diff --git a/.circleci/config.yml b/.circleci/config.yml
index e4b2c3c..79ce09a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -8,9 +8,9 @@ workflows:
           requires:
             - test
           filters:
-             branches:
-               only: 
-                 - master
+            branches:
+              only:
+                - master
       - build_children:
           context: circle-api
           requires:
@@ -58,8 +58,7 @@ jobs:
           destination: docker-lancachenet-monolithic.tar
       - persist_to_workspace:
           root: workspace
-          paths:
-            lancachenet-monolithic.tar
+          paths: lancachenet-monolithic.tar
   publish_latest:
     executor: testbuild-executor
     steps:
@@ -78,7 +77,7 @@ jobs:
       - run:
           name: "Request API to build children"
           command: |
-              for child in {"generic"}; do
-                 echo "Asking API to trigger build for $child"
-                 curl -X POST --header "Content-Type: application/json" -d '{"branch":"master"}' https://circleci.com/api/v1.1/project/github/lancachenet/$child/build?circle-token=${CIRCLE_API_USER_TOKEN}
-              done
+            for child in {"generic"}; do
+              echo "Asking API to trigger build for $child"
+              curl -X POST --header "Content-Type: application/json" -d '{"branch":"master"}' https://circleci.com/api/v1.1/project/github/lancachenet/$child/build?circle-token=${CIRCLE_API_USER_TOKEN}
+            done
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..bcaa1e3
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,14 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+end_of_line = lf
+insert_final_newline = true
+
+[*.md]
+indent_size = 0
+
+[*.sh]
+indent_style = tab
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
new file mode 100644
index 0000000..ebecca6
--- /dev/null
+++ b/.github/workflows/mega-linter.yml
@@ -0,0 +1,55 @@
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.io
+---
+name: MegaLinter
+
+on:
+  pull_request:
+    branches:
+      - master
+
+env:
+  GITHUB_STATUS_REPORTER: true
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  megalinter:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: MegaLinter
+        uses: oxsecurity/megalinter@v8
+        id: ml
+        env:
+          VALIDATE_ALL_CODEBASE: >-
+            ${{
+              github.event_name == 'push' &&
+              github.ref == 'refs/heads/master'
+            }}
+
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@v4
+        if: success() || failure()
+        with:
+          name: MegaLinter reports
+          include-hidden-files: "true"
+          path: |
+            megalinter-reports
+            mega-linter.log
diff --git a/.gitignore b/.gitignore
index 27a3afb..4dbb08b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 reports
+megalinter-reports
diff --git a/.lefthook.yml b/.lefthook.yml
new file mode 100644
index 0000000..128cbac
--- /dev/null
+++ b/.lefthook.yml
@@ -0,0 +1,6 @@
+pre-commit:
+  parallel: true
+  jobs:
+    - name: megalinter
+      run: docker run --rm -e USER=$(id -u) -e GROUP=$(id -g) -v "$PWD:/tmp/lint" oxsecurity/megalinter:beta
+      stage_fixed: true
diff --git a/.mega-linter.yml b/.mega-linter.yml
new file mode 100644
index 0000000..0687c88
--- /dev/null
+++ b/.mega-linter.yml
@@ -0,0 +1,28 @@
+# Configuration file for MegaLinter
+#
+# See all available variables at https://megalinter.io/latest/config-file/ and in
+# linters documentation
+
+APPLY_FIXES: all
+FLAVOR_SUGGESTIONS: false
+PRINT_ALPACA: false
+SHOW_ELAPSED_TIME: true
+
+ENABLE:
+  - ACTION
+  - BASH
+  - DOCKERFILE
+  - EDITORCONFIG
+  - MARKDOWN
+  - YAML
+
+DISABLE_LINTERS:
+  - MARKDOWN_MARKDOWNLINT
+  - YAML_V8R
+
+BASH_SHELLCHECK_ARGUMENTS: "-f gcc"
+EDITORCONFIG_EDITORCONFIG_CHECKER_ARGUMENTS: "-f gcc"
+
+POST_COMMANDS:
+  - command: find . -user root -group root -exec chown ${USER}:${GROUP} {} \;
+    cwd: workspace
diff --git a/Dockerfile b/Dockerfile
index 3ed4c76..efe63e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,50 +1,55 @@
+# hadolint ignore=DL3007
 FROM lancachenet/ubuntu-nginx:latest
-LABEL version=3
-LABEL description="Single caching container for caching game content at LAN parties."
-LABEL maintainer="LanCache.Net Team <team@lancache.net>"
-
-RUN	apt-get update							;\
-	apt-get install -y jq git				;
-
-ENV GENERICCACHE_VERSION=2 \
-    CACHE_MODE=monolithic \
-    WEBUSER=www-data \
-    CACHE_INDEX_SIZE=500m \
-    CACHE_DISK_SIZE=1000g \
-    MIN_FREE_DISK=10g \
-    CACHE_MAX_AGE=3560d \
-    CACHE_SLICE_SIZE=1m \
-    UPSTREAM_DNS="8.8.8.8 8.8.4.4" \
-    BEAT_TIME=1h \
-    LOGFILE_RETENTION=3560 \
-    CACHE_DOMAINS_REPO="https://github.com/uklans/cache-domains.git" \
-    CACHE_DOMAINS_BRANCH=master \
-    NGINX_WORKER_PROCESSES=auto \
-    NGINX_LOG_FORMAT=cachelog
-
-COPY overlay/ /
-
-RUN rm /etc/nginx/sites-enabled/* /etc/nginx/stream-enabled/* ;\
-    rm /etc/nginx/conf.d/gzip.conf ;\
-    chmod 754  /var/log/tallylog ; \
-    id -u ${WEBUSER} &> /dev/null || adduser --system --home /var/www/ --no-create-home --shell /bin/false --group --disabled-login ${WEBUSER} ;\
-    chmod 755 /scripts/*		;\
-	  mkdir -m 755 -p /data/cache		;\
-	  mkdir -m 755 -p /data/info		;\
-    mkdir -m 755 -p /data/logs		;\
-    mkdir -m 755 -p /tmp/nginx/		;\
-    chown -R ${WEBUSER}:${WEBUSER} /data/	;\
-    mkdir -p /etc/nginx/sites-enabled	;\
-    ln -s /etc/nginx/sites-available/10_cache.conf /etc/nginx/sites-enabled/10_generic.conf; \
-    ln -s /etc/nginx/sites-available/20_upstream.conf /etc/nginx/sites-enabled/20_upstream.conf; \
-    ln -s /etc/nginx/sites-available/30_metrics.conf /etc/nginx/sites-enabled/30_metrics.conf; \
-    ln -s /etc/nginx/stream-available/10_sni.conf /etc/nginx/stream-enabled/10_sni.conf; \
-    mkdir -m 755 -p /data/cachedomains		;\
-    mkdir -m 755 -p /tmp/nginx
-
-RUN git clone --depth=1 --no-single-branch https://github.com/uklans/cache-domains/ /data/cachedomains
 
-VOLUME ["/data/logs", "/data/cache", "/data/cachedomains", "/var/www"]
+LABEL org.opencontainers.image.version=3
+LABEL org.opencontainers.image.description="Single container for caching game content at LAN parties."
+LABEL org.opencontainers.image.authors="LanCache.Net Team <team@lancache.net>"
+
+SHELL ["/bin/bash", "-c"]
+
+# hadolint ignore=DL3008
+RUN	<<EOF
+  apt-get update
+  apt-get install -y ca-certificates git jq --no-install-recommends
+  apt-get -y clean
+  rm -rf /var/lib/apt/lists/*
+EOF
+
+ENV \
+  GENERICCACHE_VERSION=2 \
+  CACHE_MODE=monolithic \
+  WEBUSER=www-data \
+  CACHE_INDEX_SIZE=500m \
+  CACHE_DISK_SIZE=1000g \
+  MIN_FREE_DISK=10g \
+  CACHE_MAX_AGE=3560d \
+  CACHE_SLICE_SIZE=1m \
+  UPSTREAM_DNS="8.8.8.8 8.8.4.4" \
+  BEAT_TIME=1h \
+  LOGFILE_RETENTION=3560 \
+  CACHE_DOMAINS_REPO="https://github.com/uklans/cache-domains.git" \
+  CACHE_DOMAINS_BRANCH=master \
+  NGINX_WORKER_PROCESSES=auto \
+  NGINX_LOG_FORMAT=cachelog
 
+COPY --link overlay/ /
+
+RUN <<EOF
+  id -u ${WEBUSER} &> /dev/null || adduser --system --home /var/www/ --no-create-home --shell /bin/false --group --disabled-login ${WEBUSER}
+  mkdir -p /etc/nginx/sites-enabled /data/{cache,cachedomains,info,logs} /tmp/nginx
+  rm /etc/nginx/sites-enabled/* /etc/nginx/stream-enabled/* /etc/nginx/conf.d/gzip.conf
+  chown -R ${WEBUSER}: /data/
+  chmod 754 /var/log/tallylog
+  for file in sites-available/10_cache.conf sites-available/20_upstream.conf sites-available/30_metrics.conf stream-available/10_sni.conf; do
+    ln -s "/etc/nginx/${file}" "/etc/nginx/${file/available/enabled}"
+  done
+EOF
+
+RUN <<EOF
+git clone --depth=1 --no-single-branch https://github.com/uklans/cache-domains.git /data/cachedomains
+git config --global --add safe.directory /data/cachedomains
+EOF
+
+VOLUME ["/data/logs", "/data/cache", "/data/cachedomains", "/var/www"]
 EXPOSE 80 443 8080
 WORKDIR /scripts
diff --git a/build-locally.sh b/build-locally.sh
index fe70881..cba15c9 100755
--- a/build-locally.sh
+++ b/build-locally.sh
@@ -3,20 +3,20 @@
 
 PURPLEBOLD="$(tput setf 5 bold)"
 
-printf "${PURPLEBOLD}Building temporary modified Ubuntu image:\n"
+printf "%sBuilding temporary modified Ubuntu image:\n" "${PURPLEBOLD}"
 docker build -t lancachenet/ubuntu:latest --progress tty https://github.com/lancachenet/ubuntu.git
 
-printf  "${PURPLEBOLD}Building temporary Ubuntu-Nginx image:\n"
+printf "%sBuilding temporary Ubuntu-Nginx image:\n" "${PURPLEBOLD}"
 docker build -t lancachenet/ubuntu-nginx:latest --progress tty https://github.com/lancachenet/ubuntu-nginx.git
 
-printf "${PURPLEBOLD}Building Monolithic image:\n"
+printf "%sBuilding Monolithic image:\n" "${PURPLEBOLD}"
 docker build -t lancachenet/monolithic:latest --progress tty .
 
-printf "${PURPLEBOLD}Removing temporary Ubuntu image:\n"
+printf "%sRemoving temporary Ubuntu image:\n" "${PURPLEBOLD}"
 docker rmi lancachenet/ubuntu
 
-printf "${PURPLEBOLD}Removing temporary Ubuntu-Nginx image:\n"
+printf "%sRemoving temporary Ubuntu-Nginx image:\n" "${PURPLEBOLD}"
 docker rmi lancachenet/ubuntu-nginx
 
-printf "${PURPLEBOLD}Completed local build. Image now available as lancachenet/monolithic:latest\n"
-docker image ls lancachenet/monolithic:latest
\ No newline at end of file
+printf "%sCompleted local build. Image now available as lancachenet/monolithic:latest\n" "${PURPLEBOLD}"
+docker image ls lancachenet/monolithic:latest
diff --git a/goss.yaml b/goss.yaml
index 54e5354..97ae350 100644
--- a/goss.yaml
+++ b/goss.yaml
@@ -12,7 +12,7 @@ command:
   /scripts/cache_test.sh:
     exit-status: 0
     stdout:
-    - Succesfully Cached
+      - Succesfully Cached
     timeout: 20000
 process:
   nginx:
diff --git a/overlay/etc/nginx/conf.d/10_log_format.conf b/overlay/etc/nginx/conf.d/10_log_format.conf
index cb386ab..72ac216 100644
--- a/overlay/etc/nginx/conf.d/10_log_format.conf
+++ b/overlay/etc/nginx/conf.d/10_log_format.conf
@@ -1,2 +1,2 @@
-    log_format cachelog '[$cacheidentifier] $remote_addr / $http_x_forwarded_for - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_cache_status" "$host" "$http_range"';
-    log_format cachelog-json escape=json '{"timestamp":"$msec","time_local":"$time_local","cache_identifier":"$cacheidentifier","remote_addr":"$remote_addr","forwarded_for":"$http_x_forwarded_for","remote_user":"$remote_user","status":"$status","bytes_sent":$body_bytes_sent,"referer":"$http_referer","user_agent":"$http_user_agent","upstream_cache_status":"$upstream_cache_status","host":"$host","http_range":"$http_range","method":"$request_method","path":"$request_uri","proto":"$server_protocol","scheme":"$scheme"}';
+log_format cachelog '[$cacheidentifier] $remote_addr / $http_x_forwarded_for - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_cache_status" "$host" "$http_range"';
+log_format cachelog-json escape=json '{"timestamp":"$msec","time_local":"$time_local","cache_identifier":"$cacheidentifier","remote_addr":"$remote_addr","forwarded_for":"$http_x_forwarded_for","remote_user":"$remote_user","status":"$status","bytes_sent":$body_bytes_sent,"referer":"$http_referer","user_agent":"$http_user_agent","upstream_cache_status":"$upstream_cache_status","host":"$host","http_range":"$http_range","method":"$request_method","path":"$request_uri","proto":"$server_protocol","scheme":"$scheme"}';
diff --git a/overlay/etc/nginx/conf.d/30_maps.conf b/overlay/etc/nginx/conf.d/30_maps.conf
index 89cde18..8ee4919 100644
--- a/overlay/etc/nginx/conf.d/30_maps.conf
+++ b/overlay/etc/nginx/conf.d/30_maps.conf
@@ -1,4 +1,4 @@
 map "$http_user_agent£££$http_host" $cacheidentifier {
-    default $http_host;
-    ~Valve\/Steam\ HTTP\ Client\ 1\.0£££.* steam;
+  default $http_host;
+  ~Valve\/Steam\ HTTP\ Client\ 1\.0£££.* steam;
 }
diff --git a/overlay/etc/nginx/nginx.conf b/overlay/etc/nginx/nginx.conf
index a3b2da4..edaed20 100644
--- a/overlay/etc/nginx/nginx.conf
+++ b/overlay/etc/nginx/nginx.conf
@@ -1,8 +1,7 @@
 user www-data;
 include /etc/nginx/workers.conf;
-pid /run/nginx.pid;
-
 include /etc/nginx/modules-enabled/*.conf;
+pid /run/nginx.pid;
 
 events {
   worker_connections 4096;
@@ -24,18 +23,13 @@ http {
   access_log /var/log/nginx/access.log;
   error_log /var/log/nginx/error.log;
 
-
-
   gzip on;
 
   include /etc/nginx/conf.d/*.conf;
-
   include /etc/nginx/sites-enabled/*.conf;
 }
 
-
-stream {                                
-  include /etc/nginx/stream.d/*.conf; 
+stream {
+  include /etc/nginx/stream.d/*.conf;
   include /etc/nginx/stream-enabled/*;
-}                                       
-
+}
diff --git a/overlay/etc/nginx/sites-available/20_upstream.conf b/overlay/etc/nginx/sites-available/20_upstream.conf
index 305005b..9c980fa 100644
--- a/overlay/etc/nginx/sites-available/20_upstream.conf
+++ b/overlay/etc/nginx/sites-available/20_upstream.conf
@@ -4,7 +4,6 @@
 # This is particularly important for sony / ps5 as upstreams redirect between them which confuses slice map on caching
 
 server {
-
   # Internal bind on 3128, this should not be externally mapped
   listen localhost:3128 reuseport;
 
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/10_root.conf b/overlay/etc/nginx/sites-available/cache.conf.d/10_root.conf
index f065502..0891c35 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/10_root.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/10_root.conf
@@ -1,7 +1,7 @@
-  resolver UPSTREAM_DNS ipv6=off;
+resolver UPSTREAM_DNS ipv6=off;
 
-  location / {
+location / {
 
-    include /etc/nginx/sites-available/cache.conf.d/root/*.conf;
+  include /etc/nginx/sites-available/cache.conf.d/root/*.conf;
 
-  }
+}
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/20_lol.conf b/overlay/etc/nginx/sites-available/cache.conf.d/20_lol.conf
index 5f1e6ed..d92861a 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/20_lol.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/20_lol.conf
@@ -1,4 +1,4 @@
-  # Fix for League of Legends Updater
-  location ~ ^.+(releaselisting_.*|.version$) {
-    proxy_pass http://$host;
-  }
+# Fix for League of Legends Updater
+location ~ ^.+(releaselisting_.*|.version$) {
+  proxy_pass http://$host;
+}
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/21_arenanet_manifest.conf b/overlay/etc/nginx/sites-available/cache.conf.d/21_arenanet_manifest.conf
index 0169230..35cac08 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/21_arenanet_manifest.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/21_arenanet_manifest.conf
@@ -1,6 +1,6 @@
-  # Fix for GW2 manifest
-  location ^~ /latest64 {
-    proxy_cache_bypass 1;
-    proxy_no_cache 1;
-    proxy_pass http://$host$request_uri;
-  }
+# Fix for GW2 manifest
+location ^~ /latest64 {
+  proxy_cache_bypass 1;
+  proxy_no_cache 1;
+  proxy_pass http://$host$request_uri;
+}
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/22_wsus_cabs.conf b/overlay/etc/nginx/sites-available/cache.conf.d/22_wsus_cabs.conf
index 9fe085d..c1a9bfa 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/22_wsus_cabs.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/22_wsus_cabs.conf
@@ -1,6 +1,6 @@
-  # Fix for WSUS authroot cab files
-  location ~* (authrootstl.cab|pinrulesstl.cab|disallowedcertstl.cab)$ {
-    proxy_cache_bypass 1;
-    proxy_no_cache 1;
-    proxy_pass http://$host$request_uri;
-  }
+# Fix for WSUS authroot cab files
+location ~* (authrootstl.cab|pinrulesstl.cab|disallowedcertstl.cab)$ {
+  proxy_cache_bypass 1;
+  proxy_no_cache 1;
+  proxy_pass http://$host$request_uri;
+}
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/23_steam_server_status.conf b/overlay/etc/nginx/sites-available/cache.conf.d/23_steam_server_status.conf
index 6f4f8df..ea86479 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/23_steam_server_status.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/23_steam_server_status.conf
@@ -1,4 +1,4 @@
-  location = /server-status {
-    proxy_no_cache 1;
-    proxy_cache_bypass 1;
-  }
\ No newline at end of file
+location = /server-status {
+  proxy_no_cache 1;
+  proxy_cache_bypass 1;
+}
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/90_lancache_heartbeat.conf b/overlay/etc/nginx/sites-available/cache.conf.d/90_lancache_heartbeat.conf
index 11b519c..38177d7 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/90_lancache_heartbeat.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/90_lancache_heartbeat.conf
@@ -1,7 +1,7 @@
-  location = /lancache-heartbeat {
-    add_header X-LanCache-Processed-By $hostname;
-    include /etc/nginx/sites-available/cache.conf.d/root/99_gnu.conf;
-    add_header 'Access-Control-Expose-Headers' '*';
-    add_header 'Access-Control-Allow-Origin' '*';
-    return 204;
-  }
+location = /lancache-heartbeat {
+  add_header X-LanCache-Processed-By $hostname;
+  include /etc/nginx/sites-available/cache.conf.d/root/99_gnu.conf;
+  add_header 'Access-Control-Expose-Headers' '*';
+  add_header 'Access-Control-Allow-Origin' '*';
+  return 204;
+}
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/root/10_loop_detection.conf b/overlay/etc/nginx/sites-available/cache.conf.d/root/10_loop_detection.conf
index 478ad36..56bcf28 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/root/10_loop_detection.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/root/10_loop_detection.conf
@@ -1,7 +1,7 @@
-  # Abort any circular requests
-  if ($http_X_LanCache_Processed_By = $hostname) {
-    return 508;
-  }
+# Abort any circular requests
+if ($http_X_LanCache_Processed_By = $hostname) {
+  return 508;
+}
 
-  proxy_set_header X-LanCache-Processed-By $hostname;
-  add_header X-LanCache-Processed-By $hostname,$http_X_LanCache_Processed_By;
+proxy_set_header X-LanCache-Processed-By $hostname;
+add_header X-LanCache-Processed-By $hostname,$http_X_LanCache_Processed_By;
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/root/20_cache.conf b/overlay/etc/nginx/sites-available/cache.conf.d/root/20_cache.conf
index 4fb1ce4..de4ddff 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/root/20_cache.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/root/20_cache.conf
@@ -1,33 +1,33 @@
-    # Cache Location
-    slice 1m;
-    proxy_cache generic;
+# Cache Location
+slice 1m;
+proxy_cache generic;
 
-    proxy_ignore_headers Expires Cache-Control;
-    proxy_cache_valid 200 206 CACHE_MAX_AGE;
-    proxy_set_header  Range $slice_range;
+proxy_ignore_headers Expires Cache-Control;
+proxy_cache_valid 200 206 CACHE_MAX_AGE;
+proxy_set_header  Range $slice_range;
 
-    # Only download one copy at a time and use a large timeout so
-    # this really happens, otherwise we end up wasting bandwith
-    # getting the file multiple times.
-    proxy_cache_lock on;
-    # If it's taken over a minute to download a 1m file, we are probably stuck!
-    # Allow the next request to cache
-    proxy_cache_lock_age 2m;
-    # If it's totally broken after an hour, stick it in bypass (this shouldn't ever trigger)
-    proxy_cache_lock_timeout 1h;
+# Only download one copy at a time and use a large timeout so
+# this really happens, otherwise we end up wasting bandwith
+# getting the file multiple times.
+proxy_cache_lock on;
+# If it's taken over a minute to download a 1m file, we are probably stuck!
+# Allow the next request to cache
+proxy_cache_lock_age 2m;
+# If it's totally broken after an hour, stick it in bypass (this shouldn't ever trigger)
+proxy_cache_lock_timeout 1h;
 
-    # Allow the use of state entries
-    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+# Allow the use of state entries
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
 
-    # Allow caching of 200 but not 301 or 302 as our cache key may not include query params
-    # hence may not be valid for all users
-    proxy_cache_valid 301 302 0;
+# Allow caching of 200 but not 301 or 302 as our cache key may not include query params
+# hence may not be valid for all users
+proxy_cache_valid 301 302 0;
 
-    # Enable cache revalidation
-    proxy_cache_revalidate on;
-    
-    # Don't cache requests marked as nocache=1
-    proxy_cache_bypass $arg_nocache;
+# Enable cache revalidation
+proxy_cache_revalidate on;
 
-    # 40G max file
-    proxy_max_temp_file_size 40960m;
+# Don't cache requests marked as nocache=1
+proxy_cache_bypass $arg_nocache;
+
+# 40G max file
+proxy_max_temp_file_size 40960m;
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/root/30_cache_key.conf b/overlay/etc/nginx/sites-available/cache.conf.d/root/30_cache_key.conf
index e2d5580..937d38b 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/root/30_cache_key.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/root/30_cache_key.conf
@@ -1 +1 @@
-    proxy_cache_key      $cacheidentifier$uri$slice_range;
+proxy_cache_key      $cacheidentifier$uri$slice_range;
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/root/40_etags.conf b/overlay/etc/nginx/sites-available/cache.conf.d/root/40_etags.conf
index a6d85c9..57aac27 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/root/40_etags.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/root/40_etags.conf
@@ -1,3 +1,3 @@
-    # Battle.net Fix
-    proxy_hide_header ETag;
+# Battle.net Fix
+proxy_hide_header ETag;
 
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/root/90_upstream.conf b/overlay/etc/nginx/sites-available/cache.conf.d/root/90_upstream.conf
index 7dddf27..1090c3d 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/root/90_upstream.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/root/90_upstream.conf
@@ -1,13 +1,13 @@
-    # Upstream Configuration
-    proxy_next_upstream error timeout http_404;
+# Upstream Configuration
+proxy_next_upstream error timeout http_404;
 
-    # Proxy into the redirect handler
-    proxy_pass http://127.0.0.1:3128$request_uri;
+# Proxy into the redirect handler
+proxy_pass http://127.0.0.1:3128$request_uri;
 
-    proxy_redirect off;
-    proxy_ignore_client_abort on;
+proxy_redirect off;
+proxy_ignore_client_abort on;
 
-    # Upstream request headers
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# Upstream request headers
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/overlay/etc/nginx/sites-available/cache.conf.d/root/99_debug_header.conf b/overlay/etc/nginx/sites-available/cache.conf.d/root/99_debug_header.conf
index 694746f..8b43bfb 100644
--- a/overlay/etc/nginx/sites-available/cache.conf.d/root/99_debug_header.conf
+++ b/overlay/etc/nginx/sites-available/cache.conf.d/root/99_debug_header.conf
@@ -1,4 +1,4 @@
-    # Debug Headers
-    add_header X-Upstream-Status $upstream_status;
-    add_header X-Upstream-Response-Time $upstream_response_time;
-    add_header X-Upstream-Cache-Status $upstream_cache_status;
+# Debug Headers
+add_header X-Upstream-Status $upstream_status;
+add_header X-Upstream-Response-Time $upstream_response_time;
+add_header X-Upstream-Cache-Status $upstream_cache_status;
diff --git a/overlay/etc/nginx/sites-available/upstream.conf.d/10_resolver.conf b/overlay/etc/nginx/sites-available/upstream.conf.d/10_resolver.conf
index 3375ec2..41fb578 100644
--- a/overlay/etc/nginx/sites-available/upstream.conf.d/10_resolver.conf
+++ b/overlay/etc/nginx/sites-available/upstream.conf.d/10_resolver.conf
@@ -1,2 +1,2 @@
-  resolver UPSTREAM_DNS ipv6=off;
+resolver UPSTREAM_DNS ipv6=off;
 
diff --git a/overlay/etc/nginx/sites-available/upstream.conf.d/20_tracking.conf b/overlay/etc/nginx/sites-available/upstream.conf.d/20_tracking.conf
index b8f389b..255d6b3 100644
--- a/overlay/etc/nginx/sites-available/upstream.conf.d/20_tracking.conf
+++ b/overlay/etc/nginx/sites-available/upstream.conf.d/20_tracking.conf
@@ -1,2 +1,2 @@
-  # Header to track if resolved from upstream or 302 redirect
-  set $orig_loc 'upstream';
+# Header to track if resolved from upstream or 302 redirect
+set $orig_loc 'upstream';
diff --git a/overlay/etc/nginx/sites-available/upstream.conf.d/30_primary_proxy.conf b/overlay/etc/nginx/sites-available/upstream.conf.d/30_primary_proxy.conf
index e237e60..32d61a2 100644
--- a/overlay/etc/nginx/sites-available/upstream.conf.d/30_primary_proxy.conf
+++ b/overlay/etc/nginx/sites-available/upstream.conf.d/30_primary_proxy.conf
@@ -1,9 +1,9 @@
-  # Proxy all requests to upstream
-  location / {
-    # Simple proxy the request
-    proxy_pass http://$host$request_uri;
+# Proxy all requests to upstream
+location / {
+  # Simple proxy the request
+  proxy_pass http://$host$request_uri;
 
-    # Catch the errors to process the redirects
-    proxy_intercept_errors on;
-    error_page 301 302 307 = @upstream_redirect;
-  }
+  # Catch the errors to process the redirects
+  proxy_intercept_errors on;
+  error_page 301 302 307 = @upstream_redirect;
+}
diff --git a/overlay/etc/nginx/sites-available/upstream.conf.d/40_redirect_proxy.conf b/overlay/etc/nginx/sites-available/upstream.conf.d/40_redirect_proxy.conf
index 75adca5..34aa1fd 100644
--- a/overlay/etc/nginx/sites-available/upstream.conf.d/40_redirect_proxy.conf
+++ b/overlay/etc/nginx/sites-available/upstream.conf.d/40_redirect_proxy.conf
@@ -1,11 +1,11 @@
-  # Special location block to handle 302 redirects
-  location @upstream_redirect {
-    # Upstream_http_location contains the Location: redirection from the upstream server
-    set $saved_upstream_location '$upstream_http_location';
+# Special location block to handle 302 redirects
+location @upstream_redirect {
+  # Upstream_http_location contains the Location: redirection from the upstream server
+  set $saved_upstream_location '$upstream_http_location';
 
-    # Set debug header
-    set $orig_loc 'upstream-302';
+  # Set debug header
+  set $orig_loc 'upstream-302';
 
-    # Pass to proxy and reproxy the request
-    proxy_pass $saved_upstream_location;
-  }
+  # Pass to proxy and reproxy the request
+  proxy_pass $saved_upstream_location;
+}
diff --git a/overlay/hooks/entrypoint-pre.d/00_deprecation.sh b/overlay/hooks/entrypoint-pre.d/00_deprecation.sh
old mode 100644
new mode 100755
index a841f3b..713d252
--- a/overlay/hooks/entrypoint-pre.d/00_deprecation.sh
+++ b/overlay/hooks/entrypoint-pre.d/00_deprecation.sh
@@ -1,15 +1,14 @@
 #!/bin/bash
 
-if [[ ! -z "${CACHE_DOMAIN_REPO}" ]]; then
+if [[ -n "${CACHE_DOMAIN_REPO}" ]]; then
 
 	echo "ERROR: CACHE_DOMAIN_REPO environment variable has be deprecated in favour of CACHE_DOMAINS_REPO. Please update your config"
 	exit 1
 
 fi
 
-if [[ ! -z "${CACHE_MEM_SIZE}" ]]; then
+if [[ -n "${CACHE_MEM_SIZE}" ]]; then
 	echo " *** CACHE_MEM_SIZE has been deprecated in place of CACHE_INDEX_SIZE"
 	echo " *** Using CACHE_MEM_SIZE as the value"
 	echo " *** Please update your configuration at your earliest convenience"
-	CACHE_INDEX_SIZE=$CACHE_MEM_SIZE
 fi
diff --git a/overlay/hooks/entrypoint-pre.d/05_config_check.sh b/overlay/hooks/entrypoint-pre.d/05_config_check.sh
old mode 100644
new mode 100755
index 26ed761..1ac5bdd
--- a/overlay/hooks/entrypoint-pre.d/05_config_check.sh
+++ b/overlay/hooks/entrypoint-pre.d/05_config_check.sh
@@ -2,45 +2,47 @@
 
 echo "Checking cache configuration"
 
+print_confighash_warning() {
+	cat <<-'EOF'
 
-print_confighash_warning () {
-	echo ""
-	echo "ABORTING STARTUP TO AVOID POTENTIALLY INVALIDATING THE CACHE"
-	echo ""
-	echo "If you are happy that this cache is valid with the current config changes"
-	echo "please delete \`/<cache_mount>/CONFIGHASH\`"
-	echo ""
-	echo "See: https://lancache.net/docs/advanced/config-hash/ for more details"
+		ABORTING STARTUP TO AVOID POTENTIALLY INVALIDATING THE CACHE
 
+		If you are happy that this cache is valid with the current config changes
+		please delete `/<cache_mount>/CONFIGHASH`
+
+		See: https://lancache.net/docs/advanced/config-hash/ for more details
+	EOF
 }
 
-DETECTED_CACHE_KEY=`grep proxy_cache_key /etc/nginx/sites-available/cache.conf.d/root/30_cache_key.conf | awk '{print $2}'`
+DETECTED_CACHE_KEY=$(grep proxy_cache_key /etc/nginx/sites-available/cache.conf.d/root/30_cache_key.conf | awk '{print $2}')
 NEWHASH="GENERICCACHE_VERSION=${GENERICCACHE_VERSION};CACHE_MODE=${CACHE_MODE};CACHE_SLICE_SIZE=${CACHE_SLICE_SIZE};CACHE_KEY=${DETECTED_CACHE_KEY}"
 
 if [ -d /data/cache/cache ]; then
 	echo " Detected existing cache data, checking config hash for consistency"
 	if [ -f /data/cache/CONFIGHASH ]; then
-		OLDHASH=`cat /data/cache/CONFIGHASH`
-		if [ ${OLDHASH} != ${NEWHASH} ]; then
+		OLDHASH=$(cat /data/cache/CONFIGHASH)
+		if [ "${OLDHASH}" != "${NEWHASH}" ]; then
 			echo "ERROR: Detected CONFIGHASH does not match current CONFIGHASH"
-			echo " Detected: ${OLDHASH}"
-			echo " Current:  ${NEWHASH}"
-			print_confighash_warning ${NEWHASH}
-			exit -1;
+			echo "Detected: ${OLDHASH}"
+			echo "Current:  ${NEWHASH}"
+			print_confighash_warning "${NEWHASH}"
+			exit 1
 		else
-			echo " CONFIGHASH matches current configuration"
+			echo "CONFIGHASH matches current configuration"
 		fi
 	else
-		echo " Could not find CONFIGHASH for existing cachedata"
-		echo "  This is either an upgrade from an older instance of Lancache"
-		echo "  or CONFIGHASH has been deleted intentionally"
-		echo ""
-		echo " Creating CONFIGHASH from current live configuration"
-		echo "   Current:  ${NEWHASH}"
-		echo ""
-		echo "  See: https://lancache.net/docs/advanced/config-hash/ for more details"
+		cat <<-EOF
+			Could not find CONFIGHASH for existing cachedata
+			This is either an upgrade from an older instance of Lancache
+			or CONFIGHASH has been deleted intentionally
+
+			Creating CONFIGHASH from current live configuration
+			Current:  ${NEWHASH}
+
+			See: https://lancache.net/docs/advanced/config-hash/ for more details
+		EOF
 	fi
 fi
 
 mkdir -p /data/cache/cache
-echo ${NEWHASH} > /data/cache/CONFIGHASH
+echo "${NEWHASH}" >/data/cache/CONFIGHASH
diff --git a/overlay/hooks/entrypoint-pre.d/10_setup.sh b/overlay/hooks/entrypoint-pre.d/10_setup.sh
old mode 100644
new mode 100755
index 039f645..6988a77
--- a/overlay/hooks/entrypoint-pre.d/10_setup.sh
+++ b/overlay/hooks/entrypoint-pre.d/10_setup.sh
@@ -2,23 +2,23 @@
 set -e
 
 # Handle CACHE_MEM_SIZE deprecation
-if [[ ! -z "${CACHE_MEM_SIZE}" ]]; then
-    CACHE_INDEX_SIZE=${CACHE_MEM_SIZE}
+if [[ -n "${CACHE_MEM_SIZE}" ]]; then
+	CACHE_INDEX_SIZE=${CACHE_MEM_SIZE}
 fi
 
 # Preprocess UPSTREAM_DNS to allow for multiple resolvers using the same syntax as lancache-dns
 UPSTREAM_DNS="$(echo -n "${UPSTREAM_DNS}" | sed 's/[;]/ /g')"
 
-echo "worker_processes ${NGINX_WORKER_PROCESSES};" > /etc/nginx/workers.conf
+echo "worker_processes ${NGINX_WORKER_PROCESSES};" >/etc/nginx/workers.conf
 sed -i "s/^user .*/user ${WEBUSER};/" /etc/nginx/nginx.conf
-sed -i "s/CACHE_INDEX_SIZE/${CACHE_INDEX_SIZE}/"  /etc/nginx/conf.d/20_proxy_cache_path.conf
+sed -i "s/CACHE_INDEX_SIZE/${CACHE_INDEX_SIZE}/" /etc/nginx/conf.d/20_proxy_cache_path.conf
 sed -i "s/CACHE_DISK_SIZE/${CACHE_DISK_SIZE}/" /etc/nginx/conf.d/20_proxy_cache_path.conf
 sed -i "s/MIN_FREE_DISK/${MIN_FREE_DISK}/" /etc/nginx/conf.d/20_proxy_cache_path.conf
 sed -i "s/CACHE_MAX_AGE/${CACHE_MAX_AGE}/" /etc/nginx/conf.d/20_proxy_cache_path.conf
-sed -i "s/CACHE_MAX_AGE/${CACHE_MAX_AGE}/"    /etc/nginx/sites-available/cache.conf.d/root/20_cache.conf
+sed -i "s/CACHE_MAX_AGE/${CACHE_MAX_AGE}/" /etc/nginx/sites-available/cache.conf.d/root/20_cache.conf
 sed -i "s/slice 1m;/slice ${CACHE_SLICE_SIZE};/" /etc/nginx/sites-available/cache.conf.d/root/20_cache.conf
-sed -i "s/UPSTREAM_DNS/${UPSTREAM_DNS}/"    /etc/nginx/sites-available/cache.conf.d/10_root.conf
-sed -i "s/UPSTREAM_DNS/${UPSTREAM_DNS}/"    /etc/nginx/sites-available/upstream.conf.d/10_resolver.conf
-sed -i "s/UPSTREAM_DNS/${UPSTREAM_DNS}/"    /etc/nginx/stream-available/10_sni.conf
-sed -i "s/LOG_FORMAT/${NGINX_LOG_FORMAT}/"  /etc/nginx/sites-available/10_cache.conf
-sed -i "s/LOG_FORMAT/${NGINX_LOG_FORMAT}/"  /etc/nginx/sites-available/20_upstream.conf
+sed -i "s/UPSTREAM_DNS/${UPSTREAM_DNS}/" /etc/nginx/sites-available/cache.conf.d/10_root.conf
+sed -i "s/UPSTREAM_DNS/${UPSTREAM_DNS}/" /etc/nginx/sites-available/upstream.conf.d/10_resolver.conf
+sed -i "s/UPSTREAM_DNS/${UPSTREAM_DNS}/" /etc/nginx/stream-available/10_sni.conf
+sed -i "s/LOG_FORMAT/${NGINX_LOG_FORMAT}/" /etc/nginx/sites-available/10_cache.conf
+sed -i "s/LOG_FORMAT/${NGINX_LOG_FORMAT}/" /etc/nginx/sites-available/20_upstream.conf
diff --git a/overlay/hooks/entrypoint-pre.d/15_generate_maps.sh b/overlay/hooks/entrypoint-pre.d/15_generate_maps.sh
old mode 100644
new mode 100755
index f35e475..6ac5e76
--- a/overlay/hooks/entrypoint-pre.d/15_generate_maps.sh
+++ b/overlay/hooks/entrypoint-pre.d/15_generate_maps.sh
@@ -7,50 +7,52 @@ echo "Bootstrapping Monolithic from ${CACHE_DOMAINS_REPO}"
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 cd /data/cachedomains
 if [[ ! -d .git ]]; then
-	git clone ${CACHE_DOMAINS_REPO} .
+	git clone "${CACHE_DOMAINS_REPO}" .
 fi
 
 if [[ "${NOFETCH:-false}" != "true" ]]; then
 	# Disable error checking whilst we attempt to get latest
 	set +e
-	git remote set-url origin ${CACHE_DOMAINS_REPO}
+	git remote set-url origin "${CACHE_DOMAINS_REPO}"
 	git fetch origin || echo "Failed to update from remote, using local copy of cache_domains"
-	git reset --hard origin/${CACHE_DOMAINS_BRANCH}
+	git reset --hard "origin/${CACHE_DOMAINS_BRANCH}"
 	# Reenable error checking
 	set -e
 fi
 
 TEMP_PATH=$(mktemp -d)
 OUTPUTFILE=${TEMP_PATH}/outfile.conf
-echo "map \"\$http_user_agent£££\$http_host\" \$cacheidentifier {" >> $OUTPUTFILE
-echo "    default \$http_host;" >> $OUTPUTFILE
-echo "    ~Valve\\/Steam\\ HTTP\\ Client\\ 1\.0£££.* steam;" >> $OUTPUTFILE
+cat <<'EOF' >>"${OUTPUTFILE}"
+map "$http_user_agent£££$http_host" $cacheidentifier {
+		default $http_host;
+		~Valve\/Steam\ HTTP\ Client\ 1\.0£££.* steam;
+EOF
 #Next line probably no longer needed as we are now regexing to victory
 #echo "    hostnames;" >> $OUTPUTFILE
-jq -r '.cache_domains | to_entries[] | .key' cache_domains.json | while read CACHE_ENTRY; do 
+jq -r '.cache_domains | to_entries[] | .key' cache_domains.json | while read -r CACHE_ENTRY; do
 	#for each cache entry, find the cache indentifier
-	CACHE_IDENTIFIER=$(jq -r ".cache_domains[$CACHE_ENTRY].name" cache_domains.json)
-	jq -r ".cache_domains[$CACHE_ENTRY].domain_files | to_entries[] | .key" cache_domains.json | while read CACHEHOSTS_FILEID; do
+	CACHE_IDENTIFIER=$(jq -r ".cache_domains[${CACHE_ENTRY}].name" cache_domains.json)
+	jq -r ".cache_domains[${CACHE_ENTRY}].domain_files | to_entries[] | .key" cache_domains.json | while read -r CACHEHOSTS_FILEID; do
 		#Get the key for each domain files
-		jq -r ".cache_domains[$CACHE_ENTRY].domain_files[$CACHEHOSTS_FILEID]" cache_domains.json | while read CACHEHOSTS_FILENAME; do
+		jq -r ".cache_domains[${CACHE_ENTRY}].domain_files[${CACHEHOSTS_FILEID}]" cache_domains.json | while read -r CACHEHOSTS_FILENAME; do
 			#Get the actual file name
-			echo Reading cache ${CACHE_IDENTIFIER} from ${CACHEHOSTS_FILENAME}
-			cat ${CACHEHOSTS_FILENAME} | while read CACHE_HOST; do
+			echo "Reading cache ${CACHE_IDENTIFIER} from ${CACHEHOSTS_FILENAME}"
+			while read -r CACHE_HOST; do
 				#for each file in the hosts file
 				#remove all whitespace (mangles comments but ensures valid config files)
-				echo "host: $CACHE_HOST"
+				echo "host: ${CACHE_HOST}"
 				CACHE_HOST=${CACHE_HOST// /}
-				echo "new host: $CACHE_HOST"
-				if [ ! "x${CACHE_HOST}" == "x" ]; then
+				echo "new host: ${CACHE_HOST}"
+				if [ -n "${CACHE_HOST}" ]; then
 					#Use sed to replace . with \. and * with .*
-					REGEX_CACHE_HOST=$(sed -e "s#\.#\\\.#g" -e "s#\*#\.\*#g" <<< ${CACHE_HOST})
-					echo "    ~.*£££.*?${REGEX_CACHE_HOST} ${CACHE_IDENTIFIER};" >> $OUTPUTFILE
+					REGEX_CACHE_HOST=$(sed -e "s#\.#\\\.#g" -e "s#\*#\.\*#g" <<<"${CACHE_HOST}")
+					echo "    ~.*£££.*?${REGEX_CACHE_HOST} ${CACHE_IDENTIFIER};" >>"${OUTPUTFILE}"
 				fi
-			done
+			done <"${CACHEHOSTS_FILENAME}"
 		done
 	done
 done
-echo "}" >> $OUTPUTFILE
-cat $OUTPUTFILE
-cp $OUTPUTFILE /etc/nginx/conf.d/30_maps.conf
-rm -rf $TEMP_PATH
+echo "}" >>"${OUTPUTFILE}"
+cat "${OUTPUTFILE}"
+cp "${OUTPUTFILE}" /etc/nginx/conf.d/30_maps.conf
+rm -rf "${TEMP_PATH}"
diff --git a/overlay/hooks/entrypoint-pre.d/20_perms_check.sh b/overlay/hooks/entrypoint-pre.d/20_perms_check.sh
old mode 100644
new mode 100755
index b686cde..7a6868e
--- a/overlay/hooks/entrypoint-pre.d/20_perms_check.sh
+++ b/overlay/hooks/entrypoint-pre.d/20_perms_check.sh
@@ -1,14 +1,20 @@
 #!/bin/bash
-if [ -d "/data/cache/cache" ]; then
+
+CACHE_DIR="/data/cache/cache"
+
+if [ -d "${CACHE_DIR}" ]; then
 	echo "Running fast permissions check"
-	ls -l /data/cache/cache | tail --lines=+2 | grep -v ${WEBUSER} > /dev/null
 
-	if [[ $? -eq 0 || "$FORCE_PERMS_CHECK" == "true" ]]; then
-		echo "Doing full checking of permissions (This WILL take a long time on large caches)..."
-		find /data \! -user ${WEBUSER} -exec chown ${WEBUSER}:${WEBUSER} '{}' +
-		echo "Permissions ok"
+	if [[ "${FORCE_PERMS_CHECK}" == "true" ]]; then
+		echo "FORCE_PERMS_CHECK is set, proceeding with full permissions fix"
+	elif ! find "${CACHE_DIR}" -mindepth 1 ! -user "${WEBUSER}" | read -r; then
+		echo "Fast permissions check successful, if you have any permissions error try running with -e FORCE_PERMS_CHECK=true"
+		exit 0
 	else
-		echo "Fast permissions check successful, if you have any permissions error try running with -e FORCE_PERMS_CHECK = true"
+		echo "Some files are not owned by ${WEBUSER}"
 	fi
 
+	echo "Doing full checking of permissions (This WILL take a long time on large caches)..."
+	find /data \! -user "${WEBUSER}" -exec chown "${WEBUSER}:" '{}' +
+	echo "Permissions ok"
 fi
diff --git a/overlay/hooks/supervisord-pre.d/99_config_check.sh b/overlay/hooks/supervisord-pre.d/99_config_check.sh
old mode 100644
new mode 100755
index cbf3956..316fee3
--- a/overlay/hooks/supervisord-pre.d/99_config_check.sh
+++ b/overlay/hooks/supervisord-pre.d/99_config_check.sh
@@ -4,14 +4,11 @@ echo "Currently configured config:"
 /scripts/getconfig.sh /etc/nginx/nginx.conf
 
 echo "Checking nginx config"
-/usr/sbin/nginx -t
-
- [ $? -ne 0 ] || echo "Config check successful"
+/usr/sbin/nginx -t && echo "Config check successful"
 
 echo "Ready for supervisord startup"
-if [ -n "$CACHE_ROOT" ]
-then
-    echo "Monitor ${CACHE_ROOT}/logs/access.log and ${CACHE_ROOT}/logs/error.log on the host for cache activity"
+if [ -n "$CACHE_ROOT" ]; then
+	echo "Monitor ${CACHE_ROOT}/logs/access.log and ${CACHE_ROOT}/logs/error.log on the host for cache activity"
 else
-    echo "Monitor access.log and error.log on the host for cache activity"
+	echo "Monitor access.log and error.log on the host for cache activity"
 fi
diff --git a/overlay/scripts/cache_test.sh b/overlay/scripts/cache_test.sh
index 1bbe799..99e9a7f 100755
--- a/overlay/scripts/cache_test.sh
+++ b/overlay/scripts/cache_test.sh
@@ -1,24 +1,24 @@
 #!/bin/bash
 set -e
-pageload1=`curl http://ping1.lancache.net/api/timezone/ETC/GMT --resolve ping1.lancache.net:80:127.0.0.1`
+pageload1=$(curl http://ping1.lancache.net/api/timezone/ETC/GMT --resolve ping1.lancache.net:80:127.0.0.1)
 sleep 2
-pageload2=`curl http://ping1.lancache.net/api/timezone/ETC/GMT --resolve ping1.lancache.net:80:127.0.0.1`
+pageload2=$(curl http://ping1.lancache.net/api/timezone/ETC/GMT --resolve ping1.lancache.net:80:127.0.0.1)
 sleep 2
-pageload3=`curl http://ping2.lancache.net/api/timezone/ETC/GMT --resolve ping2.lancache.net:80:127.0.0.1`
+pageload3=$(curl http://ping2.lancache.net/api/timezone/ETC/GMT --resolve ping2.lancache.net:80:127.0.0.1)
 sleep 2
-pageload4=`curl http://ping2.lancache.net/api/timezone/ETC/GMT --resolve ping2.lancache.net:80:127.0.0.1`
+pageload4=$(curl http://ping2.lancache.net/api/timezone/ETC/GMT --resolve ping2.lancache.net:80:127.0.0.1)
 
-if [ "$pageload1" == "$pageload2" ]; then
-	if [ "$pageload3" == "$pageload4" ]; then
-		if [ "$pageload1" == "$pageload3" ]; then
+if [ "${pageload1}" == "${pageload2}" ]; then
+	if [ "${pageload3}" == "${pageload4}" ]; then
+		if [ "${pageload1}" == "${pageload3}" ]; then
 			#In monolithic pages 1+3 should be different as there is no map for this test case
 			echo "Error caching test page, pages 1+3 are identical"
 
 			echo "pageload1:"
-			echo $pageload1
+			echo "${pageload1}"
 
 			echo "pageload3:"
-			echo $pageload3
+			echo "${pageload3}"
 
 			exit 3
 		else
@@ -29,12 +29,11 @@ if [ "$pageload1" == "$pageload2" ]; then
 	else
 		echo "Error caching test page, pages 3+4 differed"
 
-
 		echo "pageload3:"
-		echo $pageload3
+		echo "${pageload3}"
 
 		echo "pageload4:"
-		echo $pageload4
+		echo "${pageload4}"
 
 		exit 2
 	fi
@@ -42,12 +41,11 @@ if [ "$pageload1" == "$pageload2" ]; then
 else
 	echo "Error caching test page, pages 1+2 differed"
 
-
 	echo "pageload1:"
-	echo $pageload1
+	echo "${pageload1}"
 
 	echo "pageload2:"
-	echo $pageload2
+	echo "${pageload2}"
 
 	exit 1
 fi
diff --git a/overlay/scripts/getconfig.sh b/overlay/scripts/getconfig.sh
index 21c94f7..eea3bd4 100755
--- a/overlay/scripts/getconfig.sh
+++ b/overlay/scripts/getconfig.sh
@@ -1,39 +1,35 @@
 #!/bin/bash
 
 get_file_contents() {
-	FILES=$1
-	local FILE;
-	for FILE in $FILES; do
-		echo "# Including $FILE"
-		local LINE
-		while read LINE; do
-			CLEANLINE=`echo $LINE | sed -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*\$//g'`
-			if [[ "$CLEANLINE" =~ ^include ]]; then
-				local CL_LEN
-				local INCUDE
-				CL_LEN=${#CLEANLINE}-9;
-				INCLUDE=${CLEANLINE:8:$CL_LEN}
-				get_file_contents "$INCLUDE"
+	local FILE
+	for FILE in "$@"; do
+		echo "# Including ${FILE}"
+		while IFS= read -r LINE; do
+			CLEANLINE=$(echo "${LINE}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+			if [[ "${CLEANLINE}" =~ ^include[[:space:]]+(.+) ]]; then
+				local INCLUDE_EXPR="${BASH_REMATCH[1]}"
+				INCLUDE_EXPR="${INCLUDE_EXPR%;}"
+				eval "get_file_contents ${INCLUDE_EXPR}"
 			else
-				echo $LINE
+				echo "${LINE}"
 			fi
-		done < $FILE
-		echo "# Finished including $FILE"
-
+		done <"${FILE}"
+		echo "# Finished including ${FILE}"
 	done
 }
 
-
 main() {
+	local ABS_PATH
+	ABS_PATH=$(readlink -f "${1}") || {
+		echo "Failed to resolve path: ${1}" >&2
+		exit 1
+	}
 
-	echo "NGINX CONFIG DUMP FOR $1"
-
-	cd `dirname $1`
+	echo "NGINX CONFIG DUMP FOR ${ABS_PATH}"
 
-	get_file_contents $1
+	cd "$(dirname "${ABS_PATH}")" || exit 1
 
+	get_file_contents "${ABS_PATH}"
 }
 
-
-
-main `readlink -f $1`
+main "${1}"
diff --git a/overlay/scripts/heartbeat.sh b/overlay/scripts/heartbeat.sh
index fb17107..b734710 100755
--- a/overlay/scripts/heartbeat.sh
+++ b/overlay/scripts/heartbeat.sh
@@ -1,16 +1,20 @@
 #!/bin/bash
 set -e
-if [[ "$1" == "" ]]; then
-	BEATTIME=${BEAT_TIME}
+
+if [[ -n "${1}" ]]; then
+	BEATTIME="${1}"
+	[[ "${BEATTIME}" == 0 ]] && exit 0
 else
-	BEATTIME=$1
-	if [[ "$1" == 0 ]]; then 
-		exit 0;
-	fi
+	# shellcheck disable=SC2153
+	BEATTIME="${BEAT_TIME}"
 fi
 
+if [[ -z "${BEATTIME}" || ! "${BEATTIME}" =~ ^[0-9]+([smhd])?$ ]]; then
+	echo "Error: BEATTIME must be a positive integer optionally followed by s, m, h, or d." >&2
+	exit 1
+fi
 
-while [ 1 ]; do
-    sleep $BEATTIME;
-	wget http://127.0.0.1/lancache-heartbeat -S -O - > /dev/null 2>&1
+while true; do
+	sleep "${BEATTIME}"
+	wget http://127.0.0.1/lancache-heartbeat -S -O - >/dev/null 2>&1
 done
diff --git a/run-tests.sh b/run-tests.sh
index 3a1ff52..e29bb3c 100755
--- a/run-tests.sh
+++ b/run-tests.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
 
-if [[ "$@" == *" -- "* ]]; then
-	SD_LOGLEVEL="-e SUPERVISORD_LOGLEVEL=INFO"
-else
-	SD_LOGLEVEL="-- -e SUPERVISORD_LOGLEVEL=INFO"
-fi
+SD_LOGLEVEL=(-- -e SUPERVISORD_LOGLEVEL=INFO)
 
-curl -fsSL https://raw.githubusercontent.com/lancachenet/test-suite/master/dgoss-tests.sh | bash -s -- --imagename="lancachenet/monolithic:goss-test" $@ $SD_LOGLEVEL -e GOSS_LOGLEVEL=DEBUG
+for arg in "$@"; do
+	[[ "${arg}" == "--" ]] && SD_LOGLEVEL=(-e SUPERVISORD_LOGLEVEL=INFO) && break
+done
+
+curl -fsSL https://raw.githubusercontent.com/lancachenet/test-suite/master/dgoss-tests.sh | bash -s -- --imagename="lancachenet/monolithic:goss-test" "$@" "${SD_LOGLEVEL[@]}" -e GOSS_LOGLEVEL="DEBUG"