diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index b53a9e4a..7a81ca1c 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -118,6 +118,7 @@ in
       echo "configuring networking..." >&2
 
       ${optionalString (cfg.computerName != null) ''
+        # shellcheck disable=SC1112
         scutil --set ComputerName ${escapeShellArg cfg.computerName}
       ''}
       ${optionalString (cfg.hostName != null) ''
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index 6d7ccc00..ec6e3b5d 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -88,7 +88,7 @@ let
 
   buildUsers = ''
     buildUser=$(dscl . -read /Groups/nixbld GroupMembership 2>&1 | awk '/^GroupMembership: / {print $2}') || true
-    if [ -z $buildUser ]; then
+    if [[ -z "$buildUser" ]]; then
         echo "[1;31merror: Using the nix-daemon requires build users, aborting activation[0m" >&2
         echo "Create the build users or disable the daemon:" >&2
         echo "$ darwin-install" >&2
@@ -104,7 +104,7 @@ let
   buildGroupID = ''
     buildGroupID=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{print $2}')
     expectedBuildGroupID=${toString config.ids.gids.nixbld}
-    if [[ $buildGroupID != $expectedBuildGroupID ]]; then
+    if [[ $buildGroupID != "$expectedBuildGroupID" ]]; then
         printf >&2 '\e[1;31merror: Build user group has mismatching GID, aborting activation\e[0m\n'
         printf >&2 'The default Nix build user group ID was changed from 30000 to 350.\n'
         printf >&2 'You are currently managing Nix build users with nix-darwin, but your\n'
@@ -114,6 +114,7 @@ let
         printf >&2 'Possible causes include setting up a new Nix installation with an\n'
         printf >&2 'existing nix-darwin configuration, setting up a new nix-darwin\n'
         printf >&2 'installation with an existing Nix installation, or manually increasing\n'
+        # shellcheck disable=SC2016
         printf >&2 'your `system.stateVersion` setting.\n'
         printf >&2 '\n'
         printf >&2 'You can set the configured group ID to match the actual value:\n'
@@ -266,6 +267,7 @@ let
     if [[ -d /etc/ssh/authorized_keys.d ]]; then
         printf >&2 '\e[1;31merror: /etc/ssh/authorized_keys.d exists, aborting activation\e[0m\n'
         printf >&2 'SECURITY NOTICE: The previous implementation of the\n'
+        # shellcheck disable=SC2016
         printf >&2 '`users.users.<name>.openssh.authorizedKeys.*` options would not delete\n'
         printf >&2 'authorized keys files when the setting for a given user was removed.\n'
         printf >&2 '\n'
@@ -334,7 +336,7 @@ in
     system.activationScripts.checks.text = ''
       ${cfg.text}
 
-      if test ''${checkActivation:-0} -eq 1; then
+      if [[ "''${checkActivation:-0}" -eq 1 ]]; then
         echo "ok" >&2
         exit 0
       fi
diff --git a/modules/users/default.nix b/modules/users/default.nix
index 6a1cd2e6..d15deac6 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -115,6 +115,7 @@ in
         if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then
           if [[ -n "$SSH_CONNECTION" ]]; then
             printf >&2 '\e[1;31merror: users cannot be %s over SSH without Full Disk Access, aborting activation\e[0m\n' "$2"
+            # shellcheck disable=SC2016
             printf >&2 'The user %s could not be %s as `darwin-rebuild` was not executed with Full Disk Access over SSH.\n' "$1" "$2"
             printf >&2 'You can either:\n'
             printf >&2 '\n'
@@ -122,6 +123,7 @@ in
             printf >&2 '\n'
             printf >&2 'or\n'
             printf >&2 '\n'
+            # shellcheck disable=SC2016
             printf >&2 '  run `darwin-rebuild` in a graphical session.\n'
             printf >&2 '\n'
             printf >&2 'The option "Allow full disk access for remote users" can be found by\n'
@@ -135,9 +137,11 @@ in
 
             if ! sudo dscl . -change /Users/nobody NFSHomeDirectory "$homeDirectory" "$homeDirectory" &> /dev/null; then
               printf >&2 '\e[1;31merror: permission denied when trying to %s user %s, aborting activation\e[0m\n' "$2" "$1"
-              printf >&2 '`darwin-rebuild` requires permissions to administrate your computer,\n' "$1" "$2"
+              # shellcheck disable=SC2016
+              printf >&2 '`darwin-rebuild` requires permissions to administrate your computer,\n'
               printf >&2 'please accept the dialog that pops up.\n'
               printf >&2 '\n'
+              # shellcheck disable=SC2016
               printf >&2 'If you do not wish to be prompted every time `darwin-rebuild updates your users,\n'
               printf >&2 'you can grant Full Disk Access to your terminal emulator in System Settings.\n'
               printf >&2 '\n'
@@ -187,6 +191,7 @@ in
           if [ "$u" -gt 501 ]; then
             # TODO: add `darwin.primaryUser` as well
             if [[ ${name} == "$USER" ]]; then
+              # shellcheck disable=SC2016
               printf >&2 '\e[1;31merror: refusing to delete the user calling `darwin-rebuild` (%s), aborting activation\e[0m\n', ${name}
               exit 1
             elif [[ ${name} == "root" ]]; then
