud/owncloud.db "UPDATE oc_users_external SET backend='127.0.0.1';" || /bin/true
+sqlite3 "$STORAGE_ROOT/owncloud/owncloud.db" "UPDATE oc_users_external SET backend='127.0.0.1';" || /bin/true

 # Set up a general cron job for Nextcloud.
 # Also add another job for Calendar updates, per advice in the Nextcloud docs
@ -449,11 +452,11 @@ chmod +x /etc/cron.d/mailinabox-nextcloud

 # We also need to change the sending mode from background-job to occ.
 # Or else the reminders will just be sent as soon as possible when the background jobs run.
-hide_output sudo -u www-data php$PHP_VER -f /usr/local/lib/owncloud/occ config:app:set dav sendEventRemindersMode --value occ
+hide_output sudo -u www-data php"$PHP_VER" -f /usr/local/lib/owncloud/occ config:app:set dav sendEventRemindersMode --value occ

 # Now set the config to read-only.
 # Do this only at the very bottom when no further occ commands are needed.
-sed -i'' "s/'config_is_read_only'\s*=>\s*false/'config_is_read_only' => true/" $STORAGE_ROOT/owncloud/config.php
+sed -i'' "s/'config_is_read_only'\s*=>\s*false/'config_is_read_only' => true/" "$STORAGE_ROOT/owncloud/config.php"

 # Rotate the nextcloud.log file
 cat > /etc/logrotate.d/nextcloud <<EOF
@ -478,4 +481,4 @@ EOF
 # ```

 # Enable PHP modules and restart PHP.
-restart_service php$PHP_VER-fpm
+restart_service php"$PHP_VER"-fpm
--- a/setup/questions.sh
+++ b/setup/questions.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 #####
 ##### This file is part of Mail-in-a-Box-LDAP which is released under the
 ##### terms of the GNU Affero General Public License as published by the
@ -16,7 +17,7 @@ if [ -z "${NONINTERACTIVE:-}" ]; then
 	#
 	# Also install dependencies needed to validate the email address.
 	if [ ! -f /usr/bin/dialog ] || [ ! -f /usr/bin/python3 ] || [ ! -f /usr/bin/pip3 ]; then
-		echo Installing packages needed for setup...
+		echo "Installing packages needed for setup..."
 		apt-get -q -q update
 		apt_get_quiet install dialog python3 python3-pip python3-ldap3 || exit 1
 	fi
@ -40,7 +41,7 @@ if [ -z "${PRIMARY_HOSTNAME:-}" ]; then
 		# domain the user possibly wants to use is example.com then.
 		# We strip the string "box." from the hostname to get the mail
 		# domain. If the hostname differs, nothing happens here.
-		DEFAULT_DOMAIN_GUESS=$(echo $(get_default_hostname) | sed -e 's/^box\.//')
+		DEFAULT_DOMAIN_GUESS=$(get_default_hostname | sed -e 's/^box\.//')

 		# This is the first run. Ask the user for his email address so we can
 		# provide the best default for the box's hostname.
@ -64,7 +65,7 @@ you really want.
 		do
 			input_box "Your Email Address" \
 				"That's not a valid email address.\n\nWhat email address are you setting this box up to manage?" \
-				$EMAIL_ADDR \
+				"$EMAIL_ADDR" \
 				EMAIL_ADDR
 			if [ -z "$EMAIL_ADDR" ]; then
 				# user hit ESC/cancel
@ -74,7 +75,7 @@ you really want.

 		# Take the part after the @-sign as the user's domain name, and add
 		# 'box.' to the beginning to create a default hostname for this machine.
-		DEFAULT_PRIMARY_HOSTNAME=box.$(echo $EMAIL_ADDR | sed 's/.*@//')
+		DEFAULT_PRIMARY_HOSTNAME=box.$(echo "$EMAIL_ADDR" | sed 's/.*@//')
 	fi

 	input_box "Hostname" \
@ -83,7 +84,7 @@ you really want.
 address, so we're suggesting $DEFAULT_PRIMARY_HOSTNAME.
 \n\nYou can change it, but we recommend you don't.
 \n\nHostname:" \
-		$DEFAULT_PRIMARY_HOSTNAME \
+		"$DEFAULT_PRIMARY_HOSTNAME" \
 		PRIMARY_HOSTNAME

 	if [ -z "$PRIMARY_HOSTNAME" ]; then
@ -101,7 +102,7 @@ if [ -z "${PUBLIC_IP:-}" ]; then

 	# On the first run, if we got an answer from the Internet then don't
 	# ask the user.
-	if [[ -z "${DEFAULT_PUBLIC_IP:-}" && ! -z "$GUESSED_IP" ]]; then
+	if [[ -z "${DEFAULT_PUBLIC_IP:-}" && -n "$GUESSED_IP" ]]; then
 		PUBLIC_IP=$GUESSED_IP

 	# Otherwise on the first run at least provide a default.
@ -118,7 +119,7 @@ if [ -z "${PUBLIC_IP:-}" ]; then
 		input_box "Public IP Address" \
 			"Enter the public IP address of this machine, as given to you by your ISP.
 			\n\nPublic IP address:" \
-			${DEFAULT_PUBLIC_IP:-} \
+			"${DEFAULT_PUBLIC_IP:-}" \
 			PUBLIC_IP

 		if [ -z "$PUBLIC_IP" ]; then
@ -134,7 +135,7 @@ if [ -z "${PUBLIC_IPV6:-}" ]; then
 	# Ask the Internet.
 	GUESSED_IP=$(get_publicip_from_web_service 6)
 	MATCHED=0
-	if [[ -z "${DEFAULT_PUBLIC_IPV6:-}" && ! -z "$GUESSED_IP" ]]; then
+	if [[ -z "${DEFAULT_PUBLIC_IPV6:-}" && -n "$GUESSED_IP" ]]; then
 		PUBLIC_IPV6=$GUESSED_IP
 	elif [[ "${DEFAULT_PUBLIC_IPV6:-}" == "$GUESSED_IP" ]]; then
 		# No IPv6 entered and machine seems to have none, or what
@ -150,10 +151,10 @@ if [ -z "${PUBLIC_IPV6:-}" ]; then
 			"Enter the public IPv6 address of this machine, as given to you by your ISP.
 			\n\nLeave blank if the machine does not have an IPv6 address.
 			\n\nPublic IPv6 address:" \
-			${DEFAULT_PUBLIC_IPV6:-} \
+			"${DEFAULT_PUBLIC_IPV6:-}" \
 			PUBLIC_IPV6

-		if [ ! $PUBLIC_IPV6_EXITCODE ]; then
+		if [ ! -n "$PUBLIC_IPV6_EXITCODE" ]; then
 			# user hit ESC/cancel
 			exit
 		fi
@ -206,7 +207,7 @@ fi
 echo
 echo "Primary Hostname: $PRIMARY_HOSTNAME"
 echo "Public IP Address: $PUBLIC_IP"
-if [ ! -z "$PUBLIC_IPV6" ]; then
+if [ -n "$PUBLIC_IPV6" ]; then
 	echo "Public IPv6 Address: $PUBLIC_IPV6"
 fi
 if [ "$PRIVATE_IP" != "$PUBLIC_IP" ]; then
@ -216,6 +217,6 @@ if [ "$PRIVATE_IPV6" != "$PUBLIC_IPV6" ]; then
 	echo "Private IPv6 Address: $PRIVATE_IPV6"
 fi
 if [ -f /usr/bin/git ] && [ -d .git ]; then
-	echo "Mail-in-a-Box Version: " $(git describe --always)
+	echo "Mail-in-a-Box Version: $(git describe --always)"
 fi
 echo
--- a/setup/spamassassin.sh
+++ b/setup/spamassassin.sh
@ -162,11 +162,11 @@ EOF
 # the filemode in the config file.

 tools/editconf.py /etc/spamassassin/local.cf -s \
-	bayes_path=$STORAGE_ROOT/mail/spamassassin/bayes \
+	bayes_path="$STORAGE_ROOT/mail/spamassassin/bayes" \
 	bayes_file_mode=0666

-mkdir -p $STORAGE_ROOT/mail/spamassassin
-chown -R spampd:spampd $STORAGE_ROOT/mail/spamassassin
+mkdir -p "$STORAGE_ROOT/mail/spamassassin"
+chown -R spampd:spampd "$STORAGE_ROOT/mail/spamassassin"

 # To mark mail as spam or ham, just drag it in or out of the Spam folder. We'll
 # use the Dovecot antispam plugin to detect the message move operation and execute
@ -211,8 +211,8 @@ chmod a+x /usr/local/bin/sa-learn-pipe.sh
 # Create empty bayes training data (if it doesn't exist). Once the files exist,
 # ensure they are group-writable so that the Dovecot process has access.
 sudo -u spampd /usr/bin/sa-learn --sync 2>/dev/null
-chmod -R 660 $STORAGE_ROOT/mail/spamassassin
-chmod 770 $STORAGE_ROOT/mail/spamassassin
+chmod -R 660 "$STORAGE_ROOT/mail/spamassassin"
+chmod 770 "$STORAGE_ROOT/mail/spamassassin"

 # Initial training?
 # sa-learn --ham storage/mail/mailboxes/*/*/cur/
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@ -37,11 +37,11 @@ source /etc/mailinabox.conf # load global vars

 # Show a status line if we are going to take any action in this file.
 if	[ ! -f /usr/bin/openssl ] \
- || [ ! -s $STORAGE_ROOT/ssl/ca_private_key.pem ] \
- || [ ! -f $STORAGE_ROOT/ssl/ca_certificate.pem ] \
- || [ ! -s $STORAGE_ROOT/ssl/ssl_private_key.pem ] \
- || [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ] \
- || [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
+ || [ ! -s "$STORAGE_ROOT/ssl/ca_private_key.pem" ] \
+ || [ ! -f "$STORAGE_ROOT/ssl/ca_certificate.pem" ] \
+ || [ ! -s "$STORAGE_ROOT/ssl/ssl_private_key.pem" ] \
+ || [ ! -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" ] \
+ || [ ! -f "$STORAGE_ROOT/ssl/dh2048.pem" ]; then
 	echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..."
 fi

@ -51,7 +51,7 @@ apt_install openssl

 # Create a directory to store TLS-related things like "SSL" certificates.

-mkdir -p $STORAGE_ROOT/ssl
+mkdir -p "$STORAGE_ROOT/ssl"

 # Generate new private keys.
 #
@ -73,62 +73,62 @@ mkdir -p $STORAGE_ROOT/ssl
 #
 # Since we properly seed /dev/urandom in system.sh we should be fine, but I leave
 # in the rest of the notes in case that ever changes.
-if [ ! -s $STORAGE_ROOT/ssl/ca_private_key.pem ]; then
+if [ ! -s "$STORAGE_ROOT/ssl/ca_private_key.pem" ]; then
 	# Set the umask so the key file is never world-readable.
 	(umask 077; hide_output \
 		openssl genrsa -aes256 -passout 'pass:SECRET-PASSWORD' \
-		-out $STORAGE_ROOT/ssl/ca_private_key.pem 4096)
+		-out "$STORAGE_ROOT/ssl/ca_private_key.pem" 4096)

 	# remove the existing ca-certificate, it must be regenerated
-	rm -f $STORAGE_ROOT/ssl/ca_certificate.pem
-	
+	rm -f "$STORAGE_ROOT/ssl/ca_certificate.pem"
+
 	# Remove the ssl_certificate.pem symbolic link to force a
 	# regeneration of a self-signed server certificate. Old certs need
 	# to be signed by the new ca.
-	if [ -L $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
+	if [ -L "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then
        # Get the name of the certificate issuer
-        issuer="$(openssl x509 -issuer -nocert -in $STORAGE_ROOT/ssl/ssl_certificate.pem)"
-        
+        issuer="$(openssl x509 -issuer -nocert -in "$STORAGE_ROOT/ssl/ssl_certificate.pem")"
+
        # Determine if the ssl cert if self-signed. If unique hashes is 1,
        # the cert is self-signed (pior versions of MiaB used self-signed
        # certs).
-        uniq_hashes="$(openssl x509 -subject_hash -issuer_hash -nocert -in $STORAGE_ROOT/ssl/ssl_certificate.pem | uniq | wc -l)"
-        
+        uniq_hashes="$(openssl x509 -subject_hash -issuer_hash -nocert -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" | uniq | wc -l)"
+
        if [ "$uniq_hashes" == "1" ] || grep "Temporary-Mail-In-A-Box-CA" <<<"$issuer" >/dev/null
        then
-		    rm -f $STORAGE_ROOT/ssl/ssl_certificate.pem
+		    rm -f "$STORAGE_ROOT/ssl/ssl_certificate.pem"
 	    fi
    fi
 fi

-if [ ! -s $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
+if [ ! -s "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then
 	# Set the umask so the key file is never world-readable.
 	(umask 037; hide_output \
-		openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
-	
+		openssl genrsa -out "$STORAGE_ROOT/ssl/ssl_private_key.pem" 2048)
+
 	# Remove the ssl_certificate.pem symbolic link to force a
 	# regeneration of the server certificate. It needs to be
 	# signed by the new ca.
-	if [ -L $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
-		rm -f $STORAGE_ROOT/ssl/ssl_certificate.pem
+	if [ -L "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then
+		rm -f "$STORAGE_ROOT/ssl/ssl_certificate.pem"
 	fi
 fi

 # Give the group 'ssl-cert' read access so slapd can read it
 groupadd -fr ssl-cert
-chgrp ssl-cert $STORAGE_ROOT/ssl/ssl_private_key.pem
-chmod g+r $STORAGE_ROOT/ssl/ssl_private_key.pem
+chgrp ssl-cert "$STORAGE_ROOT/ssl/ssl_private_key.pem"
+chmod g+r "$STORAGE_ROOT/ssl/ssl_private_key.pem"

 #
 # Generate a root CA certificate
 #
-if [ ! -f $STORAGE_ROOT/ssl/ca_certificate.pem ]; then
+if [ ! -f "$STORAGE_ROOT/ssl/ca_certificate.pem" ]; then
 	# Generate the self-signed certificate.
-	CERT=$STORAGE_ROOT/ssl/ca_certificate.pem
+	CERT="$STORAGE_ROOT/ssl/ca_certificate.pem"
 	hide_output \
 	openssl req -new -x509 \
 	  -days 3650 -sha384 \
-	  -key $STORAGE_ROOT/ssl/ca_private_key.pem \
+	  -key "$STORAGE_ROOT/ssl/ca_private_key.pem" \
 	  -passin 'pass:SECRET-PASSWORD' \
 	  -out $CERT \
 	  -subj '/CN=Temporary-Mail-In-A-Box-CA'
@ -139,9 +139,9 @@ if [ ! -e /usr/local/share/ca-certificates/mailinabox.crt ]; then
 	# this is required for openldap's TLS implementation
    # do this as a separate step in case a CA certificate is manually
    # copied onto the machine for QA/test
-	CERT=$STORAGE_ROOT/ssl/ca_certificate.pem
+	CERT="$STORAGE_ROOT/ssl/ca_certificate.pem"
 	hide_output \
-	  cp $CERT /usr/local/share/ca-certificates/mailinabox.crt
+	  cp "$CERT" /usr/local/share/ca-certificates/mailinabox.crt
 	hide_output \
 	  update-ca-certificates
 fi
@ -150,28 +150,28 @@ fi
 # Generate a signed SSL certificate because things like nginx, dovecot,
 # etc. won't even start without some certificate in place, and we need nginx
 # so we can offer the user a control panel to install a better certificate.
-if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
-	# # Generate a certificate signing request.
-	CSR=/tmp/ssl_cert_sign_req-$$.csr
+if [ ! -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then
+	# Generate a certificate signing request.
+	CSR="$(mktemp XXXXXXXXXX.csr)"
 	hide_output \
-	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CSR \
+	openssl req -new -key "$STORAGE_ROOT/ssl/ssl_private_key.pem" -out "$CSR" \
 	  -sha256 -subj "/CN=$PRIMARY_HOSTNAME"

 	# create a ca database (directory) for openssl
-	CADIR=$STORAGE_ROOT/ssl/ca
-	mkdir -p $CADIR/newcerts
-	touch $CADIR/index.txt $CADIR/index.txt.attr
-	[ ! -e $CADIR/serial ] && date +%s > $CADIR/serial
+	CADIR="$STORAGE_ROOT/ssl/ca"
+	mkdir -p "$CADIR/newcerts"
+	touch "$CADIR/index.txt" "$CADIR/index.txt.attr"
+	[ ! -e "$CADIR/serial" ] && date +%s > "$CADIR/serial"

 	# Generate the signed certificate.
-	CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-cert-$(date --rfc-3339=date | sed s/-//g).pem
+	CERT="$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-cert-$(date --rfc-3339=date | sed s/-//g).pem"
 	hide_output \
 	openssl ca -batch \
-		-keyfile $STORAGE_ROOT/ssl/ca_private_key.pem \
-		-cert $STORAGE_ROOT/ssl/ca_certificate.pem \
+		-keyfile "$STORAGE_ROOT/ssl/ca_private_key.pem" \
+		-cert "$STORAGE_ROOT/ssl/ca_certificate.pem" \
 		-passin 'pass:SECRET-PASSWORD' \
-		-in $CSR \
-		-out $CERT \
+		-in "$CSR" \
+		-out "$CERT" \
 		-days 365 \
 		-name miab_ca \
 		-config - <<< "
@ -206,16 +206,16 @@ authorityKeyIdentifier	= keyid,issuer
 "

 	# Delete the certificate signing request because it has no other purpose.
-	rm -f $CSR
+	rm -f "$CSR"

 	# Symlink the certificates into the system certificate path, so system services
 	# can find it.
-	ln -s $CERT $STORAGE_ROOT/ssl/ssl_certificate.pem
+	ln -s "$CERT" "$STORAGE_ROOT/ssl/ssl_certificate.pem"
 fi

 # Generate some Diffie-Hellman cipher bits.
 # openssl's default bit length for this is 1024 bits, but we'll create
 # 2048 bits of bits per the latest recommendations.
-if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
-	openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
+if [ ! -f "$STORAGE_ROOT/ssl/dh2048.pem" ]; then
+	openssl dhparam -out "$STORAGE_ROOT/ssl/dh2048.pem" 2048
 fi
--- a/setup/start.sh
+++ b/setup/start.sh
@ -37,7 +37,7 @@ export LC_TYPE=en_US.UTF-8
 export NCURSES_NO_UTF8_ACS=1

 # if encryption-at-rest is enabled, make sure the drive is mounted
-ehdd/mount.sh    
+ehdd/mount.sh

 # Recall the last settings used if we're running this a second time.
 if [ -f /etc/mailinabox.conf ]; then
@ -58,7 +58,7 @@ fi
 # in the first dialog prompt, so we should do this before that starts.
 cat > /usr/local/bin/mailinabox << EOF;
 #!/bin/bash
-cd $(pwd)
+cd $PWD
 source $(source ehdd/ehdd_funcs.sh; if hdd_exists; then echo 'ehdd/start-encrypted.sh'; else echo 'setup/start.sh'; fi)
 EOF
 chmod +x /usr/local/bin/mailinabox
@ -87,22 +87,22 @@ fi
 # migration (schema) number for the files stored there, assume this is a fresh
 # installation to that directory and write the file to contain the current
 # migration number for this version of Mail-in-a-Box.
-if ! id -u $STORAGE_USER >/dev/null 2>&1; then
-	useradd -m $STORAGE_USER
+if ! id -u "$STORAGE_USER" >/dev/null 2>&1; then
+	useradd -m "$STORAGE_USER"
 	# default permissions for new home directories in jammy (ubuntu
 	# 22) changed from 0755 to 0750. openldap (slapd.service) runs
 	# under its own user account (openldap) and requires access to
 	# STORAGE_ROOT
-	chmod o+x $STORAGE_ROOT
+	chmod o+x "$STORAGE_ROOT"
 fi
-if [ ! -d $STORAGE_ROOT ]; then
-	mkdir -p $STORAGE_ROOT
+if [ ! -d "$STORAGE_ROOT" ]; then
+	mkdir -p "$STORAGE_ROOT"
 fi
 f=$STORAGE_ROOT
 while [[ $f != / ]]; do chmod a+rx "$f"; f=$(dirname "$f"); done;
-if [ ! -f $STORAGE_ROOT/mailinabox-ldap.version ]; then
-	setup/migrate.py --current > $STORAGE_ROOT/mailinabox-ldap.version
-	chown $STORAGE_USER:$STORAGE_USER $STORAGE_ROOT/mailinabox-ldap.version
+if [ ! -f "$STORAGE_ROOT/mailinabox-ldap.version" ]; then
+	setup/migrate.py --current > "$STORAGE_ROOT/mailinabox-ldap.version"
+	chown "$STORAGE_USER:$STORAGE_USER" "$STORAGE_ROOT/mailinabox-ldap.version"
 fi

 # normalize the directory path for setup mods
@ -161,14 +161,14 @@ source setup/firstuser.sh
 # We'd let certbot ask the user interactively, but when this script is
 # run in the recommended curl-pipe-to-bash method there is no TTY and
 # certbot will fail if it tries to ask.
-if [ -z "${SKIP_CERTBOT:-}" ] && [ ! -d $STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/ ]; then
+if [ -z "${SKIP_CERTBOT:-}" ] && [ ! -d "$STORAGE_ROOT/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/" ]; then
 echo
 echo "-----------------------------------------------"
 echo "Mail-in-a-Box uses Let's Encrypt to provision free SSL/TLS certificates"
 echo "to enable HTTPS connections to your box. We're automatically"
 echo "agreeing you to their subscriber agreement. See https://letsencrypt.org."
 echo
-certbot register --register-unsafely-without-email --agree-tos --config-dir $STORAGE_ROOT/ssl/lets_encrypt
+certbot register --register-unsafely-without-email --agree-tos --config-dir "$STORAGE_ROOT/ssl/lets_encrypt"
 fi

 #
@ -179,27 +179,27 @@ source setup/setupmods.sh
 echo
 echo "-----------------------------------------------"
 echo
-echo Your Mail-in-a-Box is running.
+echo "Your Mail-in-a-Box is running."
 echo
-echo Please log in to the control panel for further instructions at:
+echo "Please log in to the control panel for further instructions at:"
 echo
 if management/status_checks.py --check-primary-hostname; then
 	# Show the nice URL if it appears to be resolving and has a valid certificate.
-	echo https://$PRIMARY_HOSTNAME/admin
+	echo "https://$PRIMARY_HOSTNAME/admin"
 	echo
 	echo "If you have a DNS problem put the box's IP address in the URL"
 	echo "(https://$PUBLIC_IP/admin) but then check the TLS fingerprint:"
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
+	openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\
        	| sed "s/SHA256 Fingerprint=//i"
 else
-	echo https://$PUBLIC_IP/admin
+	echo "https://$PUBLIC_IP/admin"
 	echo
-	echo You will be alerted that the website has an invalid certificate. Check that
-	echo the certificate fingerprint matches:
+	echo "You will be alerted that the website has an invalid certificate. Check that"
+	echo "the certificate fingerprint matches:"
 	echo
-	openssl x509 -in $STORAGE_ROOT/ssl/ssl_certificate.pem -noout -fingerprint -sha256\
+	openssl x509 -in "$STORAGE_ROOT/ssl/ssl_certificate.pem" -noout -fingerprint -sha256\
        	| sed "s/SHA256 Fingerprint=//i"
 	echo
-	echo Then you can confirm the security exception and continue.
+	echo "Then you can confirm the security exception and continue."
 	echo
 fi
--- a/setup/system.sh
+++ b/setup/system.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 #####
 ##### This file is part of Mail-in-a-Box-LDAP which is released under the
 ##### terms of the GNU Affero General Public License as published by the
@ -20,8 +21,8 @@ source setup/functions.sh # load our functions
 #
 # First set the hostname in the configuration file, then activate the setting

-echo $PRIMARY_HOSTNAME > /etc/hostname
-hostname $PRIMARY_HOSTNAME
+echo "$PRIMARY_HOSTNAME" > /etc/hostname
+hostname "$PRIMARY_HOSTNAME"

 # ### Fix permissions

@ -62,14 +63,14 @@ if
 	[ -z "$SWAP_IN_FSTAB" ] &&
 	[ ! -e /swapfile ] &&
 	[ -z "$ROOT_IS_BTRFS" ] &&
-	[ $TOTAL_PHYSICAL_MEM -lt 1900000 ] &&
-	[ $AVAILABLE_DISK_SPACE -gt 5242880 ]
+	[ "$TOTAL_PHYSICAL_MEM" -lt 1900000 ] &&
+	[ "$AVAILABLE_DISK_SPACE" -gt 5242880 ]
 then
 	echo "Adding a swap file to the system..."

 	# Allocate and activate the swap file. Allocate in 1KB chuncks
 	# doing it in one go, could fail on low memory systems
-	dd if=/dev/zero of=/swapfile bs=1024 count=$[1024*1024] status=none
+	dd if=/dev/zero of=/swapfile bs=1024 count=$((1024*1024)) status=none
 	if [ -e /swapfile ]; then
 		chmod 600 /swapfile
 		hide_output mkswap /swapfile
@ -120,13 +121,13 @@ hide_output add-apt-repository --y ppa:ondrej/php
 # PPAs so we can install those packages later.

 if [ "${SKIP_SYSTEM_UPDATE:-0}" != "1" ]; then
-	echo Updating system packages...
+	echo "Updating system packages..."
 	hide_output apt-get update
 	apt_get_quiet upgrade

-# Old kernels pile up over time and take up a lot of disk space, and because of Mail-in-a-Box
-# changes there may be other packages that are no longer needed. Clear out anything apt knows
-# is safe to delete.
+	# Old kernels pile up over time and take up a lot of disk space, and because of Mail-in-a-Box
+	# changes there may be other packages that are no longer needed. Clear out anything apt knows
+	# is safe to delete.

 	apt_get_quiet autoremove
 fi
@ -146,7 +147,7 @@ fi
 # * bc: allows us to do math to compute sane defaults
 # * openssh-client: provides ssh-keygen

-echo Installing system packages...
+echo "Installing system packages..."
 apt_install python3 python3-dev python3-pip python3-setuptools \
 	netcat-openbsd wget curl git sudo coreutils bc file \
 	pollinate openssh-client unzip \
@ -175,7 +176,7 @@ fi
 # not likely the user will want to change this, so we only ask on first
 # setup.
 if [ -z "${NONINTERACTIVE:-}" ]; then
-	if [ ! -f /etc/timezone ] || [ ! -z ${FIRST_TIME_SETUP:-} ]; then
+	if [ ! -f /etc/timezone ] || [ -n "${FIRST_TIME_SETUP:-}" ]; then
 		# If the file is missing or this is the user's first time running
 		# Mail-in-a-Box setup, run the interactive timezone configuration
 		# tool.
@ -237,7 +238,7 @@ fi
 # hardware entropy to get going, by drawing from /dev/random. haveged makes this
 # less likely to stall for very long.

-echo Initializing system random number generator...
+echo "Initializing system random number generator..."
 dd if=/dev/random of=/dev/urandom bs=1 count=32 2> /dev/null

 # This is supposedly sufficient. But because we're not sure if hardware entropy
@ -281,11 +282,11 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then
 	# settings, find the port it is supposedly running on, and open that port #NODOC
 	# too. #NODOC
 	SSH_PORT=$(sshd -T 2>/dev/null | grep "^port " | sed "s/port //") #NODOC
-	if [ ! -z "$SSH_PORT" ]; then
+	if [ -n "$SSH_PORT" ]; then
 	if [ "$SSH_PORT" != "22" ]; then

-	echo Opening alternate SSH port $SSH_PORT. #NODOC
-	ufw_limit $SSH_PORT #NODOC
+	echo "Opening alternate SSH port $SSH_PORT." #NODOC
+	ufw_limit "$SSH_PORT" #NODOC

 	fi
 	fi
--- a/setup/web.sh
+++ b/setup/web.sh
@ -17,7 +17,7 @@ source /etc/mailinabox.conf # load global vars
 # Some Ubuntu images start off with Apache. Remove it since we
 # will use nginx. Use autoremove to remove any Apache depenencies.
 if [ -f /usr/sbin/apache2 ]; then
-	echo Removing apache...
+	echo "Removing apache..."
 	hide_output apt-get -y purge apache2 apache2-*
 	hide_output apt-get -y --purge autoremove
 fi
@ -28,7 +28,7 @@ fi

 echo "Installing Nginx (web server)..."

-apt_install nginx php${PHP_VER}-cli php${PHP_VER}-fpm idn2
+apt_install nginx php"${PHP_VER}"-cli php"${PHP_VER}"-fpm idn2

 rm -f /etc/nginx/sites-enabled/default

@ -55,15 +55,15 @@ tools/editconf.py /etc/nginx/nginx.conf -s \
 	ssl_protocols="TLSv1.2 TLSv1.3;"

 # Tell PHP not to expose its version number in the X-Powered-By header.
-tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/"$PHP_VER"/fpm/php.ini -c ';' \
 	expose_php=Off

 # Set PHPs default charset to UTF-8, since we use it. See #367.
-tools/editconf.py /etc/php/$PHP_VER/fpm/php.ini -c ';' \
+tools/editconf.py /etc/php/"$PHP_VER"/fpm/php.ini -c ';' \
        default_charset="UTF-8"

 # Configure the path environment for php-fpm
-tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
+tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \
 	env[PATH]=/usr/local/bin:/usr/bin:/bin \

 # Configure php-fpm based on the amount of memory the machine has
@ -71,32 +71,32 @@ tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
 # Some synchronisation issues can occur when many people access the site at once.
 # The pm=ondemand setting is used for memory constrained machines < 2GB, this is copied over from PR: 1216
 TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
-if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
+if [ "$TOTAL_PHYSICAL_MEM" -lt 1000000 ]
 then
-        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \
                pm=ondemand \
                pm.max_children=8 \
                pm.start_servers=2 \
                pm.min_spare_servers=1 \
                pm.max_spare_servers=3
-elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
+elif [ "$TOTAL_PHYSICAL_MEM" -lt 2000000 ]
 then
-        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \
                pm=ondemand \
                pm.max_children=16 \
                pm.start_servers=4 \
                pm.min_spare_servers=1 \
                pm.max_spare_servers=6
-elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
+elif [ "$TOTAL_PHYSICAL_MEM" -lt 3000000 ]
 then
-        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \
                pm=dynamic \
                pm.max_children=60 \
                pm.start_servers=6 \
                pm.min_spare_servers=3 \
                pm.max_spare_servers=9
 else
-        tools/editconf.py /etc/php/$PHP_VER/fpm/pool.d/www.conf -c ';' \
+        tools/editconf.py /etc/php/"$PHP_VER"/fpm/pool.d/www.conf -c ';' \
                pm=dynamic \
                pm.max_children=120 \
                pm.start_servers=12 \
@ -133,7 +133,7 @@ chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml

 # Create a generic mta-sts.txt file which is exposed via the
 # nginx configuration at /.well-known/mta-sts.txt
-# more documentation is available on: 
+# more documentation is available on:
 # https://www.uriports.com/blog/mta-sts-explained/
 # default mode is "enforce". In /etc/mailinabox.conf change
 # "MTA_STS_MODE=testing" which means "Messages will be delivered
@ -147,16 +147,16 @@ cat conf/mta-sts.txt \
 chmod a+r /var/lib/mailinabox/mta-sts.txt

 # make a default homepage
-if [ -d $STORAGE_ROOT/www/static ]; then mv $STORAGE_ROOT/www/static $STORAGE_ROOT/www/default; fi # migration #NODOC
-mkdir -p $STORAGE_ROOT/www/default
-if [ ! -f $STORAGE_ROOT/www/default/index.html ]; then
-	cp conf/www_default.html $STORAGE_ROOT/www/default/index.html
+if [ -d "$STORAGE_ROOT/www/static" ]; then mv "$STORAGE_ROOT/www/static" "$STORAGE_ROOT/www/default"; fi # migration #NODOC
+mkdir -p "$STORAGE_ROOT/www/default"
+if [ ! -f "$STORAGE_ROOT/www/default/index.html" ]; then
+	cp conf/www_default.html "$STORAGE_ROOT/www/default/index.html"
 fi
-chown -R $STORAGE_USER $STORAGE_ROOT/www
+chown -R "$STORAGE_USER" "$STORAGE_ROOT/www"

 # Start services.
 restart_service nginx
-restart_service php$PHP_VER-fpm
+restart_service php"$PHP_VER"-fpm

 # Open ports.
 ufw_allow http
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -14,7 +14,7 @@
 source setup/functions.sh # load our functions
 source setup/functions-downloads.sh
 source /etc/mailinabox.conf # load global vars
-source ${STORAGE_ROOT}/ldap/miab_ldap.conf
+source "${STORAGE_ROOT}/ldap/miab_ldap.conf"

 # ### Installing Roundcube

@ -33,11 +33,11 @@ source ${STORAGE_ROOT}/ldap/miab_ldap.conf
 echo "Installing Roundcube (webmail)..."
 apt_install \
 	dbconfig-common \
-	php${PHP_VER}-cli php${PHP_VER}-sqlite3 php${PHP_VER}-intl php${PHP_VER}-common php${PHP_VER}-curl php${PHP_VER}-imap \
-	php${PHP_VER}-gd php${PHP_VER}-pspell php${PHP_VER}-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1 \
+	php"${PHP_VER}"-cli php"${PHP_VER}"-sqlite3 php"${PHP_VER}"-intl php"${PHP_VER}"-common php"${PHP_VER}"-curl php"${PHP_VER}"-imap \
+	php"${PHP_VER}"-gd php"${PHP_VER}"-pspell php"${PHP_VER}"-mbstring libjs-jquery libjs-jquery-mousewheel libmagic1 \
 	sqlite3

-apt_install php${PHP_VER}-ldap
+apt_install php"${PHP_VER}"-ldap

 # Install Roundcube from source if it is not already present or if it is out of date.
 # Combine the Roundcube version number with the commit hash of plugins to track
@ -248,8 +248,8 @@ cat > ${RCM_PLUGIN_DIR}/persistent_login/config.inc.php <<EOF
 EOF

 # Create writable directories.
-mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
-chown -R www-data:www-data /var/log/roundcubemail /var/tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+mkdir -p /var/log/roundcubemail /var/tmp/roundcubemail "$STORAGE_ROOT/mail/roundcube"
+chown -R www-data:www-data /var/log/roundcubemail /var/tmp/roundcubemail "$STORAGE_ROOT/mail/roundcube"

 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
 sudo -u www-data touch /var/log/roundcubemail/errors.log
@ -283,22 +283,22 @@ chown -f -R root:www-data ${RCM_PLUGIN_DIR}/carddav
 chmod -R 774 ${RCM_PLUGIN_DIR}/carddav

 # Run Roundcube database migration script (database is created if it does not exist)
-php$PHP_VER ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
-chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
-chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
+php"$PHP_VER" ${RCM_DIR}/bin/updatedb.sh --dir ${RCM_DIR}/SQL --package roundcube
+chown www-data:www-data "$STORAGE_ROOT/mail/roundcube/roundcube.sqlite"
+chmod 664 "$STORAGE_ROOT/mail/roundcube/roundcube.sqlite"

 # Create persistent login plugin's database tables
-sqlite3 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite < ${RCM_PLUGIN_DIR}/persistent_login/sql/sqlite.sql
+sqlite3 "$STORAGE_ROOT/mail/roundcube/roundcube.sqlite" < "${RCM_PLUGIN_DIR}/persistent_login/sql/sqlite.sql"

 # Enable PHP modules.
-phpenmod -v $PHP_VER imap ldap
-restart_service php$PHP_VER-fpm
+phpenmod -v "$PHP_VER" imap ldap
+restart_service php"$PHP_VER"-fpm

 # Periodically clean the roundcube database (see roundcubemail/INSTALL)
 cat > /etc/cron.daily/mailinabox-roundcubemail << EOF
 #!/bin/bash
 # Mail-in-a-Box
 # Clean up the roundcube database
-cd $RCM_DIR && bin/cleandb.sh >/dev/null
+cd "$RCM_DIR" && bin/cleandb.sh >/dev/null
 EOF
 chmod +x /etc/cron.daily/mailinabox-roundcubemail
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@ -26,9 +26,9 @@ source /etc/mailinabox.conf # load global vars

 echo "Installing Z-Push (Exchange/ActiveSync server)..."
 apt_install \
-       php${PHP_VER}-soap php${PHP_VER}-imap libawl-php php$PHP_VER-xml
+       php"${PHP_VER}"-soap php"${PHP_VER}"-imap libawl-php php"$PHP_VER"-xml

-phpenmod -v $PHP_VER imap
+phpenmod -v "$PHP_VER" imap

 # Copy Z-Push into place.
 VERSION=2.7.1
@ -53,10 +53,10 @@ if [ $needs_update == 1 ]; then
 	# Create admin and top scripts with PHP_VER  
 	rm -f /usr/sbin/z-push-{admin,top}
    echo '#!/bin/bash' > /usr/sbin/z-push-admin
-    echo php$PHP_VER /usr/local/lib/z-push/z-push-admin.php '"$@"' >> /usr/sbin/z-push-admin
+    echo php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php '"$@"' >> /usr/sbin/z-push-admin
    chmod 755 /usr/sbin/z-push-admin
    echo '#!/bin/bash' > /usr/sbin/z-push-top
-    echo php$PHP_VER /usr/local/lib/z-push/z-push-top.php '"$@"' >> /usr/sbin/z-push-top
+    echo php"$PHP_VER" /usr/local/lib/z-push/z-push-top.php '"$@"' >> /usr/sbin/z-push-top
    chmod 755 /usr/sbin/z-push-top
 	
 	echo $VERSION > /usr/local/lib/z-push/version
@ -118,8 +118,8 @@ EOF

 # Restart service.

-restart_service php$PHP_VER-fpm
+restart_service php"$PHP_VER"-fpm

 # Fix states after upgrade

-hide_output php$PHP_VER /usr/local/lib/z-push/z-push-admin.php -a fixstates
+hide_output php"$PHP_VER" /usr/local/lib/z-push/z-push-admin.php -a fixstates
--- a/tests/vagrant/preloaded/prepvm.sh
+++ b/tests/vagrant/preloaded/prepvm.sh
@ -56,10 +56,10 @@ OS_MAJOR=$(. /etc/os-release; echo $VERSION_ID | awk -F. '{print $1}')
 remove_line_continuation() {
    local file="$1"
    awk '
-BEGIN            { C=0 } 
-C==1 && /[^\\]$/ { C=0; print $0; next } 
-C==1             { printf("%s",substr($0,0,length($0)-1)); next } 
-/\\$/            { C=1; printf("%s",substr($0,0,length($0)-1)); next } 
+BEGIN            { C=0 }
+C==1 && /[^\\]$/ { C=0; print $0; next }
+C==1             { printf("%s",substr($0,0,length($0)-1)); next }
+/\\$/            { C=1; printf("%s",substr($0,0,length($0)-1)); next }
                 { print $0 }' \
                     "$file"
 }
@ -79,15 +79,15 @@ install_packages() {
                 pkgs="$(cut -c12- <<<"$line")"
                 ;;
        esac
-        
+
        # don't install slapd
        pkgs="$(sed 's/slapd//g' <<< "$pkgs")"

        # manually set PHP_VER if necessary
        if grep "PHP_VER" <<<"$pkgs" >/dev/null; then
-            pkgs="$(sed "s/\${*PHP_VER}*/$PHP_VER/g" <<< "$pkgs")"
+            pkgs="$(sed "s/\"\?\${*PHP_VER}*\"\?/$PHP_VER/g" <<< "$pkgs")"
        fi
-        
+
        if [ ! -z "$pkgs" ]; then
            H2 "install: $pkgs"
            if ! $dry_run; then
@ -108,7 +108,7 @@ install_ppas() {
            if ! $dry_run; then
                exec_no_output $line
            fi
-        done 
+        done
 }

 add_swap() {
@ -181,7 +181,7 @@ for file in "${desired_order[@]}" "${setup_files[@]}"; do
 done

 failed=0
-    
+
 for file in ${ordered_files[@]}; do
    H1 "$file"
    remove_line_continuation "$file" | install_packages
@ -228,4 +228,3 @@ else
    echo ""
    exit 0
 fi
-
--- a/tools/archive_conf_files.sh
+++ b/tools/archive_conf_files.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 #####
 ##### This file is part of Mail-in-a-Box-LDAP which is released under the
 ##### terms of the GNU Affero General Public License as published by the
@ -9,10 +10,9 @@

 # Use this script to make an archive of the contents of all
 # of the configuration files we edit with editconf.py.
-for fn in `grep -hr editconf.py setup | sed "s/tools\/editconf.py //" | sed "s/ .*//" | sort | uniq`; do
+for fn in $(grep -hr editconf.py setup | sed "s/tools\/editconf.py //" | sed "s/ .*//" | sort | uniq); do
 	echo ======================================================================
-	echo $fn
+	echo "$fn"
 	echo ======================================================================
-	cat $fn
+	cat "$fn"
 done
-
--- a/tools/dns_update
+++ b/tools/dns_update
@ -12,4 +12,4 @@ POSTDATA=dummy
 if [ "$1" == "--force" ]; then
 	POSTDATA=force=1
 fi
-curl -s -d $POSTDATA --user $(</var/lib/mailinabox/api.key): http://127.0.0.1:10222/dns/update
+curl -s -d $POSTDATA --user "$(</var/lib/mailinabox/api.key):" http://127.0.0.1:10222/dns/update
--- a/tools/owncloud-restore.sh
+++ b/tools/owncloud-restore.sh
@ -23,13 +23,13 @@ if [ -z "$1" ]; then
 	echo
 	echo "Available backups:"
 	echo
-	find $STORAGE_ROOT/owncloud-backup/* -maxdepth 0 -type d
+	find "$STORAGE_ROOT/owncloud-backup/"* -maxdepth 0 -type d
 	echo
 	echo "Supply the directory that was created during the last installation as the only commandline argument"
 	exit
 fi

-if [ ! -f $1/config.php ]; then
+if [ ! -f "$1/config.php" ]; then
 	echo "This isn't a valid backup location"
 	exit 1
 fi
@ -45,14 +45,14 @@ cp -r  "$1/owncloud-install" /usr/local/lib/owncloud
 # restore access rights
 chmod 750 /usr/local/lib/owncloud/{apps,config}

-cp "$1/owncloud.db" $STORAGE_ROOT/owncloud/
-cp "$1/config.php" $STORAGE_ROOT/owncloud/
+cp "$1/owncloud.db" "$STORAGE_ROOT/owncloud/"
+cp "$1/config.php" "$STORAGE_ROOT/owncloud/"

-ln -sf $STORAGE_ROOT/owncloud/config.php /usr/local/lib/owncloud/config/config.php
-chown -f -R www-data:www-data $STORAGE_ROOT/owncloud /usr/local/lib/owncloud
-chown www-data:www-data $STORAGE_ROOT/owncloud/config.php
+ln -sf "$STORAGE_ROOT/owncloud/config.php" /usr/local/lib/owncloud/config/config.php
+chown -f -R www-data:www-data "$STORAGE_ROOT/owncloud" /usr/local/lib/owncloud
+chown www-data:www-data "$STORAGE_ROOT/owncloud/config.php"

-sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ maintenance:mode --off
+sudo -u www-data "php$PHP_VER" /usr/local/lib/owncloud/occ maintenance:mode --off

 service php8.0-fpm start
 echo "Done"
--- a/tools/owncloud-unlockadmin.sh
+++ b/tools/owncloud-unlockadmin.sh
@ -18,15 +18,15 @@
 source /etc/mailinabox.conf # load global vars

 ADMIN=$(./mail.py user admins | head -n 1)
-test -z "$1" || ADMIN=$1 
+test -z "$1" || ADMIN=$1

-echo I am going to unlock admin features for $ADMIN.
-echo You can provide another user to unlock as the first argument of this script.
+echo "I am going to unlock admin features for $ADMIN."
+echo "You can provide another user to unlock as the first argument of this script."
 echo
-echo WARNING: you could break mail-in-a-box when fiddling around with Nextcloud\'s admin interface
-echo If in doubt, press CTRL-C to cancel.
-echo 
-echo Press enter to continue.
+echo "WARNING: you could break mail-in-a-box when fiddling around with Nextcloud's admin interface"
+echo "If in doubt, press CTRL-C to cancel."
+echo
+echo "Press enter to continue."
 read

-sudo -u www-data php$PHP_VER /usr/local/lib/owncloud/occ group:adduser admin $ADMIN && echo Done.
+sudo -u www-data "php$PHP_VER" /usr/local/lib/owncloud/occ group:adduser admin "$ADMIN" && echo "Done."
--- a/tools/web_update
+++ b/tools/web_update
@ -8,4 +8,4 @@
 ##### details.
 #####

-curl -s -d POSTDATA --user $(</var/lib/mailinabox/api.key): http://127.0.0.1:10222/web/update
+curl -s -d POSTDATA --user "$(</var/lib/mailinabox/api.key):" http://127.0.0.1:10222/web/update