diff --git a/nixos-infect b/nixos-infect
index 62779fd..09244f2 100755
--- a/nixos-infect
+++ b/nixos-infect
@@ -21,7 +21,7 @@ makeConf() {
 networking.hostName = "$(hostname)";
 networking.firewall.allowPing = true;
 services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [$(for key in ${keys[@]}; do echo -n "
+ users.users.root.openssh.authorizedKeys.keys = [$(for key in "${keys[@]}"; do echo -n "
 \"$key\""; done)
 ];
 }
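Review bot: The `authorizedKeys.keys` line still writes each entry into a Nix string literal as `\"$key\"` with no escaping, so an entry that contains a double quote or a backslash (authorized_keys option prefixes such as `command="…"` do) yields a configuration.nix that fails to parse or does not say what was intended. The added quoting makes this more reachable, because each array element is now emitted whole instead of being re-split. Where `keys` is populated is outside this hunk, so whether such entries can reach the loop is an assumption to confirm. Escaping `\`, `"` and `${` in each entry before it is echoed, or skipping entries that contain them with a warning, would close the gap.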
@@ -39,23 +39,23 @@ EOF
 # XXX It'd be better if we used procfs for all this...
 local IFS=$'\n'
 eth0_name=$(ip address show | grep '^2:' | awk -F': ' '{print $2}')
- eth0_ip4s=($(ip address show dev $eth0_name | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
- eth0_ip6s=($(ip address show dev $eth0_name | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || ''))
- gateway=($(ip route show dev $eth0_name | grep default | sed -r 's|default via ([0-9.]+).*|\1|'))
- ether0=($(ip address show dev $eth0_name | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
+ eth0_ip4s=$(ip address show dev "$eth0_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')
+ eth0_ip6s=$(ip address show dev "$eth0_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || '')
+ gateway=$(ip route show dev "$eth0_name" | grep default | sed -r 's|default via ([0-9.]+).*|\1|')
+ ether0=$(ip address show dev "$eth0_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')
 eth1_name=$(ip address show | grep '^3:' | awk -F': ' '{print $2}')||true
 if [ -n "$eth1_name" ];then
- eth1_ip4s=($(ip address show dev $eth1_name | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
- eth1_ip6s=($(ip address show dev $eth1_name | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || ''))
- ether1=($(ip address show dev $eth1_name | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
- gateway6=($(ip -6 route show dev $eth1_name | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|' || true))
+ eth1_ip4s=$(ip address show dev "$eth1_name" | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')
+ eth1_ip6s=$(ip address show dev "$eth1_name" | grep 'inet6 ' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|' || '')
+ ether1=$(ip address show dev "$eth1_name" | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')
+ gateway6=$(ip -6 route show dev "$eth1_name" | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|' || true)
 interfaces1=<< EOF
 $eth1_name = {
- ip4 = [$(for a in ${eth1_ip4s[@]}; do echo -n "
+ ip4 = [$(for a in "${eth1_ip4s[@]}"; do echo -n "
 $a"; done)
 ];
- ip6 = [$(for a in ${eth1_ip6s[@]}; do echo -n "
+ ip6 = [$(for a in "${eth1_ip6s[@]}"; do echo -n "
 $a"; done)
 ];
 EOF
@@ -72,17 +72,17 @@ EOF
 # This file was populated at runtime with the networking
 # details gathered from the active system.
 networking = {
- nameservers = [$(for a in ${nameservers[@]}; do echo -n "
+ nameservers = [$(for a in "${nameservers[@]}"; do echo -n "
 \"$a\""; done)
 ];
 defaultGateway = "${gateway}";
 defaultGateway6 = "${gateway6}";
 interfaces = {
 $eth0_name = {
- ip4 = [$(for a in ${eth0_ip4s[@]}; do echo -n "
+ ip4 = [$(for a in "${eth0_ip4s[@]}"; do echo -n "
 $a"; done)
 ];
- ip6 = [$(for a in ${eth0_ip6s[@]}; do echo -n "
+ ip6 = [$(for a in "${eth0_ip6s[@]}"; do echo -n "
 $a"; done)
 ];
 };
@@ -112,18 +112,18 @@ EOF
 makeSwap() {
 # TODO check currently available swapspace first
- swapFile=`mktemp /tmp/nixos-infect.XXXXX.swp`
- dd if=/dev/zero of=$swapFile bs=1M count=$((1*1024))
- chmod 0600 $swapFile
- mkswap $swapFile
- swapon -v $swapFile
+ swapFile=$(mktemp /tmp/nixos-infect.XXXXX.swp)
+ dd if=/dev/zero "of=$swapFile" bs=1M count=$((1*1024))
+ chmod 0600 "$swapFile"
+ mkswap "$swapFile"
+ swapon -v "$swapFile"
 }
 removeSwap() {
 for swapFile in /tmp/nixos-infect.*.swp
 do
- swapoff -v $swapFile
- rm -vf $swapFile
+ swapoff -v "$swapFile"
+ rm -vf "$swapFile"
 done
 }
@@ -163,6 +163,7 @@ prepareEnv() {
 # Nix installer tries to use sudo regardless of whether we're already uid 0
 #which sudo || { sudo() { eval "$@"; }; export -f sudo; }
+ # shellcheck disable=SC2174
 mkdir -p -m 0755 /nix
 }
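Review bot: In the `-39,23` hunk the eight assignments lose their array parentheses (`eth0_ip4s=$(…)`, `gateway=$(…)` and the rest), yet the loops in this hunk and in the `-72,17` hunk still expand them as arrays (`"${eth1_ip4s[@]}"`, `"${eth0_ip4s[@]}"`). A scalar expanded that way is a single word, so each loop body runs exactly once, even when the value is empty. `defaultGateway = "${gateway}"` now receives every matching line instead of element 0, which puts a newline inside the Nix string whenever `ip route` prints more than one default route. Reading into real arrays keeps the old semantics and still satisfies shellcheck, for example `mapfile -t eth0_ip4s < <(ip address show dev "$eth0_name" | grep 'inet ' | sed -r '…')`. Separately, the `|| ''` fallback on the two `ip6s` lines tries to run an empty command name; `|| true`, as the `gateway6` line already uses, is probably what was meant.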
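Review bot: `removeSwap` in the `-112,18` hunk still acts on whatever matches `/tmp/nixos-infect.*.swp`, and /tmp is writable by every local user, so the script runs `swapoff` and `rm -vf` on names it did not necessarily create. When nothing matches, the unexpanded pattern itself is handed to both commands. The added quoting changes neither. If both functions run in the same invocation, `removeSwap` could reuse the path `makeSwap` already holds in `swapFile`; failing that, the loop body could start with `[ -f "$swapFile" ] && [ ! -L "$swapFile" ] || continue`.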
@@ -192,13 +193,14 @@ infect() {
 # Add nix build users
 # FIXME run only if necessary, rather than defaulting true
 groupadd nixbld -g 30000 || true
- for i in {1..10}; do useradd -c "Nix build user $i" -d /var/empty -g nixbld -G nixbld -M -N -r -s $(which nologin) nixbld$i || true; done
+ for i in {1..10}; do useradd -c "Nix build user $i" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" nixbld$i || true; done
 # TODO use addgroup and adduser as fallbacks
 #addgroup nixbld -g 30000 || true
 #for i in {1..10}; do adduser -DH -G nixbld nixbld$i || true; done
 curl https://nixos.org/nix/install | $SHELL
+ # shellcheck disable=SC1090
 source ~/.nix-profile/etc/profile.d/nix.sh
 [[ -z "$NIX_CHANNEL" ]] && NIX_CHANNEL="nixos-17.03"
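Review bot: `curl https://nixos.org/nix/install | $SHELL` is left as it was: the installer is executed while it streams in, with no `-f` to stop on an HTTP error and no comparison against a known digest, so a truncated or substituted response runs as far as it gets. The script then sources `~/.nix-profile/etc/profile.d/nix.sh`, and the new SC1090 directive silences the only tool warning on that path without saying why that is acceptable. Downloading to a file, verifying it and only then running it is sketched below; the digest is a placeholder and presupposes a versioned installer URL rather than the moving one. `infect` starts before this hunk and continues after it.

```shell
# … unchanged: nixbld group and build-user creation …
installer=$(mktemp)
curl -fsSL https://nixos.org/nix/install -o "$installer"
# <EXPECTED_SHA256> is a placeholder: pin the digest of the installer release you intend to run
echo "<EXPECTED_SHA256>  $installer" | sha256sum -c -
"$SHELL" "$installer"
rm -f "$installer"
# nix.sh is written by the installer run above, so shellcheck cannot follow it
# shellcheck disable=SC1090
source ~/.nix-profile/etc/profile.d/nix.sh
```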