diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 95d6841af..9e659135a 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.0.6
+current_version = 2.1.0
 commit = True
 tag = False
 tag_name = {new_version}
@@ -30,11 +30,11 @@ search = {current_version}
 replace = {new_version}
 
 [bumpversion:file:RELEASE.txt]
-search = {current_version} 2024-02-15T16:29:01Z
+search = {current_version} 2024-02-23T20:32:41Z
 replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ}
 
 [bumpversion:part:releaseTime]
-values = 2024-02-15T16:29:01Z
+values = 2024-02-23T20:32:41Z
 
 [bumpversion:file(version):birdhouse/components/canarie-api/docker_configuration.py.template]
 search = 'version': '{current_version}'
diff --git a/.gitignore b/.gitignore
index 84d36d61b..128ede050 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ venv/
 
 ## Testing
 .pytest_cache/
+*.log
diff --git a/CHANGES.md b/CHANGES.md
index 90a4071ea..ceca39fe7 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -15,13 +15,49 @@
 [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
 ------------------------------------------------------------------------------------------------------------------
 
-## Fixes
+[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
+
+[2.1.0](https://github.com/bird-house/birdhouse-deploy/tree/2.1.0) (2024-02-23)
+------------------------------------------------------------------------------------------------------------------
 
+## Changes
+- Compose script utilities:
+  * Add `BIRDHOUSE_COLOR` option and various logging/messaging definitions in `birdhouse/scripts/logging.include.sh`.
+  * Replace all explicit color "logging" related `echo` in scripts by a utility `log {LEVEL} {message}` function
+    that employs variables `LOG_DEBUG`, `LOG_INFO`, `LOG_WARN`, `LOG_ERROR` and `LOG_CRITICAL` as applicable per
+    respective messages to report logging messages in a standard approach.
+    Colors can be disabled with `BIRDHOUSE_COLOR=0` and logging level can be set with `BIRDHOUSE_LOG_LEVEL={LEVEL}`
+    where all levels above or equal to the configured one will be displayed (default logging level is `INFO`).
+  * Unify all `birdhouse/scripts` utilities to employ the same `COMPOSE_DIR` variable (auto-resolved or explicitly set)
+    in order to include or source any relevant dependencies they might have within the `birdhouse-deploy` repository.
+  * Add `info` option (ie: `pavics-compose.sh info`) that will stop processing just before `docker-compose` call.
+    This can be used to perform a "dry-run" of the command and validate that was is loaded is as expected, by inspecting
+    provided log messages.
+  * Replace older backtick (``` ` ```) executions by `$(...)` representation except for `eval` calls that require
+    them for backward compatibility of `sh` on some server instances.
+  * Modify the `sh -x` calls to scripts listed in `COMPONENT_PRE_COMPOSE_UP` and `COMPONENT_POST_COMPOSE_UP` to employ
+    the `-x` flag (showing commands) only when `BIRDHOUSE_LOG_LEVEL=DEBUG`.
+
+- Defaults:
+  * Add multiple `SERVER_[...]` variables with defaults using previously hard coded values referring to PAVICS.
+    These variables use a special combination of `DELAYED_EVAL` and `OPTIONAL_VARS` definitions that can make use
+    of a variable formatted as `<ANY_NAME>='${__DEFAULT__<ANY_NAME>}'` that will print a warning messages indicating
+    that the default is employed, although *STRONGLY* recommended to be overridden. This allows a middle ground between
+    backward-compatible `env.local` while flagging potentially misused configurations.
+
+## Fixes
+- Canarie-API: updated references
+  * Use the new `SERVER_[...]` variables.
+  * Replace the LICENSE URL of the server node pointing
+    at [Ouranosinc/pavics-sdi](https://github.com/Ouranosinc/pavics-sdi) instead
+    of intended [bird-house/birdhouse-deploy](https://github.com/bird-house/birdhouse-deploy).
+- Magpie: ensure that the `MAGPIE_ADMIN_USERNAME` variable is respected
+  * When determining the `JUPYTERHUB_ADMIN_USERS` variable
+  * Double check that it is being respected everywhere else
 - env.local.example: fix `JUPYTERHUB_CONFIG_OVERRIDE` comment section
 
   `JUPYTERHUB_CONFIG_OVERRIDE` was disconnected from its sample code.
 
-
 [2.0.6](https://github.com/bird-house/birdhouse-deploy/tree/2.0.6) (2024-02-15)
 ------------------------------------------------------------------------------------------------------------------
 
diff --git a/Makefile b/Makefile
index c21836bfa..332c9177b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # Generic variables
 override SHELL       := bash
 override APP_NAME    := birdhouse-deploy
-override APP_VERSION := 2.0.6
+override APP_VERSION := 2.1.0
 
 # utility to remove comments after value of an option variable
 override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g")
diff --git a/README.rst b/README.rst
index 82436e237..ab9e92bd0 100644
--- a/README.rst
+++ b/README.rst
@@ -14,13 +14,13 @@ for a full-fledged production platform.
     * - releases
       - | |latest-version| |commits-since|
 
-.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.0.6.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.1.0.svg
     :alt: Commits since latest release
-    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.0.6...master
+    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.1.0...master
 
-.. |latest-version| image:: https://img.shields.io/badge/tag-2.0.6-blue.svg?style=flat
+.. |latest-version| image:: https://img.shields.io/badge/tag-2.1.0-blue.svg?style=flat
     :alt: Latest Tag
-    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.0.6
+    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.1.0
 
 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest
     :alt: ReadTheDocs Build Status (latest version)
diff --git a/RELEASE.txt b/RELEASE.txt
index 652e5ffbe..b77a8711e 100644
--- a/RELEASE.txt
+++ b/RELEASE.txt
@@ -1 +1 @@
-2.0.6 2024-02-15T16:29:01Z
+2.1.0 2024-02-23T20:32:41Z
diff --git a/birdhouse/README.rst b/birdhouse/README.rst
index 3d9f8557a..d9f53f5fe 100644
--- a/birdhouse/README.rst
+++ b/birdhouse/README.rst
@@ -148,7 +148,7 @@ instructions below.
 Manual instructions:
 
 * Go to
-  ``https://<PAVICS_FQDN>/magpie/ui/login`` and login with the ``admin`` user. The password should be in ``env.local``.
+  ``https://<PAVICS_FQDN>/magpie/ui/login`` and login with the ``MAGPIE_ADMIN_USERNAME`` user. The password should be in ``env.local``.
 
 * Then go to ``https://<PAVICS_FQDN>/magpie/ui/users/add``.
 
diff --git a/birdhouse/components/README.rst b/birdhouse/components/README.rst
index 80f25bf73..a56e460ac 100644
--- a/birdhouse/components/README.rst
+++ b/birdhouse/components/README.rst
@@ -304,7 +304,7 @@ birdhouse-deploy software stack and the machine that it is running on. It is hig
 make these routes available to anyone who does not have proper access permissions.
 
 Add existing users to the ``monitoring`` group to allow them access to the various monitoring WebUI.
-This way, we do not need to share the ``admin`` user account and do not have to add them to the
+This way, we do not need to share the ``MAGPIE_ADMIN_USERNAME`` user account and do not have to add them to the
 ``administrators`` group, which would give them too much permissions.
 
 
diff --git a/birdhouse/components/canarie-api/docker_configuration.py.template b/birdhouse/components/canarie-api/docker_configuration.py.template
index 2a3aed472..642d68127 100644
--- a/birdhouse/components/canarie-api/docker_configuration.py.template
+++ b/birdhouse/components/canarie-api/docker_configuration.py.template
@@ -109,25 +109,25 @@ SERVICES = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.0.6',
-            'releaseTime': '2024-02-15T16:29:01Z',
-            'institution': 'Ouranos',
-            'researchSubject': 'Climatology',
+            'version': '2.1.0',
+            'releaseTime': '2024-02-23T20:32:41Z',
+            'institution': '${SERVER_INSTITUTION}',
+            'researchSubject': '${SERVER_SUBJECT}',
             'supportEmail': '${SUPPORT_EMAIL}',
             'category': 'Resource/Cloud Management',
-            'tags': ['Climatology']
+            'tags': [tag.strip() for tag in "${SERVER_TAGS}".split(",") if tag.strip()],
         },
         'stats': {
             'method': '.*',
             'route': '(?!)'  # this will be set by CANARIE_STATS_ROUTES (see below)
         },
         'redirect': {
-            'doc': 'https://pavics-sdi.readthedocs.io/en/latest/arch/backend.html',
-            'releasenotes': 'https://github.com/bird-house/birdhouse-deploy/blob/master/CHANGES.md',
-            'support': 'https://github.com/bird-house/birdhouse-deploy/issues',
+            'doc': '${SERVER_DOCUMENTATION_URL}',
+            'releasenotes': '${SERVER_RELEASE_NOTES_URL}',
+            'support': '${SERVER_SUPPORT_URL}',
             'source': 'https://github.com/bird-house/birdhouse-deploy',
             'tryme': 'https://${PAVICS_FQDN_PUBLIC}',
-            'licence': 'https://pavics-sdi.readthedocs.io/en/latest/license.html',
+            'licence': '${SERVER_LICENSE_URL}',
             'provenance': 'https://pavics-sdi.readthedocs.io/en/latest/provenance/index.html'
         },
         'monitoring': {}  # filled in after processing everything, see end of script
@@ -142,12 +142,12 @@ PLATFORMS = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.0.6',
-            'releaseTime': '2024-02-15T16:29:01Z',
-            'institution': 'Ouranos',
-            'researchSubject': 'Climatology',
+            'version': '2.1.0',
+            'releaseTime': '2024-02-23T20:32:41Z',
+            'institution': '${SERVER_INSTITUTION}',
+            'researchSubject': '${SERVER_SUBJECT}',
             'supportEmail': '${SUPPORT_EMAIL}',
-            'tags': ['Climatology', 'Cloud']
+            'tags': [tag.strip() for tag in "${SERVER_TAGS}".split(",") if tag.strip()],
         },
         'stats': {
             'method': '.*',
diff --git a/birdhouse/components/geoserver/pre-docker-compose-up b/birdhouse/components/geoserver/pre-docker-compose-up
index 78cc13880..cd482ea2f 100755
--- a/birdhouse/components/geoserver/pre-docker-compose-up
+++ b/birdhouse/components/geoserver/pre-docker-compose-up
@@ -1,10 +1,17 @@
 #!/bin/sh
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="$THIS_DIR/../.."
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}/..")}"
+
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+  . "${COMPOSE_DIR}/read-configs.include.sh"
+
+  # resolve GEOSERVER_DATA_DIR
+  read_configs
+fi
 
 if [ ! -f "${GEOSERVER_DATA_DIR}/global.xml" ]; then
-  echo "fix GeoServer data dir permission on first run only, when data dir do not exist yet."
-  FIRST_RUN_ONLY=1 "$COMPOSE_DIR"/deployment/fix-geoserver-data-dir-perm
+  log INFO "fix GeoServer data dir permission on first run only, when data dir do not exist yet."
+  FIRST_RUN_ONLY=1 "${COMPOSE_DIR}/deployment/fix-geoserver-data-dir-perm"
 fi
diff --git a/birdhouse/components/jupyterhub/default.env b/birdhouse/components/jupyterhub/default.env
index c7013f931..2a77689ad 100644
--- a/birdhouse/components/jupyterhub/default.env
+++ b/birdhouse/components/jupyterhub/default.env
@@ -68,9 +68,13 @@ export JUPYTERHUB_CRYPT_KEY=
 # JUPYTERHUB_CRYPT_KEY is set.
 export JUPYTERHUB_AUTHENTICATOR_REFRESH_AGE=60
 
+# Usernames that should be given admin access in jupyterhub
+export JUPYTERHUB_ADMIN_USERS='{\"${MAGPIE_ADMIN_USERNAME}\"}'  # python set syntax
+
 export DELAYED_EVAL="
   $DELAYED_EVAL
   JUPYTERHUB_USER_DATA_DIR
+  JUPYTERHUB_ADMIN_USERS
 "
 
 # add any new variables not already in 'VARS' or 'OPTIONAL_VARS' that must be replaced in templates here
diff --git a/birdhouse/components/proxy/pre-docker-compose-up b/birdhouse/components/proxy/pre-docker-compose-up
index 0d5acbe8c..698ecb289 100755
--- a/birdhouse/components/proxy/pre-docker-compose-up
+++ b/birdhouse/components/proxy/pre-docker-compose-up
@@ -3,12 +3,11 @@
 # Create JSON files containing the version information, available services, and
 # enabled components. These files will be served by the nginx proxy as static files.
 
-THIS_FILE="$(realpath "$0")"
-THIS_DIR="$(dirname "$THIS_FILE")"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
 
 mkdir -p "${THIS_DIR}/static"
 
 echo "${BIRDHOUSE_VERSION_JSON}" > "${THIS_DIR}/static/version.json"
 echo "${BIRDHOUSE_DEPLOY_SERVICES_JSON}" > "${THIS_DIR}/static/services.json"
 echo "${BIRDHOUSE_DEPLOY_COMPONENTS_JSON}" > "${THIS_DIR}/static/components.json"
-
diff --git a/birdhouse/default.env b/birdhouse/default.env
index 1db0e7f32..bec5cec1c 100644
--- a/birdhouse/default.env
+++ b/birdhouse/default.env
@@ -6,6 +6,13 @@
 # must use single quotes to avoid early expansion before overrides in env.local
 # are applied and must be added to the list of DELAYED_EVAL.
 
+# Any default value that should be marked for security concern or recommended modificiation should
+# use the '${__DEFAULT__{var}}' naming format. These can then be referenced in 'env.local.example' to
+# avoid literal value duplication, and ensure they remain in sync. Also, those '${__DEFAULT__{var}}'
+# definitions should *NOT* be exported to avoid unnecessary polution of the environment variables.
+# Variables with format '${__DEFAULT__{var}}' will be flagged accordingly to their required/optional status
+# (see also: 'check_default_vars' in 'birdhouse/read-configs.include.sh').
+
 export BASH_IMAGE="bash:5.1.4"
 
 # Root directory under which all data persistence should be nested under
@@ -29,19 +36,86 @@ export PAVICS_FQDN_PUBLIC='${PAVICS_FQDN}'
 export DELAYED_EVAL="
   $DELAYED_EVAL
   PAVICS_FQDN_PUBLIC
+  DOC_URL
+  SUPPORT_EMAIL
+  SSL_CERTIFICATE
   DATA_PERSIST_SHARED_ROOT
   WPS_OUTPUTS_DIR
+  SERVER_NAME
+  SERVER_DESCRIPTION
+  SERVER_INSTITUTION
+  SERVER_SUBJECT
+  SERVER_TAGS
+  SERVER_DOCUMENTATION_URL
+  SERVER_RELEASE_NOTES_URL
+  SERVER_SUPPORT_URL
+  SERVER_LICENSE_URL
 "
 
-
-export SERVER_NAME=PAVICS
-export SERVER_DESCRIPTION="
+# Server Identification Details
+#   Following definitions should definitenly be updated.
+#   Previous defaults are defined for backward-compatibility.
+#   If not overridden explicitly by their non '__' prefixed variant,
+#   a WARN message will be displayed by pavics-compose.
+__DEFAULT__SERVER_NAME="PAVICS"
+__DEFAULT__SERVER_DESCRIPTION="
 The PAVICS (Power Analytics for Visualization of Climate Science) platform is a collection of
 climate analysis services served through Open Geospatial Consortium (OGC) protocols.
 These services include data access, processing and visualization. Both data and algorithms
 can be accessed either programmatically, through OGC-compliant clients such as QGIS or ArcGIS,
 or a custom web interface.
 "
+__DEFAULT__SERVER_INSTITUTION="Ouranos"
+__DEFAULT__SERVER_SUBJECT="Climatology"
+# below can be a CSV list of tags
+__DEFAULT__SERVER_TAGS="Climatology"
+__DEFAULT__SERVER_DOCUMENTATION_URL="https://pavics-sdi.readthedocs.io/en/latest/arch/backend.html"
+__DEFAULT__SERVER_RELEASE_NOTES_URL="https://github.com/bird-house/birdhouse-deploy/blob/master/CHANGES.md"
+__DEFAULT__SERVER_SUPPORT_URL="https://github.com/bird-house/birdhouse-deploy/issues"
+# NOTE:
+#   This value does not use the previously hard coded default.
+#   Previous default pointed at the wrong repository with a mismatching LICENSE file.
+__DEFAULT__SERVER_LICENSE_URL="https://github.com/bird-house/birdhouse-deploy/blob/master/LICENSE"
+__DEFAULT__SUPPORT_EMAIL="helpdesk@example.com"
+__DEFAULT__DOC_URL="https://www.example.com/"
+__DEFAULT__PAVICS_FQDN="hostname.domainname"
+__DEFAULT__SSL_CERTIFICATE="/path/to/ssl/cert.pem"
+
+# apply overrides or fallback above defaults with delayed evaluation
+# exceptions for 'SUPPORT_EMAIL' and 'DOC_URL' using the old name for backward compatibility.
+export SUPPORT_EMAIL='${__DEFAULT__SUPPORT_EMAIL}'
+export DOC_URL='${__DEFAULT__DOC_URL}'
+export SSL_CERTIFICATE='${__DEFAULT__SSL_CERTIFICATE}'
+export SERVER_NAME='${__DEFAULT__SERVER_NAME}'
+export SERVER_DESCRIPTION='${__DEFAULT__SERVER_DESCRIPTION}'
+export SERVER_INSTITUTION='${__DEFAULT__SERVER_INSTITUTION}'
+export SERVER_SUBJECT='${__DEFAULT__SERVER_SUBJECT}'
+export SERVER_TAGS='${__DEFAULT__SERVER_TAGS}'
+export SERVER_DOCUMENTATION_URL='${__DEFAULT__SERVER_DOCUMENTATION_URL}'
+export SERVER_RELEASE_NOTES_URL='${__DEFAULT__SERVER_RELEASE_NOTES_URL}'
+export SERVER_SUPPORT_URL='${__DEFAULT__SERVER_SUPPORT_URL}'
+export SERVER_LICENSE_URL='${__DEFAULT__SERVER_LICENSE_URL}'
+
+# Defaults for required variables recommended for override for security reasons.
+# Those will not be set explicitly as defaults to ensure they are overridden explicitly by the instance.
+# These values would be detected only if the instance was configured using a copy of 'env.local.example'.
+__DEFAULT__MAGPIE_SECRET="itzaseekrit"
+__DEFAULT__MAGPIE_ADMIN_USERNAME="admin"
+__DEFAULT__MAGPIE_ADMIN_PASSWORD="qwertyqwerty!"
+__DEFAULT__POSTGRES_PAVICS_USERNAME="postgres-pavics"
+__DEFAULT__POSTGRES_PAVICS_PASSWORD="postgres-qwerty"
+__DEFAULT__POSTGRES_MAGPIE_USERNAME="postgres-magpie"
+__DEFAULT__POSTGRES_MAGPIE_PASSWORD="postgres-qwerty"
+__DEFAULT__GEOSERVER_ADMIN_USER="admingeo"
+__DEFAULT__GEOSERVER_ADMIN_PASSWORD="geoserverpass"
+#############################################################################
+# Deprecated vars (for components in the ./deprecated-components directory)
+#############################################################################
+__DEFAULT__TOMCAT_NCWMS_PASSWORD="ncwmspass"
+__DEFAULT__CATALOG_USERNAME="admin-catalog"
+__DEFAULT__CATALOG_PASSWORD="qwerty"
+__DEFAULT__PHOENIX_PASSWORD="phoenix_pass"
+__DEFAULT__PHOENIX_PASSWORD_HASH="sha256:123456789012:1234567890123456789012345678901234567890123456789012345678901234"
 
 export DEFAULT_CONF_DIRS='
   ./components/proxy
diff --git a/birdhouse/deployment/certbotwrapper b/birdhouse/deployment/certbotwrapper
index 4cc3769dc..34828d67c 100755
--- a/birdhouse/deployment/certbotwrapper
+++ b/birdhouse/deployment/certbotwrapper
@@ -46,8 +46,8 @@ certbotwrapper START_TIME=$START_TIME"
 
 set -x
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
 SAVED_PWD="`pwd`"
 
 . "$THIS_DIR/../read-configs.include.sh"
diff --git a/birdhouse/deployment/deploy.sh b/birdhouse/deployment/deploy.sh
index 7159ae5e3..8df019bf3 100755
--- a/birdhouse/deployment/deploy.sh
+++ b/birdhouse/deployment/deploy.sh
@@ -53,9 +53,9 @@
 #   are re-read.  docker-compose is not aware of any changes outside of the
 #   docker-compose.yml file.
 
-if [ ! -z "$AUTODEPLOY_SILENT" ]; then
+if [ ! -z "${AUTODEPLOY_SILENT}" ]; then
     LOG_FILE="/var/log/PAVICS/autodeploy.log"
-    exec >>$LOG_FILE 2>&1
+    exec >> "${LOG_FILE}" 2>&1
 fi
 
 usage() {
@@ -65,7 +65,7 @@ usage() {
 COMPOSE_DIR="$1"
 ENV_LOCAL_FILE="$2"
 
-if [ -z "$COMPOSE_DIR" ]; then
+if [ -z "${COMPOSE_DIR}" ]; then
     echo "ERROR: please provide path to PAVICS docker-compose dir." 1>&2
     usage
     exit 2
@@ -73,23 +73,22 @@ else
     shift
 fi
 
-if [ -z "$ENV_LOCAL_FILE" ]; then
-    ENV_LOCAL_FILE="$COMPOSE_DIR/env.local"
+if [ -z "${ENV_LOCAL_FILE}" ]; then
+    ENV_LOCAL_FILE="${COMPOSE_DIR}/env.local"
 else
     shift
 fi
 
-COMPOSE_DIR="`realpath "$COMPOSE_DIR"`"
-REPO_ROOT="`realpath "$COMPOSE_DIR/.."`"
+COMPOSE_DIR="$(realpath "${COMPOSE_DIR}")"
 
-if [ ! -f "$COMPOSE_DIR/docker-compose.yml" -o \
-     ! -f "$COMPOSE_DIR/pavics-compose.sh" ]; then
-    echo "ERROR: missing docker-compose.yml or pavics-compose.sh file in '$COMPOSE_DIR'" 1>&2
+if [ ! -f "${COMPOSE_DIR}/docker-compose.yml" ] || \
+   [ ! -f "${COMPOSE_DIR}/pavics-compose.sh" ]; then
+    echo "ERROR: missing docker-compose.yml or pavics-compose.sh file in '${COMPOSE_DIR}'" 1>&2
     exit 2
 fi
 
-if [ ! -f "$ENV_LOCAL_FILE" ]; then
-    echo "ERROR: env.local '$ENV_LOCAL_FILE' not found, please instantiate from '$COMPOSE_DIR/env.local.example'" 1>&2
+if [ ! -f "${ENV_LOCAL_FILE}" ]; then
+    echo "ERROR: env.local '${ENV_LOCAL_FILE}' not found, please instantiate from '${COMPOSE_DIR}/env.local.example'" 1>&2
     exit 2
 fi
 
@@ -100,56 +99,56 @@ fi
 # Setup COMPOSE_DIR and PWD for sourcing env.local.
 # Prevent un-expected difference when this script is run inside autodeploy
 # container and manually from the host.
-cd $COMPOSE_DIR
+cd "${COMPOSE_DIR}" || exit
 
-START_TIME="`date -Isecond`"
-echo "deploy START_TIME=$START_TIME"
+START_TIME="$(date -Isecond)"
+echo "deploy START_TIME=${START_TIME}"
 
-. "$COMPOSE_DIR/read-configs.include.sh"
+. "${COMPOSE_DIR}/read-configs.include.sh"
 
 # Read AUTODEPLOY_EXTRA_REPOS
 read_basic_configs_only
 
 set -x
 
-for adir in $COMPOSE_DIR $AUTODEPLOY_EXTRA_REPOS; do
-    if [ -d "$adir" ]; then
-        cd $adir
+for adir in "${COMPOSE_DIR}" ${AUTODEPLOY_EXTRA_REPOS}; do
+    if [ -d "${adir}" ]; then
+        cd "${adir}" || exit
 
         # fail fast if unclean checkout
-        if [ ! -z "`git status -u --porcelain`" ]; then
-            echo "ERROR: unclean repo '$adir'" 1>&2
+        if [ ! -z "$(git status -u --porcelain)" ]; then
+            echo "ERROR: unclean repo '${adir}'" 1>&2
             exit 1
         fi
     else
-        echo "WARNING: extra repo '$adir' do not exist"
+        echo "WARNING: extra repo '${adir}' do not exist"
     fi
 done
 
-cd $COMPOSE_DIR
+cd "${COMPOSE_DIR}" || exit
 
 read_basic_configs_only
 
 # stop all to force reload any changed config that are volume-mount into the containers
 ./pavics-compose.sh stop
 
-for adir in $COMPOSE_DIR $AUTODEPLOY_EXTRA_REPOS; do
-    if [ -d "$adir" ]; then
-        cd $adir
+for adir in "${COMPOSE_DIR}" ${AUTODEPLOY_EXTRA_REPOS}; do
+    if [ -d "${adir}" ]; then
+        cd "${adir}" || exit
 
-        EXTRA_REPO="`git rev-parse --show-toplevel`"
-        DEPLOY_KEY="$AUTODEPLOY_DEPLOY_KEY_ROOT_DIR/`basename "$EXTRA_REPO"`_deploy_key"
-        DEFAULT_DEPLOY_KEY="$AUTODEPLOY_DEPLOY_KEY_ROOT_DIR/id_rsa_git_ssh_read_only"
-        if [ ! -e "$DEPLOY_KEY" -a -e "$DEFAULT_DEPLOY_KEY" ]; then
-            DEPLOY_KEY="$DEFAULT_DEPLOY_KEY"
+        EXTRA_REPO="$(git rev-parse --show-toplevel)"
+        DEPLOY_KEY="${AUTODEPLOY_DEPLOY_KEY_ROOT_DIR}/$(basename "${EXTRA_REPO}")_deploy_key"
+        DEFAULT_DEPLOY_KEY="${AUTODEPLOY_DEPLOY_KEY_ROOT_DIR}/id_rsa_git_ssh_read_only"
+        if [ ! -e "${DEPLOY_KEY}" ] && [ -e "${DEFAULT_DEPLOY_KEY}" ]; then
+            DEPLOY_KEY="${DEFAULT_DEPLOY_KEY}"
         fi
 
         export GIT_SSH_COMMAND=""  # git ver 2.3+
-        if [ -e "$DEPLOY_KEY" ]; then
+        if [ -e "${DEPLOY_KEY}" ]; then
             # override git ssh command for private repos only
             #
             # https://git-scm.com/docs/git-config#Documentation/git-config.txt-sshvariant
-            export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=$DEPLOY_KEY"
+            export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentityFile=${DEPLOY_KEY}"
         else
             unset GIT_SSH_COMMAND
         fi
@@ -160,18 +159,18 @@ for adir in $COMPOSE_DIR $AUTODEPLOY_EXTRA_REPOS; do
         # This runs as the root user so new/updated files will be owned by root after the git pull, this sets the
         # owner of the code to CODE_OWNERSHIP if set. CODE_OWNERSHIP should contain uids instead of usernames since
         # usernames within a docker container will not necessarily line up with those on the host system.
-        if [ -n "$CODE_OWNERSHIP" ]; then
-          chown -R "$CODE_OWNERSHIP" "$(git rev-parse --show-toplevel)"
+        if [ -n "${CODE_OWNERSHIP}" ]; then
+          chown -R "${CODE_OWNERSHIP}" "$(git rev-parse --show-toplevel)"
         fi
     else
-        echo "WARNING: extra repo '$adir' do not exist"
+        echo "WARNING: extra repo '${adir}' do not exist"
     fi
 done
 
-cd $COMPOSE_DIR
+cd "${COMPOSE_DIR}" || exit
 
 # reload again after git pull because this file could be changed by the pull
-. "$COMPOSE_DIR/read-configs.include.sh"
+. "${COMPOSE_DIR}/read-configs.include.sh"
 
 # reload again after default.env since env.local can override default.env
 # (ex: JUPYTERHUB_USER_DATA_DIR)
@@ -183,8 +182,8 @@ read_basic_configs_only
 set +x
 
 echo "
-deploy finished START_TIME=$START_TIME
-deploy finished   END_TIME=`date -Isecond`"
+deploy finished START_TIME=${START_TIME}
+deploy finished   END_TIME=$(date -Isecond)"
 
 
 # vi: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/birdhouse/deployment/fix-geoserver-data-dir-perm b/birdhouse/deployment/fix-geoserver-data-dir-perm
index 644922674..f87dfa2d4 100755
--- a/birdhouse/deployment/fix-geoserver-data-dir-perm
+++ b/birdhouse/deployment/fix-geoserver-data-dir-perm
@@ -8,13 +8,11 @@
 # global.xml will exist and this script will not execute.  Without
 # FIRST_RUN_ONLY, this script will always execute.
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
-# Go to repo root.
-cd $THIS_DIR/../..
-
-. birdhouse/read-configs.include.sh
+. "${COMPOSE_DIR}/read-configs.include.sh"
 
 # Get BASH_IMAGE
 # Get GEOSERVER_DATA_DIR
@@ -22,15 +20,15 @@ read_configs
 
 set -x
 
-DATA_DIR="$GEOSERVER_DATA_DIR"
+DATA_DIR="${GEOSERVER_DATA_DIR}"
 
 if [ -n "$1" ]; then
     DATA_DIR="$1"; shift
 fi
 
 docker run --rm --name fix-geoserver-data-dir-perm \
-    --volume ${DATA_DIR}:/datadir \
+    --volume "${DATA_DIR}":/datadir \
     --env FIRST_RUN_ONLY \
-    $BASH_IMAGE \
+    "${BASH_IMAGE}" \
     bash -xc 'if [ -z "$FIRST_RUN_ONLY" -o ! -f /datadir/global.xml ]; \
     then chown -R 1000:10001 /datadir; else echo "No execute."; fi'
diff --git a/birdhouse/deployment/fix-write-perm b/birdhouse/deployment/fix-write-perm
index 49d2cd73d..00d73df55 100755
--- a/birdhouse/deployment/fix-write-perm
+++ b/birdhouse/deployment/fix-write-perm
@@ -37,26 +37,27 @@
 # So the setfacl solution is the simplest, most portable/generic and most
 # localized (only the directories we need) solution.
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
-# Go to repo root.
-cd $THIS_DIR/../..
-
-. birdhouse/read-configs.include.sh
+. "${COMPOSE_DIR}/read-configs.include.sh"
 
 # Get GEOSERVER_DATA_DIR, JUPYTERHUB_USER_DATA_DIR, MAGPIE_PERSIST_DIR
 read_configs
 
-DEFAULT_EXTRA_DATA_DIR="$GEOSERVER_DATA_DIR/ $JUPYTERHUB_USER_DATA_DIR/ \
-    $MAGPIE_PERSIST_DIR/"
+DEFAULT_EXTRA_DATA_DIR="
+    ${GEOSERVER_DATA_DIR}/
+    ${JUPYTERHUB_USER_DATA_DIR}/ \
+    ${MAGPIE_PERSIST_DIR}/ \
+"
 
 EXTRA_DATA_DIR=""
 if [ -n "$FIX_WRITE_PERM_EXTRA" ]; then
-    EXTRA_DATA_DIR="$DEFAULT_EXTRA_DATA_DIR"
+    EXTRA_DATA_DIR="${DEFAULT_EXTRA_DATA_DIR}"
 fi
 
 set -x
 
-sudo setfacl -Rdm u:$USER:rwX $PWD $AUTODEPLOY_EXTRA_REPOS $EXTRA_DATA_DIR "$@"  # for future files
-sudo setfacl -Rm u:$USER:rwX $PWD $AUTODEPLOY_EXTRA_REPOS $EXTRA_DATA_DIR "$@"  # for existing files
+sudo setfacl -Rdm "u:${USER}:rwX" "${PWD}" ${AUTODEPLOY_EXTRA_REPOS} ${EXTRA_DATA_DIR} "$@"  # for future files
+sudo setfacl -Rm "u:${USER}:rwX" "${PWD}" ${AUTODEPLOY_EXTRA_REPOS} ${EXTRA_DATA_DIR} "$@"  # for existing files
diff --git a/birdhouse/deployment/install-deploy-notebook b/birdhouse/deployment/install-deploy-notebook
index baf148e57..2a64b33bb 100755
--- a/birdhouse/deployment/install-deploy-notebook
+++ b/birdhouse/deployment/install-deploy-notebook
@@ -21,21 +21,21 @@ if [ -z "$1" ]; then
 fi
 
 
-REPO_ROOT="`realpath "$1"`"; shift  # path to PAVICS checkout
+REPO_ROOT="$(realpath "$1")"; shift  # path to PAVICS checkout
 
-if [ ! -e "$REPO_ROOT/birdhouse/deployment/trigger-deploy-notebook" ]; then
-    echo "ERROR: bad/wrong pavics-checkout '$REPO_ROOT' " 1>&2
+if [ ! -e "${REPO_ROOT}/birdhouse/deployment/trigger-deploy-notebook" ]; then
+    echo "ERROR: bad/wrong pavics-checkout '${REPO_ROOT}' " 1>&2
     usage
     exit 2
 fi
 
-. "$REPO_ROOT/birdhouse/read-configs.include.sh"
+. "${REPO_ROOT}/birdhouse/read-configs.include.sh"
 
 # Get JUPYTERHUB_USER_DATA_DIR
 read_configs
 
 set -x
 
-cat $REPO_ROOT/birdhouse/deployment/trigger-deploy-notebook | envsubst '${JUPYTERHUB_USER_DATA_DIR}' | sudo tee $CRON_FILE
-sudo chown root:root $CRON_FILE
-sudo chmod 755 $CRON_FILE
+cat "${REPO_ROOT}/birdhouse/deployment/trigger-deploy-notebook" | envsubst '${JUPYTERHUB_USER_DATA_DIR}' | sudo tee "${CRON_FILE}"
+sudo chown root:root "${CRON_FILE}"
+sudo chmod 755 "${CRON_FILE}"
diff --git a/birdhouse/deployment/trigger-deploy-notebook b/birdhouse/deployment/trigger-deploy-notebook
index bb052d3c0..c0da0aa70 100755
--- a/birdhouse/deployment/trigger-deploy-notebook
+++ b/birdhouse/deployment/trigger-deploy-notebook
@@ -12,6 +12,10 @@
 #
 # Logs to /var/log/PAVICS/notebookdeploy.log, re-use existing logrotate.
 
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
+
 LOG_FILE="/var/log/PAVICS/notebookdeploy.log"
 exec >>$LOG_FILE 2>&1
 
@@ -20,24 +24,21 @@ cleanup_on_exit() {
     set +x
     echo "
 notebookdeploy finished START_TIME=$START_TIME
-notebookdeploy finished   END_TIME=`date -Isecond`"
+notebookdeploy finished   END_TIME=$(date -Isecond)"
 }
 
 trap cleanup_on_exit EXIT
 
-START_TIME="`date -Isecond`"
+START_TIME="$(date -Isecond)"
 echo "==========
 notebookdeploy START_TIME=$START_TIME"
 
 # running script manually (not with cron) source env.local file.
-if [ -z "$COMPOSE_DIR" ]; then
-    COMPOSE_DIR="$(dirname -- "$(dirname -- "$(realpath "$0")")")"
-fi
-
-if [ -f "$COMPOSE_DIR/read-configs.include.sh" ]; then
-    . "$COMPOSE_DIR/read-configs.include.sh"
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
 
     # Get JUPYTERHUB_USER_DATA_DIR
+    # Get BASH_IMAGE
     read_configs
 fi
 
@@ -45,31 +46,31 @@ set -x
 
 NOTEBOOK_DIR_MNT="/notebook_dir"
 TUTORIAL_NOTEBOOKS_DIR="tutorial-notebooks"
-if [ -z "$WORKFLOW_TESTS_BRANCH" ]; then
+if [ -z "${WORKFLOW_TESTS_BRANCH}" ]; then
     # when testing, override this
     WORKFLOW_TESTS_BRANCH="master"
 fi
 
-if [ -z "$TMP_BASE_DIR" ]; then
+if [ -z "${TMP_BASE_DIR}" ]; then
     TMP_BASE_DIR="/tmp"
 fi
 
-TMPDIR="`mktemp -d -t notebookdeploy.XXXXXXXXXXXX -p $TMP_BASE_DIR`"
+TMPDIR="$(mktemp -d -t notebookdeploy.XXXXXXXXXXXX -p "${TMP_BASE_DIR}")"
 
-cd $TMPDIR
-mkdir $TUTORIAL_NOTEBOOKS_DIR
-cd $TUTORIAL_NOTEBOOKS_DIR
+cd "${TMPDIR}" || exit
+mkdir "${TUTORIAL_NOTEBOOKS_DIR}"
+cd "${TUTORIAL_NOTEBOOKS_DIR}" || exit
 
-wget --quiet https://raw.githubusercontent.com/Ouranosinc/PAVICS-e2e-workflow-tests/$WORKFLOW_TESTS_BRANCH/downloadrepos
+wget --quiet "https://raw.githubusercontent.com/Ouranosinc/PAVICS-e2e-workflow-tests/${WORKFLOW_TESTS_BRANCH}/downloadrepos"
 chmod a+x downloadrepos
 
-wget --quiet https://raw.githubusercontent.com/Ouranosinc/PAVICS-e2e-workflow-tests/$WORKFLOW_TESTS_BRANCH/default_build_params
+wget --quiet "https://raw.githubusercontent.com/Ouranosinc/PAVICS-e2e-workflow-tests/${WORKFLOW_TESTS_BRANCH}/default_build_params"
 
-wget --quiet https://raw.githubusercontent.com/Ouranosinc/PAVICS-e2e-workflow-tests/$WORKFLOW_TESTS_BRANCH/binder/reorg-notebooks
+wget --quiet "https://raw.githubusercontent.com/Ouranosinc/PAVICS-e2e-workflow-tests/${WORKFLOW_TESTS_BRANCH}/binder/reorg-notebooks"
 chmod a+x reorg-notebooks
 
 # same sequence as Binder, same layout as Binder
-wget --quiet --output-document - https://github.com/Ouranosinc/PAVICS-e2e-workflow-tests/archive/master.tar.gz | tar xz
+wget --quiet --output-document - "https://github.com/Ouranosinc/PAVICS-e2e-workflow-tests/archive/master.tar.gz" | tar xz
 ./downloadrepos
 ./reorg-notebooks
 mv -v PAVICS-e2e-workflow-tests-master/notebooks/*.ipynb ./
@@ -77,30 +78,30 @@ rm -rf PAVICS-e2e-workflow-tests-master
 rm -rf downloadrepos default_build_params reorg-notebooks
 
 TMP_SCRIPT="$TMPDIR/deploy-notebook"
-cat << __EOF__ > $TMP_SCRIPT
+cat << __EOF__ > "${TMP_SCRIPT}"
 #!/bin/sh -x
 
 if [ -n "\`ls -A /$TUTORIAL_NOTEBOOKS_DIR/\`" ]; then
-    cd $NOTEBOOK_DIR_MNT
-    rm -rf $TUTORIAL_NOTEBOOKS_DIR/*
-    if [ ! -d $TUTORIAL_NOTEBOOKS_DIR ]; then
-        mkdir $TUTORIAL_NOTEBOOKS_DIR
+    cd "${NOTEBOOK_DIR_MNT}"
+    rm -rf ${TUTORIAL_NOTEBOOKS_DIR}/*
+    if [ ! -d "${TUTORIAL_NOTEBOOKS_DIR}" ]; then
+        mkdir "${TUTORIAL_NOTEBOOKS_DIR}"
     fi
-    cp -rv /$TUTORIAL_NOTEBOOKS_DIR/* $TUTORIAL_NOTEBOOKS_DIR
+    cp -rv /${TUTORIAL_NOTEBOOKS_DIR}/* "${TUTORIAL_NOTEBOOKS_DIR}"
     # make read-only
-    chown -R root:root $TUTORIAL_NOTEBOOKS_DIR
+    chown -R root:root "${TUTORIAL_NOTEBOOKS_DIR}"
 fi
 __EOF__
-chmod a+x $TMP_SCRIPT
+chmod a+x "${TMP_SCRIPT}"
 
 docker run --rm \
   --name deploy_tutorial_notebooks \
   -u root \
-  -v $TMP_SCRIPT:/deploy-notebook:ro \
-  -v $TMPDIR/$TUTORIAL_NOTEBOOKS_DIR:/$TUTORIAL_NOTEBOOKS_DIR:ro \
-  -v "$JUPYTERHUB_USER_DATA_DIR":$NOTEBOOK_DIR_MNT:rw \
+  -v "${TMP_SCRIPT}":/deploy-notebook:ro \
+  -v "${TMPDIR}/${TUTORIAL_NOTEBOOKS_DIR}":"/${TUTORIAL_NOTEBOOKS_DIR}":ro \
+  -v "${JUPYTERHUB_USER_DATA_DIR}":"${NOTEBOOK_DIR_MNT}":rw \
   --entrypoint /deploy-notebook \
-  bash:5.1.4
+  "${BASH_IMAGE}"
 
 
 # vi: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/birdhouse/deployment/triggerdeploy.sh b/birdhouse/deployment/triggerdeploy.sh
index 4ddce8122..82752dfb8 100755
--- a/birdhouse/deployment/triggerdeploy.sh
+++ b/birdhouse/deployment/triggerdeploy.sh
@@ -59,7 +59,7 @@ else
     shift
 fi
 
-COMPOSE_DIR="`realpath "$COMPOSE_DIR"`"
+COMPOSE_DIR="$(realpath "$COMPOSE_DIR")"
 
 if [ ! -f "$COMPOSE_DIR/docker-compose.yml" ]; then
     echo "ERROR: missing docker-compose.yml in '$COMPOSE_DIR'" 1>&2
@@ -78,12 +78,12 @@ cd $COMPOSE_DIR
 
 
 should_trigger() {
-    EXTRA_REPO="`git rev-parse --show-toplevel`"
+    EXTRA_REPO="$(git rev-parse --show-toplevel)"
 
-    DEPLOY_KEY="$AUTODEPLOY_DEPLOY_KEY_ROOT_DIR/`basename "$EXTRA_REPO"`_deploy_key"
-    DEFAULT_DEPLOY_KEY="$AUTODEPLOY_DEPLOY_KEY_ROOT_DIR/id_rsa_git_ssh_read_only"
-    if [ ! -e "$DEPLOY_KEY" -a -e "$DEFAULT_DEPLOY_KEY" ]; then
-        DEPLOY_KEY="$DEFAULT_DEPLOY_KEY"
+    DEPLOY_KEY="${AUTODEPLOY_DEPLOY_KEY_ROOT_DIR}/$(basename "$EXTRA_REPO")_deploy_key"
+    DEFAULT_DEPLOY_KEY="${AUTODEPLOY_DEPLOY_KEY_ROOT_DIR}/id_rsa_git_ssh_read_only"
+    if [ ! -e "$DEPLOY_KEY" ] && [ -e "${DEFAULT_DEPLOY_KEY}" ]; then
+        DEPLOY_KEY="${DEFAULT_DEPLOY_KEY}"
     fi
     DEPLOY_KEY_DISPLAY=""
 
@@ -100,80 +100,84 @@ should_trigger() {
     # fetch remote branches, not affecting current checkout
     git fetch --prune --all
 
-    CURRENT_BRANCH="`git rev-parse --abbrev-ref HEAD`"
+    CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
 
     # find out if we are behind and/or ahead remote tracking branch
     TMP_SAVE_FILE="/tmp/triggerdeploy-behindcnt.txt"
-    echo "BEHIND_CNT=-1" > $TMP_SAVE_FILE
-    echo "AHEAD_CNT=-1" >> $TMP_SAVE_FILE
-    echo "local=" >> $TMP_SAVE_FILE
-    echo "remote=" >> $TMP_SAVE_FILE
+    {
+      echo "BEHIND_CNT=-1"
+      echo "AHEAD_CNT=-1"
+      echo "local="
+      echo "remote="
+    } >> "${TMP_SAVE_FILE}"
     git for-each-ref --format="%(refname:short) %(upstream:short)" refs/heads | \
     while read local remote
     do
-        [ -z "$remote" ] && continue
-        git show-branch remotes/$remote || continue
-        [ "$local" != "$CURRENT_BRANCH" ] && continue
-        BEHIND_CNT="`git rev-list --right-only --count ${local}...${remote}`"
-        AHEAD_CNT="`git rev-list --left-only --count ${local}...${remote}`"
-        echo "BEHIND_CNT=$BEHIND_CNT" >> $TMP_SAVE_FILE
-        echo "AHEAD_CNT=$AHEAD_CNT" >> $TMP_SAVE_FILE
-        echo "local=$local" >> $TMP_SAVE_FILE
-        echo "remote=$remote" >> $TMP_SAVE_FILE
+        [ -z "${remote}" ] && continue
+        git show-branch "remotes/${remote}" || continue
+        [ "${local}" != "${CURRENT_BRANCH}" ] && continue
+        BEHIND_CNT="$(git rev-list --right-only --count "${local}...${remote}")"
+        AHEAD_CNT="$(git rev-list --left-only --count "${local}...${remote}")"
+        {
+          echo "BEHIND_CNT=${BEHIND_CNT}"
+          echo "AHEAD_CNT=${AHEAD_CNT}"
+          echo "local=${local}"
+          echo "remote=${remote}"
+        } >> "${TMP_SAVE_FILE}"
         break
     done
-    . $TMP_SAVE_FILE
-    rm $TMP_SAVE_FILE
+    . "${TMP_SAVE_FILE}"
+    rm "${TMP_SAVE_FILE}"
 
     # If should trigger deploy given diff.
-    GIT_CHANGED_FILES="`git diff --name-status $local remotes/$remote`"
+    GIT_CHANGED_FILES="$(git diff --name-status "${local}" "remotes/${remote}")"
     TMP_SCRIPT="/tmp/repo-conditional-trigger"
     # get latest version of script on same branch
-    CURRENT_REMOTE_BRANCH="`git rev-parse --abbrev-ref --symbolic-full-name @{upstream}`"
+    CURRENT_REMOTE_BRANCH="$(git rev-parse --abbrev-ref --symbolic-full-name '@{upstream}')"
     # Default to always trigger if checkout is behind to be backward-compatible and safe.
     CONDITIONAL_TRIGGER_EXIT_CODE=0
-    git show $CURRENT_REMOTE_BRANCH:./autodeploy/conditional-trigger > $TMP_SCRIPT
+    git show "${CURRENT_REMOTE_BRANCH}":./autodeploy/conditional-trigger > "${TMP_SCRIPT}"
     if [ "$?" -eq 0 ]; then
         # Execute script only if it exists, script is optional.
-        chmod a+x $TMP_SCRIPT
-        GIT_CHANGED_FILES="$GIT_CHANGED_FILES" $TMP_SCRIPT
+        chmod a+x "${TMP_SCRIPT}"
+        GIT_CHANGED_FILES="$GIT_CHANGED_FILES" "${TMP_SCRIPT}"
         CONDITIONAL_TRIGGER_EXIT_CODE=$?
     fi
-    rm $TMP_SCRIPT
+    rm "${TMP_SCRIPT}"
 
     # trigger deploy if the behind count is greater than zero and ahead count is
     # less than or equal zero
-    if [ "$BEHIND_CNT" -gt 0 ]; then
-        if [ "$AHEAD_CNT" -le 0 ]; then
-            if [ $CONDITIONAL_TRIGGER_EXIT_CODE -eq 0 ]; then
-                echo "triggerdeploy: repo '$EXTRA_REPO' is behind will trigger deploy"
+    if [ "${BEHIND_CNT}" -gt 0 ]; then
+        if [ "${AHEAD_CNT}" -le 0 ]; then
+            if [ ${CONDITIONAL_TRIGGER_EXIT_CODE} -eq 0 ]; then
+                echo "triggerdeploy: repo '${EXTRA_REPO}' is behind will trigger deploy"
                 return 0
             else
-                echo "triggerdeploy: repo '$EXTRA_REPO' is behind but do not need to trigger deploy, just pull if clean checkout"
+                echo "triggerdeploy: repo '${EXTRA_REPO}' is behind but do not need to trigger deploy, just pull if clean checkout"
                 # pull only if clean checkout to avoid overriding important changes
-                if [ -z "`git status -u --porcelain`" ]; then
+                if [ -z "$(git status -u --porcelain)" ]; then
                     git pull
                 else
-                    echo "triggerdeploy: WARNING: unclean repo '$EXTRA_REPO', unable to pull" 1>&2
+                    echo "triggerdeploy: WARNING: unclean repo '${EXTRA_REPO}', unable to pull" 1>&2
                 fi
                 return 1
             fi
         else
-            echo "triggerdeploy: do nothing, repo '$EXTRA_REPO' is both behind and ahead (divergent), must be a devel repo"
+            echo "triggerdeploy: do nothing, repo '${EXTRA_REPO}' is both behind and ahead (divergent), must be a devel repo"
             return 1
         fi
     else
-        echo "triggerdeploy: repo '$EXTRA_REPO' is up-to-date or ahead, no deploy needed"
+        echo "triggerdeploy: repo '${EXTRA_REPO}' is up-to-date or ahead, no deploy needed"
         return 1
     fi
 }
 
 
-START_TIME="`date -Isecond`"
+START_TIME="$(date -Isecond)"
 echo "==========
-triggerdeploy START_TIME=$START_TIME"
+triggerdeploy START_TIME=${START_TIME}"
 
-. "$COMPOSE_DIR/read-configs.include.sh"
+. "${COMPOSE_DIR}/read-configs.include.sh"
 
 # Read AUTODEPLOY_EXTRA_REPOS
 read_basic_configs_only
@@ -181,40 +185,40 @@ read_basic_configs_only
 set -x
 
 SHOULD_TRIGGER=""
-for adir in $COMPOSE_DIR $AUTODEPLOY_EXTRA_REPOS; do
-    if [ -d "$adir" ]; then
-        cd $adir
+for adir in "${COMPOSE_DIR}" ${AUTODEPLOY_EXTRA_REPOS}; do
+    if [ -d "${adir}" ]; then
+        cd "${adir}" || exit
 
         if should_trigger; then
             SHOULD_TRIGGER=1
             break
         fi
     else
-        echo "WARNING: extra repo '$adir' do not exist"
+        echo "WARNING: extra repo '${adir}' do not exist"
     fi
 done
 
 EXIT_CODE=0
-if [ -n "$SHOULD_TRIGGER" ]; then
-    cd $COMPOSE_DIR
+if [ -n "${SHOULD_TRIGGER}" ]; then
+    cd "${COMPOSE_DIR}" || exit
     TMP_SCRIPT="/tmp/latestdeploy.sh"
     # get latest version of deploy script on same branch
-    CURRENT_REMOTE_BRANCH="`git rev-parse --abbrev-ref --symbolic-full-name @{upstream}`"
-    git show $CURRENT_REMOTE_BRANCH:./deployment/deploy.sh > $TMP_SCRIPT
+    CURRENT_REMOTE_BRANCH="$(git rev-parse --abbrev-ref --symbolic-full-name '@{upstream}')"
+    git show "${CURRENT_REMOTE_BRANCH}":./deployment/deploy.sh > "${TMP_SCRIPT}"
 
-    chmod a+x $TMP_SCRIPT
-    $TMP_SCRIPT $COMPOSE_DIR $ENV_LOCAL_FILE
+    chmod a+x "${TMP_SCRIPT}"
+    $TMP_SCRIPT "${COMPOSE_DIR}" "${ENV_LOCAL_FILE}"
     EXIT_CODE=$?
-    rm $TMP_SCRIPT
+    rm "${TMP_SCRIPT}"
 fi
 
 set +x
 
 echo "
-triggerdeploy finished START_TIME=$START_TIME
-triggerdeploy finished   END_TIME=`date -Isecond`"
+triggerdeploy finished START_TIME=${START_TIME}
+triggerdeploy finished   END_TIME=$(date -Isecond)"
 
-exit $EXIT_CODE
+exit ${EXIT_CODE}
 
 
 # vi: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/birdhouse/env.local.example b/birdhouse/env.local.example
index 5f283dce0..1487ba44c 100644
--- a/birdhouse/env.local.example
+++ b/birdhouse/env.local.example
@@ -4,6 +4,12 @@
 #
 # Do NOT use environment variables in here since when pavics-compose.sh runs
 # inside a container, the environment vars do not have the same value.
+#
+# Any default value that can pose a security concern or that are strongly
+# recommended to be modified should use '__DEFAULT__{var}' definition, and
+# have those default definitions defined in 'default.env'. This will ensure
+# that these example values are flagged by the script if left unmodified
+# (see also: 'check_default_vars' in 'birdhouse/read-configs.include.sh').
 #############################################################################
 
 # Override data persistence root directory
@@ -13,24 +19,23 @@
 # are "shared" between subdirectories). This means that the subdirectory structure is fixed.
 #export DATA_PERSIST_SHARED_ROOT='${DATA_PERSIST_ROOT}' # otherwise use the value from 'default.env', must exist
 
-export SSL_CERTIFICATE="/path/to/ssl/cert.pem"  # *absolute* path to the nginx ssl certificate, path and key bundle
-export PAVICS_FQDN="hostname.domainname" # Fully qualified domain name of this Pavics installation
-export DOC_URL="https://www.example.com/" # URL where /doc gets redirected
-export MAGPIE_SECRET=itzaseekrit
-export MAGPIE_ADMIN_USERNAME=admin
+export SSL_CERTIFICATE="${__DEFAULT__SSL_CERTIFICATE}"  # *absolute* path to the nginx ssl certificate, path and key bundle
+export PAVICS_FQDN="${__DEFAULT__PAVICS_FQDN}" # Fully qualified domain name of this Pavics installation
+export DOC_URL="${__DEFAULT__DOC_URL}" # URL where /doc gets redirected
+export MAGPIE_SECRET="${__DEFAULT__MAGPIE_SECRET}"
+export MAGPIE_ADMIN_USERNAME="${__DEFAULT__MAGPIE_ADMIN_USERNAME}"
 # Magpie now requires a password length of at least 12 characters
 # For initial bootstrap only, change in the Magpie Web UI after initial boostrap.
-export MAGPIE_ADMIN_PASSWORD=qwertyqwerty!
-export TWITCHER_PROTECTED_PATH=/twitcher/ows/proxy
-export SUPPORT_EMAIL=helpdesk@example.com
-export CMIP5_THREDDS_ROOT=birdhouse/CMIP5/CCCMA
-export JUPYTERHUB_ADMIN_USERS="{'admin'}"  # python set syntax
-export POSTGRES_PAVICS_USERNAME=postgres-pavics
-export POSTGRES_PAVICS_PASSWORD=postgres-qwerty
-export POSTGRES_MAGPIE_USERNAME=postgres-magpie
-export POSTGRES_MAGPIE_PASSWORD=postgres-qwerty
-export GEOSERVER_ADMIN_USER=admingeo
-export GEOSERVER_ADMIN_PASSWORD=geoserverpass
+export MAGPIE_ADMIN_PASSWORD="${__DEFAULT__MAGPIE_ADMIN_PASSWORD}"
+export TWITCHER_PROTECTED_PATH="/twitcher/ows/proxy"
+export SUPPORT_EMAIL="${__DEFAULT__SUPPORT_EMAIL}"
+export CMIP5_THREDDS_ROOT="birdhouse/CMIP5/CCCMA"
+export POSTGRES_PAVICS_USERNAME="${__DEFAULT__POSTGRES_PAVICS_USERNAME}"
+export POSTGRES_PAVICS_PASSWORD="${__DEFAULT__POSTGRES_PAVICS_PASSWORD}"
+export POSTGRES_MAGPIE_USERNAME="${__DEFAULT__POSTGRES_MAGPIE_USERNAME}"
+export POSTGRES_MAGPIE_PASSWORD="${__DEFAULT__POSTGRES_MAGPIE_PASSWORD}"
+export GEOSERVER_ADMIN_USER="${__DEFAULT__GEOSERVER_ADMIN_USER}"
+export GEOSERVER_ADMIN_PASSWORD="${__DEFAULT__GEOSERVER_ADMIN_PASSWORD}"
 
 #############################################################################
 # Optional vars
@@ -424,6 +429,12 @@ export GEOSERVER_ADMIN_PASSWORD=geoserverpass
 #c.Spawner.pre_spawn_hook = custom_create_dir_hook
 #"
 
+# Usernames that should be given admin access in jupyterhub
+# By default, only the MAGPIE_ADMIN_USERNAME user is given admin access. Update this variable only if you wish
+# to give additional users admin access by default.
+# Note that you can also give users admin access through the jupyterhub UI.
+#export JUPYTERHUB_ADMIN_USERS='{\"${MAGPIE_ADMIN_USERNAME}\", \"othername\"}'  # python set syntax
+
 # Extra PyWPS config for **all** WPS services (currently only Flyingpigeon, Finch and Raven supported).
 # export EXTRA_PYWPS_CONFIG="
 # [logging]
@@ -576,9 +587,9 @@ export THREDDS_ADDITIONAL_CATALOG=""
 #############################################################################
 # Deprecated vars (for components in the ./deprecated-components directory)
 #############################################################################
-export TOMCAT_NCWMS_PASSWORD=ncwmspass
-export CATALOG_USERNAME=admin-catalog
-export CATALOG_PASSWORD=qwerty
-export CATALOG_THREDDS_SERVICE=thredds
-export PHOENIX_PASSWORD=phoenix_pass
-export PHOENIX_PASSWORD_HASH=sha256:123456789012:1234567890123456789012345678901234567890123456789012345678901234
+export TOMCAT_NCWMS_PASSWORD="${__DEFAULT__TOMCAT_NCWMS_PASSWORD}"
+export CATALOG_USERNAME="${__DEFAULT__CATALOG_USERNAME}"
+export CATALOG_PASSWORD="${__DEFAULT__CATALOG_PASSWORD}"
+export CATALOG_THREDDS_SERVICE="thredds"
+export PHOENIX_PASSWORD="${__DEFAULT__PHOENIX_PASSWORD}"
+export PHOENIX_PASSWORD_HASH="${__DEFAULT__PHOENIX_PASSWORD_HASH}"
diff --git a/birdhouse/pavics-compose.sh b/birdhouse/pavics-compose.sh
index 44636ea51..9d7e47c63 100755
--- a/birdhouse/pavics-compose.sh
+++ b/birdhouse/pavics-compose.sh
@@ -10,10 +10,6 @@
 # * Try to keep the same behavior/code, inside and outside of the
 #   autodeploy container to catch error early with the autodeploy.
 
-YELLOW=$(tput setaf 3)
-RED=$(tput setaf 1)
-NORMAL=$(tput sgr0)
-
 # list of all variables to be substituted in templates
 #   some of these variables *could* employ provided values in 'default.env',
 #   but they must ultimately be defined one way or another for the server to work
@@ -31,83 +27,94 @@ VARS='
 #   when the value provided explicitly, it will be used instead of guessing it by inferred values from other variables
 OPTIONAL_VARS='
   $PAVICS_FQDN_PUBLIC
+  $SSL_CERTIFICATE
   $EXTRA_PYWPS_CONFIG
   $SERVER_NAME
   $SERVER_DESCRIPTION
+  $SERVER_INSTITUTION
+  $SERVER_SUBJECT
+  $SERVER_TAGS
+  $SERVER_DOCUMENTATION_URL
+  $SERVER_RELEASE_NOTES_URL
+  $SERVER_SUPPORT_URL
+  $SERVER_LICENSE_URL
 '
 
 # we switch to the real directory of the script, so it still works when used from $PATH
 # tip: ln -s /path/to/pavics-compose.sh ~/bin/
 # Setup PWD for sourcing env.local.
-cd $(dirname $(readlink -f $0 || realpath $0))
+cd "$(dirname "$(readlink -f "$0" || realpath "$0")")" || exit 1
 
 # Setup COMPOSE_DIR for sourcing env.local.
 # Prevent un-expected difference when this script is run inside autodeploy
 # container and manually from the host.
-COMPOSE_DIR="`pwd`"
+COMPOSE_DIR="$(pwd)"
 
-. "$COMPOSE_DIR/read-configs.include.sh"
+. "${COMPOSE_DIR}/read-configs.include.sh"
 read_configs # this sets ALL_CONF_DIRS
 
-. ./scripts/get-components-json.include.sh
-. ./scripts/get-services-json.include.sh
-. ./scripts/get-version-json.include.sh
+. "${COMPOSE_DIR}/scripts/get-components-json.include.sh"
+. "${COMPOSE_DIR}/scripts/get-services-json.include.sh"
+. "${COMPOSE_DIR}/scripts/get-version-json.include.sh"
 
-for i in ${VARS}
-do
-  v="${i}"
-  if [ -z "`eval "echo ${v}"`" ]
-  then
-    echo "${RED}Error${NORMAL}: Required variable $v is not set. Check env.local file."
-    exit 1
-  fi
-done
+check_required_vars || exit $?
 
 ## check fails when root access is required to access this file.. workaround possible by going through docker daemon... but
 # will add delay
 # if [ ! -f $SSL_CERTIFICATE ]
 # then
-#   echo "Error, SSL certificate file $SSL_CERTIFICATE is missing"
+#   log ERROR "SSL certificate file $SSL_CERTIFICATE is missing"
 #   exit 1
 # fi
 
 TIMEWAIT_REUSE=$(/sbin/sysctl -n  net.ipv4.tcp_tw_reuse)
-if [ ${TIMEWAIT_REUSE} -eq 0 ]
+if [ "${TIMEWAIT_REUSE}" -eq 0 ]
 then
-  echo "${YELLOW}Warning:${NORMAL} the sysctl net.ipv4.tcp_tw_reuse is not enabled"
-  echo "         It it suggested to set it to 1, otherwise the pavicscrawler may fail"
+  log WARN "the sysctl net.ipv4.tcp_tw_reuse is not enabled. " \
+       "It it suggested to set it to 1, otherwise the pavicscrawler may fail."
 fi
 
 export AUTODEPLOY_EXTRA_REPOS_AS_DOCKER_VOLUMES=""
-for adir in $AUTODEPLOY_EXTRA_REPOS; do
+for adir in ${AUTODEPLOY_EXTRA_REPOS}; do
   # 4 spaces in front of '--volume' is important
-  AUTODEPLOY_EXTRA_REPOS_AS_DOCKER_VOLUMES="$AUTODEPLOY_EXTRA_REPOS_AS_DOCKER_VOLUMES
+  AUTODEPLOY_EXTRA_REPOS_AS_DOCKER_VOLUMES="${AUTODEPLOY_EXTRA_REPOS_AS_DOCKER_VOLUMES}
     --volume ${adir}:${adir}:rw"
 done
 export AUTODEPLOY_EXTRA_REPOS_AS_DOCKER_VOLUMES
 
 # we apply all the templates
-find $ALL_CONF_DIRS -name '*.template' |
+find ${ALL_CONF_DIRS} -name '*.template' 2>/dev/null |
   while read FILE
   do
     DEST=${FILE%.template}
-    cat ${FILE} | envsubst "$VARS" | envsubst "$OPTIONAL_VARS" > ${DEST}
+    cat "${FILE}" | envsubst "$VARS" | envsubst "$OPTIONAL_VARS" > "${DEST}"
   done
 
+SHELL_EXEC_FLAGS=
+if [ "${BIRDHOUSE_LOG_LEVEL}" = "DEBUG" ]; then
+  SHELL_EXEC_FLAGS=-x
+fi
+
+create_compose_conf_list # this sets COMPOSE_CONF_LIST
+log INFO "Displaying resolved compose configurations:"
+echo "COMPOSE_CONF_LIST="
+echo ${COMPOSE_CONF_LIST} | tr ' ' '\n' | grep -v '^-f'
+
+if [ x"$1" = x"info" ]; then
+  log INFO "Stopping before execution of docker-compose command."
+  exit 0
+fi
+
 if [ x"$1" = x"up" ]; then
   for adir in $ALL_CONF_DIRS; do
     COMPONENT_PRE_COMPOSE_UP="$adir/pre-docker-compose-up"
     if [ -x "$COMPONENT_PRE_COMPOSE_UP" ]; then
-      echo "executing '$COMPONENT_PRE_COMPOSE_UP'"
-      sh -x "$COMPONENT_PRE_COMPOSE_UP"
+      log INFO "Executing '$COMPONENT_PRE_COMPOSE_UP'"
+      sh ${SHELL_EXEC_FLAGS} "$COMPONENT_PRE_COMPOSE_UP"
     fi
   done
 fi
 
-create_compose_conf_list # this sets COMPOSE_CONF_LIST
-echo "COMPOSE_CONF_LIST="
-echo ${COMPOSE_CONF_LIST} | tr ' ' '\n' | grep -v '^-f'
-
 # the PROXY_SECURE_PORT is a little trick to make the compose file invalid without the usage of this wrapper script
 PROXY_SECURE_PORT=443 HOSTNAME=${PAVICS_FQDN} docker-compose ${COMPOSE_CONF_LIST} $*
 ERR=$?
@@ -116,7 +123,7 @@ ERR=$?
 type post-compose 2>&1 | grep 'post-compose is a function' > /dev/null
 if [ $? -eq 0 ]
 then
-  [ ${ERR} -gt 0 ] && { echo "Error occurred with docker-compose, not running post-compose"; exit $?; }
+  [ ${ERR} -gt 0 ] && { log ERROR "Error occurred with docker-compose, not running post-compose"; exit $?; }
   post-compose $*
 fi
 
@@ -137,8 +144,8 @@ do
     for adir in $ALL_CONF_DIRS; do
       COMPONENT_POST_COMPOSE_UP="$adir/post-docker-compose-up"
       if [ -x "$COMPONENT_POST_COMPOSE_UP" ]; then
-        echo "executing '$COMPONENT_POST_COMPOSE_UP'"
-        sh -x "$COMPONENT_POST_COMPOSE_UP"
+        log INFO "Executing '$COMPONENT_POST_COMPOSE_UP'"
+        sh ${SHELL_EXEC_FLAGS} "$COMPONENT_POST_COMPOSE_UP"
       fi
     done
 
diff --git a/birdhouse/read-configs.include.sh b/birdhouse/read-configs.include.sh
index 6e9c56007..dd6a05bbc 100644
--- a/birdhouse/read-configs.include.sh
+++ b/birdhouse/read-configs.include.sh
@@ -16,7 +16,7 @@
 #
 #  # Source the script providing function read_configs.
 #  # read_configs uses COMPOSE_DIR to find default.env and env.local.
-#  . $COMPOSE_DIR/read-configs.include.sh
+#  . ${COMPOSE_DIR}/read-configs.include.sh
 #
 #  # Call function read_configs to read the various config files in the
 #  # appropriate order and process delayed eval vars properly.
@@ -24,11 +24,12 @@
 
 
 # Derive COMPOSE_DIR from the most probable locations.
-# This is NOT meant to be exhautive.
+# This is NOT meant to be exhaustive.
 # Assume the checkout is named "birdhouse-deploy", which might NOT be true.
 # Caller of this file can simply set COMPOSE_DIR itself, this is the safest way.
+# WARNING: cannot use 'log' calls within this function until the following logging script gets resolved and sourced.
 discover_compose_dir() {
-    if [ -z "$COMPOSE_DIR" ] || [ ! -e "$COMPOSE_DIR" ]; then
+    if [ -z "${COMPOSE_DIR}" ] || [ ! -e "${COMPOSE_DIR}" ]; then
         if [ -f "./pavics-compose.sh" ]; then
             # Current dir is COMPOSE_DIR
             COMPOSE_DIR="$(realpath .)"
@@ -55,34 +56,48 @@ discover_compose_dir() {
             # Case of sub-subdir of sibling checkout at same level as birdhouse-deploy.
             COMPOSE_DIR="$(realpath "../../../birdhouse-deploy/birdhouse")"
         fi
-        echo "$COMPOSE_DIR"
         export COMPOSE_DIR
     fi
+    # Perform last-chance validation in case 'COMPOSE_DIR' was incorrectly set explicitly
+    # and that 'read-configs.include.sh' was sourced directly from an invalid location.
+    if [ ! -f "${COMPOSE_DIR}/pavics-compose.sh" ]; then
+        echo \
+          "CRITICAL: [${COMPOSE_DIR}/pavics-compose.sh] not found," \
+          "please set variable 'COMPOSE_DIR' to a valid location." \
+          "Many features depend on this variable." 1>&2
+        return 2
+    fi
 }
 
 
+# error out appropriately without closing shell according to 'sh <script>' or '. <script>' call
+discover_compose_dir || return $? 2>/dev/null || exit $?
+. "${COMPOSE_DIR}/scripts/logging.include.sh"
+log INFO "Resolved docker-compose directory: [${COMPOSE_DIR}]"
+
+
 discover_env_local() {
-    if [ -z "$BIRDHOUSE_LOCAL_ENV" ]; then
-        BIRDHOUSE_LOCAL_ENV="$COMPOSE_DIR/env.local"
+    if [ -z "${BIRDHOUSE_LOCAL_ENV}" ]; then
+        BIRDHOUSE_LOCAL_ENV="${COMPOSE_DIR}/env.local"
     fi
 
     # env.local can be a symlink to the private config repo where the real
     # env.local file is source controlled.
     # Docker volume-mount will need the real dir of the file for symlink to
     # resolve inside the container.
-    BIRDHOUSE_LOCAL_ENV_REAL_PATH="$(realpath "$BIRDHOUSE_LOCAL_ENV")"
-    BIRDHOUSE_LOCAL_ENV_REAL_DIR="$(dirname "$BIRDHOUSE_LOCAL_ENV_REAL_PATH")"
+    BIRDHOUSE_LOCAL_ENV_REAL_PATH="$(realpath "${BIRDHOUSE_LOCAL_ENV}")"
+    BIRDHOUSE_LOCAL_ENV_REAL_DIR="$(dirname "${BIRDHOUSE_LOCAL_ENV}_REAL_PATH")"
 }
 
 
 read_default_env() {
-    if [ -e "$COMPOSE_DIR/default.env" ]; then
+    if [ -e "${COMPOSE_DIR}/default.env" ]; then
         # Ensure DELAYED_EVAL is properly initialized before being appended to.
         DELAYED_EVAL=''
 
-        . "$COMPOSE_DIR/default.env"
+        . "${COMPOSE_DIR}/default.env"
     else
-        echo "WARNING: '$COMPOSE_DIR/default.env' not found" 1>&2
+        log WARN "'${COMPOSE_DIR}/default.env' not found" 1>&2
     fi
 }
 
@@ -90,19 +105,19 @@ read_default_env() {
 read_env_local() {
     # we don't use usual .env filename, because docker-compose uses it
 
-    echo "Using local environment file at: ${BIRDHOUSE_LOCAL_ENV}"
+    log INFO "Using local environment file at: ${BIRDHOUSE_LOCAL_ENV}"
 
-    if [ -e "$BIRDHOUSE_LOCAL_ENV" ]; then
+    if [ -e "${BIRDHOUSE_LOCAL_ENV}" ]; then
         saved_shell_options="$(set +o)"
         set +xv  # hide passwd in env.local in logs
 
-        . "$BIRDHOUSE_LOCAL_ENV"
+        . "${BIRDHOUSE_LOCAL_ENV}"
 
         # restore saved shell options
-        eval "$saved_shell_options"
+        eval "${saved_shell_options}"
 
     else
-        echo "WARNING: '$BIRDHOUSE_LOCAL_ENV' not found" 1>&2
+        log WARN "'${BIRDHOUSE_LOCAL_ENV}' not found" 1>&2
     fi
 
 }
@@ -115,13 +130,13 @@ source_conf_files() {
   dirs=$1
   conf_locations=$2
   for adir in ${dirs}; do
-      if echo "$ALL_CONF_DIRS" | grep -qE "^\s*$adir\s*$"; then
+      if echo "${ALL_CONF_DIRS}" | grep -qE "^\s*${adir}\s*$"; then
           # ignore directories that are already in ALL_CONF_DIRS
           continue
       fi
       # push current adir onto the stack (this helps keep track of current adir when recursing)
-      _adir_stack="$_adir_stack\n$adir"
-      if [ ! -e "$adir" ]; then
+      _adir_stack="${_adir_stack}\n${adir}"
+      if [ ! -e "${adir}" ]; then
           # Do not exit to not break unattended autodeploy since no human around to
           # fix immediately.
           # The new adir with typo will not be active but at least all the existing
@@ -134,30 +149,30 @@ source_conf_files() {
           # corresponding PR are merged and old component names can be removed
           # after the corresponding PR are merge without any impact on the
           # autodeploy process.
-          echo "WARNING: '$adir' in $conf_locations does not exist" 1>&2
+          log WARN "'${adir}' in ${conf_locations} does not exist" 1>&2
       fi
-      if [ -f "$adir/default.env" ]; then
+      if [ -f "${adir}/default.env" ]; then
           # Source config settings of dependencies first if they haven't been sourced previously.
           # Note that this will also define the order that docker-compose-extra.yml files will be loaded.
           unset COMPONENT_DEPENDENCIES
-          dependencies="$(. "$adir/default.env" && echo "$COMPONENT_DEPENDENCIES")"
-          if [ -n "$dependencies" ]; then
-            source_conf_files "$dependencies" "a dependency of $adir"
+          dependencies="$(. "${adir}/default.env" && echo "${COMPONENT_DEPENDENCIES}")"
+          if [ -n "${dependencies}" ]; then
+            source_conf_files "${dependencies}" "a dependency of ${adir}"
             # reset the adir variable in case it was changed in a recursive call
-            adir="$(printf '%b' "$_adir_stack" | tail -1)"
+            adir="$(printf '%b' "${_adir_stack}" | tail -1)"
           fi
-          echo "reading '$adir/default.env'"
-          . "$adir/default.env"
+          log DEBUG "reading '${adir}/default.env'"
+          . "${adir}/default.env"
       fi
-      if echo "$ALL_CONF_DIRS" | grep -qE "^\s*$adir\s*$"; then
+      if echo "${ALL_CONF_DIRS}" | grep -qE "^\s*${adir}\s*$"; then
           # check again in case a dependency has already added this to the ALL_CONF_DIRS variable
           continue
       fi
-      ALL_CONF_DIRS="$ALL_CONF_DIRS
-        $adir
+      ALL_CONF_DIRS="${ALL_CONF_DIRS}
+        ${adir}
       "
       # pop current adir from the stack once we're done with it
-      _adir_stack="$(printf '%b' "$_adir_stack" | sed '$d')"
+      _adir_stack="$(printf '%b' "${_adir_stack}" | sed '$d')"
   done
 }
 
@@ -165,35 +180,94 @@ read_components_default_env() {
     # EXTRA_CONF_DIRS and DEFAULT_CONF_DIRS normally set by env.local so should read_env_local() first.
 
     # EXTRA_CONF_DIRS and DEFAULT_CONF_DIRS relative paths are relative to COMPOSE_DIR.
-    if [ -d "$COMPOSE_DIR" ]; then
-        cd "$COMPOSE_DIR"
+    if [ -d "${COMPOSE_DIR}" ]; then
+        cd "${COMPOSE_DIR}" >/dev/null || true
     fi
 
-    source_conf_files "$DEFAULT_CONF_DIRS" 'DEFAULT_CONF_DIRS'
-    source_conf_files "$EXTRA_CONF_DIRS" 'EXTRA_CONF_DIRS'
+    source_conf_files "${DEFAULT_CONF_DIRS}" 'DEFAULT_CONF_DIRS'
+    source_conf_files "${EXTRA_CONF_DIRS}" 'EXTRA_CONF_DIRS'
 
     # Return to previous pwd.
-    if [ -d "$COMPOSE_DIR" ]; then
-        cd -
+    if [ -d "${COMPOSE_DIR}" ]; then
+        cd - >/dev/null || true
     fi
 }
 
 
+# Check that all optional variables are defined with a different value than the default to emit a warning log message.
+# Also check that required variables do not use generic defaults to indicate possible security issues.
+check_default_vars() {
+    # For required variables, do not check for omitted override,
+    # since those will be flagged as error anyway (see 'check_required_vars').
+    # Only indicate if there is a possible security concern.
+    # Note that the defaults of required variables are not actually set in those variables, but
+    # are listed in 'env.local.example', hence why they pose a possible security concern.
+    # (ie: __DEFAULT__MAGPIE_ADMIN_PASSWORD exists, but MAGPIE_ADMIN_PASSWORD is not set, must have explicit override)
+    for i in ${VARS}
+    do
+      n="${i#\$}"
+      v=`eval echo "${i}" 2>/dev/null`
+      default="\${__DEFAULT__${n}}"
+      d=`eval echo "${default}" 2>/dev/null`
+      if [ ! -z "${d}" ]; then
+          if [ "${d}" = "${v}" ]; then
+              log WARN \
+                "Required variable [${n}] employs a default recommended for override." \
+                "The security of your deployment may be compromised unless it is changed. Check env.local file."
+          fi
+      fi
+    done
+
+    # for optional variables, warn about possibility omitted override or when defaults are employed
+    for i in ${OPTIONAL_VARS}
+    do
+        v="${i}"
+        d=`eval echo "$v"`
+        n="${i#\$}"
+        default="\${__DEFAULT__${n}}"
+        result=`echo "${d}" | grep -c "${default}"`
+        if [ -z "`eval "echo ${v}"`" ]
+        then
+            log WARN "Optional variable [${n}] is not set. Check env.local file."
+        fi
+        if [ "${result}" -gt 0 ]
+        then
+            log WARN "Optional variable [${n}] employs a default recommended for override. Check env.local file."
+        fi
+    done
+}
+
+
+# Verify that all required variables are set, and error out otherwise with an error log message.
+check_required_vars() {
+    for i in ${VARS}
+    do
+        v="${i}"
+        if [ -z "`eval "echo ${v}"`" ]
+        then
+            log ERROR "Required variable $v is not set. Check env.local file."
+            return 1
+        fi
+    done
+}
+
+
 # All scripts sourcing default.env and env.local and needing to use any vars
 # in DELAYED_EVAL list need to call this function to actually resolve the
 # value of each var in DELAYED_EVAL list.
 process_delayed_eval() {
     ALREADY_EVALED=''
     for i in ${DELAYED_EVAL}; do
-        if echo "$ALREADY_EVALED" | grep -qE "^\s*$i\s*$"; then
+        if echo "${ALREADY_EVALED}" | grep -qE "^\s*$i\s*$"; then
           # only eval each variable once (in case it was added to the list multiple times)
           continue
         fi
         v="`eval "echo \\$${i}"`"
-        eval 'export ${i}="`eval "echo ${v}"`"'
-        echo "delayed eval '$(env |grep "${i}=")'"
+        value=`eval "echo \"${v}\""`
+        eval 'export ${i}="${value}"'
+        log DEBUG "delayed eval '$(env | grep -e "^${i}=")'"
         ALREADY_EVALED="
-          $ALREADY_EVALED
+          ${ALREADY_EVALED}
           $i"
     done
 }
@@ -213,32 +287,33 @@ process_delayed_eval() {
 create_compose_conf_list() {
   # ALL_CONF_DIRS relative paths are relative to COMPOSE_DIR.
   discover_compose_dir
-  if [ -d "$COMPOSE_DIR" ]; then
-      cd "$COMPOSE_DIR" || return
+  if [ -d "${COMPOSE_DIR}" ]; then
+      log INFO "Found compose directory [${COMPOSE_DIR}]"
+      cd "${COMPOSE_DIR}" || return
   fi
 
   COMPOSE_CONF_LIST="-f docker-compose.yml"
   COMPONENT_OVERRIDES=''
   LOADED_COMPONENTS=''
-  for adir in $ALL_CONF_DIRS; do
-    service_name=$(basename "$adir")
+  for adir in ${ALL_CONF_DIRS}; do
+    service_name=$(basename "${adir}")
     LOADED_COMPONENTS="${LOADED_COMPONENTS}\n${service_name}"
 
-    if [ -f "$adir/docker-compose-extra.yml" ]; then
-      COMPOSE_CONF_LIST="${COMPOSE_CONF_LIST} -f $adir/docker-compose-extra.yml"
+    if [ -f "${adir}/docker-compose-extra.yml" ]; then
+      COMPOSE_CONF_LIST="${COMPOSE_CONF_LIST} -f ${adir}/docker-compose-extra.yml"
     fi
 
     # If previously loaded components specified overrides for the component that was just loaded, load those overrides now
-    previous_overrides=$(printf '%b' "${COMPONENT_OVERRIDES}" | grep "^$service_name " | sed "s/^${service_name}//g" | tr '\n' ' ')
+    previous_overrides=$(printf '%b' "${COMPONENT_OVERRIDES}" | grep "^${service_name} " | sed "s/^${service_name}//g" | tr '\n' ' ')
     COMPOSE_CONF_LIST="${COMPOSE_CONF_LIST} ${previous_overrides}"
     # Load overrides for other components unless the component to be overridden hasn't been loaded yet. If the component
     # hasn't been loaded yet, store a reference to it so that it can be added in as soon as the component is loaded.
-    for conf_dir in "$adir"/config/*; do
-      override_service_name=$(basename "$conf_dir")
-      extra_compose="$conf_dir/docker-compose-extra.yml"
-      if [ -f "$extra_compose" ]; then
-        if printf '%b' "${LOADED_COMPONENTS}" | grep -q "^$override_service_name$"; then
-          COMPOSE_CONF_LIST="${COMPOSE_CONF_LIST} -f $extra_compose"
+    for conf_dir in "${adir}"/config/*; do
+      override_service_name=$(basename "${conf_dir}")
+      extra_compose="${conf_dir}/docker-compose-extra.yml"
+      if [ -f "${extra_compose}" ]; then
+        if printf '%b' "${LOADED_COMPONENTS}" | grep -q "^${override_service_name}$"; then
+          COMPOSE_CONF_LIST="${COMPOSE_CONF_LIST} -f ${extra_compose}"
         else
           COMPONENT_OVERRIDES="${COMPONENT_OVERRIDES}\n${override_service_name} -f ${extra_compose}"
         fi
@@ -247,8 +322,9 @@ create_compose_conf_list() {
   done
 
     # Return to previous pwd.
-  if [ -d "$COMPOSE_DIR" ]; then
-      cd - || return
+  if [ -d "${COMPOSE_DIR}" ]; then
+      log INFO "Moving to [${COMPOSE_DIR}]"
+      cd - >/dev/null || return
   fi
 }
 
@@ -262,6 +338,7 @@ read_configs() {
     read_env_local  # for EXTRA_CONF_DIRS and DEFAULT_CONF_DIRS, need discover_env_local
     read_components_default_env  # uses EXTRA_CONF_DIRS and DEFAULT_CONF_DIRS, sets ALL_CONF_DIRS
     read_env_local  # again to override components default.env, need discover_env_local
+    check_default_vars
     process_delayed_eval
 }
 
@@ -274,5 +351,6 @@ read_basic_configs_only() {
     discover_env_local
     read_default_env
     read_env_local  # need discover_env_local
+    check_default_vars
     process_delayed_eval
 }
diff --git a/birdhouse/scripts/backup-datavolume.sh b/birdhouse/scripts/backup-datavolume.sh
index 923fdf745..8831837be 100755
--- a/birdhouse/scripts/backup-datavolume.sh
+++ b/birdhouse/scripts/backup-datavolume.sh
@@ -5,11 +5,11 @@ DATA_VOL_NAME="$1"; shift
 BACKUP_OUT_DIR="$1"; shift
 
 docker run --rm \
-  --name backup_data_vol_$DATA_VOL_NAME \
+  --name "backup_data_vol_${DATA_VOL_NAME}" \
   -u root \
-  -v $BACKUP_OUT_DIR:/backups \
-  -v $DATA_VOL_NAME:/data_vol_to_backup:ro \
+  -v "${BACKUP_OUT_DIR}":/backups \
+  -v "${DATA_VOL_NAME}":/data_vol_to_backup:ro \
   bash:5.1.4 \
-  tar czvf /backups/$DATA_VOL_NAME.tgz -C /data_vol_to_backup .
+  tar czvf "/backups/${DATA_VOL_NAME}.tgz" -C /data_vol_to_backup .
 
 # vi: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/birdhouse/scripts/backup-jupyterhub-notebooks.sh b/birdhouse/scripts/backup-jupyterhub-notebooks.sh
index 7e86b8877..b7805afe4 100755
--- a/birdhouse/scripts/backup-jupyterhub-notebooks.sh
+++ b/birdhouse/scripts/backup-jupyterhub-notebooks.sh
@@ -1,19 +1,19 @@
 #!/bin/sh -x
 # Backup to /tmp/jupyterhub_user_persistence.tgz with default values.
 
-if [ -z "$BACKUP_OUT_DIR" ]; then
+if [ -z "${BACKUP_OUT_DIR}" ]; then
     BACKUP_OUT_DIR=/tmp
 fi
 
 if [ -z "$JUPYTERHUB_USER_DATA_DIR" ]; then
-    JUPYTERHUB_USER_DATA_DIR=${DATA_PERSIST_ROOT:-/data}/jupyterhub_user_data
+    JUPYTERHUB_USER_DATA_DIR="${DATA_PERSIST_ROOT:-/data}/jupyterhub_user_data"
 fi
 
 docker run --rm \
   --name backup_jupyterhub_data \
   -u root \
-  -v "$BACKUP_OUT_DIR":/backups \
-  -v "$JUPYTERHUB_USER_DATA_DIR":/data_vol_to_backup:ro \
+  -v "${BACKUP_OUT_DIR}":/backups \
+  -v "${JUPYTERHUB_USER_DATA_DIR}":/data_vol_to_backup:ro \
   bash:5.1.4 \
   tar czvf /backups/jupyterhub_user_data.tgz -C /data_vol_to_backup .
 
diff --git a/birdhouse/scripts/bootstrap-instance-for-testsuite b/birdhouse/scripts/bootstrap-instance-for-testsuite
index dac2acdbb..7715488ad 100755
--- a/birdhouse/scripts/bootstrap-instance-for-testsuite
+++ b/birdhouse/scripts/bootstrap-instance-for-testsuite
@@ -9,21 +9,23 @@
 # been called).
 #
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
+SCRIPTS_DIR="${COMPOSE_DIR}/scripts"
 
 set -x
 # Populate test .nc file on Thredds.
 # Need to open temporary Thredds "testdata/secure/" on PAVICS production to anonymous group.
 # Need write-access to DATASET_ROOT (/data/datasets/).
-$THIS_DIR/bootstrap-testdata
+"${SCRIPTS_DIR}/bootstrap-testdata"
 
 if [ -n "$(docker ps --filter name=solr)" ]; then
   # Index Thredds catalog.
   # Need to open temporary Thredds "testdata/secure/" on local PAVICS host to anonymous group.
   # Only crawl the subset enough to pass canarie-api monitoring
   # see config/canarie-api/docker_configuration.py.template
-  $THIS_DIR/trigger-pavicscrawler target_files=birdhouse/testdata/flyingpigeon/cmip5
+  "${SCRIPTS_DIR}/trigger-pavicscrawler" target_files=birdhouse/testdata/flyingpigeon/cmip5
 
   # For crawler to complete, assuming minimal dataset from bootstrap-testdata so
   # should be super fast to finish crawling.
@@ -32,7 +34,7 @@ fi
 
 # Create test user.
 # Need "optional-components/secure-thredds" activated to pre-create group thredds-secure-authtest-group.
-$THIS_DIR/create-magpie-authtest-user
+"${SCRIPTS_DIR}/create-magpie-authtest-user"
 
-# Check if instance properly provisionned for testsuite.
-$THIS_DIR/check-instance-ready
+# Check if instance properly provisioned for testsuite.
+"${SCRIPTS_DIR}/check-instance-ready"
diff --git a/birdhouse/scripts/bootstrap-testdata b/birdhouse/scripts/bootstrap-testdata
index 4a10fb437..63168d61f 100755
--- a/birdhouse/scripts/bootstrap-testdata
+++ b/birdhouse/scripts/bootstrap-testdata
@@ -10,7 +10,7 @@
 # Need write-access to DATASET_ROOT (/data/datasets/).
 
 
-if [ -z "$DATASET_ROOT" ]; then
+if [ -z "${DATASET_ROOT}" ]; then
     DATASET_ROOT="${DATA_PERSIST_ROOT}/${THREDDS_SERVICE_DATA_LOCATION_ON_HOST}"
 fi
 
@@ -31,14 +31,14 @@ cccma/CanESM2/historical/fx/atmos/r0i0p0/sftlf/sftlf_fx_CanESM2_historical_r0i0p
 testdata/xclim/NRCANdaily/nrcan_canada_daily_tasmin_1990.nc
 "
 
-cd "$DATASET_ROOT"
+cd "${DATASET_ROOT}" || exit 1
 
-for afile in $FILE_LIST; do
-    if [ ! -f "$afile" ]; then
-        PARENT_DIRS="`dirname "$afile"`"
-        if [ ! -d "$PARENT_DIRS" ]; then
-            mkdir -p "$PARENT_DIRS"
+for afile in ${FILE_LIST}; do
+    if [ ! -f "${afile}" ]; then
+        PARENT_DIRS="$(dirname "${afile}")"
+        if [ ! -d "${PARENT_DIRS}" ]; then
+            mkdir -p "${PARENT_DIRS}"
         fi
-        curl "$FROM_SERVER/$afile" --output "$afile"
+        curl "${FROM_SERVER}/${afile}" --output "${afile}"
     fi
 done
diff --git a/birdhouse/scripts/check-autodeploy-repos b/birdhouse/scripts/check-autodeploy-repos
index 3df3fbc9d..3e623936b 100755
--- a/birdhouse/scripts/check-autodeploy-repos
+++ b/birdhouse/scripts/check-autodeploy-repos
@@ -2,20 +2,20 @@
 # Check Autodeploy repos status.
 # If there are changes or uncommitted, autodeploy will not trigger.
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="`dirname "$THIS_DIR"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
-if [ -f "$COMPOSE_DIR/read-configs.include.sh" ]; then
-    . "$COMPOSE_DIR/read-configs.include.sh"
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
 
     # Get AUTODEPLOY_EXTRA_REPOS
     read_configs
 fi
 
-for r in $COMPOSE_DIR $AUTODEPLOY_EXTRA_REPOS; do
+for r in "${COMPOSE_DIR}" ${AUTODEPLOY_EXTRA_REPOS}; do
     echo "=== $r"
-    cd $r
+    cd "$r"
     git status -v
     cd -
 done
diff --git a/birdhouse/scripts/check-instance-ready b/birdhouse/scripts/check-instance-ready
index 287a66940..6e1ceaee0 100755
--- a/birdhouse/scripts/check-instance-ready
+++ b/birdhouse/scripts/check-instance-ready
@@ -7,19 +7,19 @@
 # also enabled.
 #
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="`dirname "$THIS_DIR"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
-if [ -f "$COMPOSE_DIR/read-configs.include.sh" ]; then
-    . "$COMPOSE_DIR/read-configs.include.sh"
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
 
     # Get PAVICS_FQDN
     read_configs
 fi
 
 set -x
-curl --include --silent https://$PAVICS_FQDN/canarie/node/service/stats | head
+curl --include --silent "https://${PAVICS_FQDN}/canarie/node/service/stats" | head
 
 set +x
 echo "
@@ -27,11 +27,13 @@ The curl above should return the HTTP response code 200 to confirm instance is r
 "
 set -x
 
-HTTP_RESPONSE_CODE="`curl --write-out '%{http_code}' --output /dev/null --silent https://$PAVICS_FQDN/canarie/node/service/stats`"
-if [ $HTTP_RESPONSE_CODE -ne 200 ]; then
+HTTP_RESPONSE_CODE="$( \
+  curl --write-out '%{http_code}' --output /dev/null --silent "https://${PAVICS_FQDN}/canarie/node/service/stats" \
+)"
+if [ "${HTTP_RESPONSE_CODE}" -ne 200 ]; then
     set +x
     echo "
-HTTP response code received: $HTTP_RESPONSE_CODE (expected 200).
+HTTP response code received: ${HTTP_RESPONSE_CODE} (expected 200).
 
 Will sleep for about 1 minute and try again since the canarie-api refresh every minute.
 
@@ -39,5 +41,5 @@ Will retry only once more and exit immediately.
 "
 set -x
     sleep 65
-    curl --include --silent https://$PAVICS_FQDN/canarie/node/service/stats | head
+    curl --include --silent "https://${PAVICS_FQDN}/canarie/node/service/stats" | head
 fi
diff --git a/birdhouse/scripts/check-wps-database.sh b/birdhouse/scripts/check-wps-database.sh
index a04869d6d..1ce002b22 100755
--- a/birdhouse/scripts/check-wps-database.sh
+++ b/birdhouse/scripts/check-wps-database.sh
@@ -1,5 +1,12 @@
 #!/bin/bash
 
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
+
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
+fi
 
 function usage(){
   cat <<EOF
@@ -60,7 +67,7 @@ case $2 in
     docker run -ti --rm -v birdhouse_data:/data  birdhouse/bird-base sqlite3 $DB
     ;;
   *)
-    echo "Error, unknown operation: $2"
+    log ERROR "unknown operation: $2"
     usage
     ;;
 esac
diff --git a/birdhouse/scripts/clear-running-wps-jobs-in-db.sh b/birdhouse/scripts/clear-running-wps-jobs-in-db.sh
index ef57a1058..d0ae56177 100755
--- a/birdhouse/scripts/clear-running-wps-jobs-in-db.sh
+++ b/birdhouse/scripts/clear-running-wps-jobs-in-db.sh
@@ -1,9 +1,17 @@
 #!/bin/sh
 
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
+
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
+fi
+
 # eg: DB_NAME=finch
 DB_NAME="$1"
 if [ -z "$DB_NAME" ]; then
-    echo "ERROR: please provide a database name, ex: finch" 1>&2
+    log ERROR "please provide a database name, ex: finch" 1>&2
     exit 2
 fi
 shift
@@ -20,15 +28,19 @@ if [ -z "$POSTGRES_CONTAINER_NAME" ]; then
 fi
 
 set -x
-docker exec $POSTGRES_CONTAINER_NAME psql -U $POSTGRES_USER $DB_NAME -c "select * from pywps_requests where percent_done > -1 and percent_done < 100.0;"
+docker exec "${POSTGRES_CONTAINER_NAME}" psql \
+  -U "${POSTGRES_USER}" \
+  "${DB_NAME}" \
+  -c "select * from pywps_requests where percent_done > -1 and percent_done < 100.0;"
 
 set +x
-echo "
-WARNING: this will crash all the above requests if currently still processing
-
-Clear those jobs? (Ctrl-C to cancel, any keys to continue)"
-
-read a
+log WARN \
+  "This will crash all the above requests if currently still processing.\n" \
+  "Clear those jobs? (Ctrl-C to cancel, any keys to continue)"
+read -r
 
 set -x
-docker exec $POSTGRES_CONTAINER_NAME psql -U $POSTGRES_USER $DB_NAME -c "delete from pywps_requests where percent_done > -1 and percent_done < 100.0;"
+docker exec "${POSTGRES_CONTAINER_NAME}" psql \
+  -U "${POSTGRES_USER}" \
+  "${DB_NAME}" \
+  -c "delete from pywps_requests where percent_done > -1 and percent_done < 100.0;"
diff --git a/birdhouse/scripts/create-magpie-authtest-user b/birdhouse/scripts/create-magpie-authtest-user
index 231d5da96..e7c0700c5 100755
--- a/birdhouse/scripts/create-magpie-authtest-user
+++ b/birdhouse/scripts/create-magpie-authtest-user
@@ -7,8 +7,9 @@
 # Options:
 #   -d: delete user 'authtest' instead of creating it
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
 TMP_CONFIG_FILE="/tmp/create-magpie-authtest-user.yml"
 
@@ -16,7 +17,7 @@ TMP_CONFIG_FILE="/tmp/create-magpie-authtest-user.yml"
 # Those permissions are defined in 'optional-components/secure-thredds/secure-access-magpie-permission.cfg'
 # which should also be included in 'EXTRA_CONF_DIRS' of your custom 'env.local' file.
 # This user is also automatically added to 'anonymous' group without the need of explicit membership here.
-cat <<__OEF__ > $TMP_CONFIG_FILE
+cat <<__OEF__ > "${TMP_CONFIG_FILE}"
 users:
    - username: authtest
      password: authtest1234
@@ -25,6 +26,6 @@ users:
 __OEF__
 
 set -x
-cat $TMP_CONFIG_FILE
-MAGPIE_CLI_CONF="$TMP_CONFIG_FILE" $THIS_DIR/create-magpie-users "$@"
-rm -v $TMP_CONFIG_FILE
+cat "${TMP_CONFIG_FILE}"
+MAGPIE_CLI_CONF="${TMP_CONFIG_FILE}" "${COMPOSE_DIR}/scripts/create-magpie-users" "$@"
+rm -v "${TMP_CONFIG_FILE}"
diff --git a/birdhouse/scripts/create-magpie-users b/birdhouse/scripts/create-magpie-users
index 1ca000a46..1584eab89 100755
--- a/birdhouse/scripts/create-magpie-users
+++ b/birdhouse/scripts/create-magpie-users
@@ -65,15 +65,12 @@
 # bogus03      bvNWVWCQi8M6     409 : User name matches an already existing user name.
 #
 
-RED=$(tput setaf 1)
-NORMAL=$(tput sgr0)
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="`dirname "$THIS_DIR"`"
-
-if [ -f "$COMPOSE_DIR/read-configs.include.sh" ]; then
-    . "$COMPOSE_DIR/read-configs.include.sh"
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
 
     # Get MAGPIE_VERSION, PAVICS_FQDN, MAGPIE_ADMIN_PASSWORD, MAGPIE_ADMIN_USERNAME
     read_configs
@@ -105,7 +102,7 @@ fi
 if [ -z "$MAGPIE_CLI_IMAGE" ]; then
     # MAGPIE_VERSION must be provided by 'default.env', 'env.local' or directly
     if [ -z "${MAGPIE_VERSION}" ]; then
-        echo "${RED}Error${NORMAL}: Required MAGPIE_VERSION is undefined or empty."
+        log ERROR "Required MAGPIE_VERSION is undefined or empty."
         exit 1
     fi
     MAGPIE_CLI_IMAGE="pavics/magpie:${MAGPIE_VERSION}"
diff --git a/birdhouse/scripts/deprecated/trigger-pavicscrawler b/birdhouse/scripts/deprecated/trigger-pavicscrawler
index e9f883043..13b19cf95 100755
--- a/birdhouse/scripts/deprecated/trigger-pavicscrawler
+++ b/birdhouse/scripts/deprecated/trigger-pavicscrawler
@@ -14,20 +14,20 @@
 #
 # Set env var PAVICS_CRAWLER_HOST to target different PAVICS host.
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="`dirname "$THIS_DIR"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
-if [ -f "$COMPOSE_DIR/read-configs.include.sh" ]; then
-    . "$COMPOSE_DIR/read-configs.include.sh"
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
 
     # Get PAVICS_FQDN
     read_configs
 fi
 
 # Allow override using same name env var.
-if [ -z "$PAVICS_CRAWLER_HOST" ]; then
-    PAVICS_CRAWLER_HOST="$PAVICS_FQDN"
+if [ -z "${PAVICS_CRAWLER_HOST}" ]; then
+    PAVICS_CRAWLER_HOST="${PAVICS_FQDN}"
 fi
 
 set -x
@@ -43,6 +43,6 @@ returned in the XML body of the curl command. The status of the crawl,
 whether ongoing, failed or success will be in that link.
 
 Once crawler is done, go check the Solr DB at
-http://$PAVICS_CRAWLER_HOST:8983/solr/#/${THREDDS_SERVICE_DATA_URL_PATH}/query for content inserted by the
+http://${PAVICS_CRAWLER_HOST}:8983/solr/#/${THREDDS_SERVICE_DATA_URL_PATH}/query for content inserted by the
 crawler.  Just click on \"Execute Query\".
 "
diff --git a/birdhouse/scripts/detect-user-install-in-jupyter-env b/birdhouse/scripts/detect-user-install-in-jupyter-env
index a8e3663bf..3e3505fe9 100755
--- a/birdhouse/scripts/detect-user-install-in-jupyter-env
+++ b/birdhouse/scripts/detect-user-install-in-jupyter-env
@@ -7,10 +7,14 @@
 # version is pinned at the user installed version.
 #
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
+
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
+fi
 
-. "$THIS_DIR/../read-configs.include.sh"
 
 # Get JUPYTERHUB_USER_DATA_DIR
 read_configs
@@ -19,16 +23,16 @@ set -x
 
 START_TIME="`date -Isecond`"
 
-cd $JUPYTERHUB_USER_DATA_DIR
+cd "${JUPYTERHUB_USER_DATA_DIR}" || exit
 
 # Fresh new user do not have .local/lib and .local/bin yet so these commands
 # will return error and it is normal.
-ls -a */.home/.local/lib/python*/site-packages
-ls -a */.home/.local/bin
+ls -a -- */.home/.local/lib/python*/site-packages
+ls -a -- */.home/.local/bin
 
 set +x
 
-echo "
+log INFO "
 Errors like
   ls: cannot access */.home/.local/lib/python*/site-packages: No such file or directory
   ls: cannot access */.home/.local/bin: No such file or directory
diff --git a/birdhouse/scripts/extract-jupyter-users-from-magpie-db b/birdhouse/scripts/extract-jupyter-users-from-magpie-db
index 9d0c4dfbf..004b45f71 100755
--- a/birdhouse/scripts/extract-jupyter-users-from-magpie-db
+++ b/birdhouse/scripts/extract-jupyter-users-from-magpie-db
@@ -19,9 +19,9 @@
 # (4 rows)
 
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="`dirname "$THIS_DIR"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
 if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
     . "${COMPOSE_DIR}/read-configs.include.sh"
@@ -32,4 +32,5 @@ fi
 
 set -x
 
-echo "SELECT email,user_name FROM users ORDER BY email" | docker exec -i postgres-magpie psql -U $POSTGRES_MAGPIE_USERNAME $MAGPIE_DB_NAME
+echo "SELECT email,user_name FROM users ORDER BY email" | \
+  docker exec -i postgres-magpie psql -U "${POSTGRES_MAGPIE_USERNAME}" "${MAGPIE_DB_NAME}"
diff --git a/birdhouse/scripts/get-components-json.include.sh b/birdhouse/scripts/get-components-json.include.sh
index bf8679e3b..598f65722 100755
--- a/birdhouse/scripts/get-components-json.include.sh
+++ b/birdhouse/scripts/get-components-json.include.sh
@@ -17,10 +17,18 @@
 # }
 #
 
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
+
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
+fi
+
 # default value in case of error or missing definitions
 export BIRDHOUSE_DEPLOY_COMPONENTS_JSON='{"components": []}'
 if [ -z "${ALL_CONF_DIRS}" ]; then
-  echo "No components in DEFAULT_CONF_DIRS and EXTRA_CONF_DIRS. Components JSON list will be empty!"
+  log WARN "No components in DEFAULT_CONF_DIRS and EXTRA_CONF_DIRS. Components JSON list will be empty!"
   return
 fi
 
@@ -41,7 +49,7 @@ BIRDHOUSE_DEPLOY_COMPONENTS_LIST_KNOWN="$( \
   | sed -E 's/^|[[:space:]]+/ -e /' \
 )"
 if [ -z "${BIRDHOUSE_DEPLOY_COMPONENTS_LIST_KNOWN}" ]; then
-  echo "[WARNING]" \
+  log WARN "" \
     "Could not resolve known birdhouse-deploy components." \
     "Aborting to avoid potentially leaking sensible details." \
     "Components will not be reported on the platform's JSON endpoint."
diff --git a/birdhouse/scripts/get-services-json.include.sh b/birdhouse/scripts/get-services-json.include.sh
index fd5a9d257..b365ea4a5 100755
--- a/birdhouse/scripts/get-services-json.include.sh
+++ b/birdhouse/scripts/get-services-json.include.sh
@@ -1,5 +1,13 @@
 #!/bin/sh
 
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
+
+if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
+    . "${COMPOSE_DIR}/read-configs.include.sh"
+fi
+
 # default value in case of error or missing definitions
 
 for adir in ${ALL_CONF_DIRS}; do
@@ -8,6 +16,6 @@ for adir in ${ALL_CONF_DIRS}; do
 done
 
 if [ -z "${SERVICES}" ]; then
-  echo "${YELLOW}Warning: ${NORMAL}No services in DEFAULT_CONF_DIRS and EXTRA_CONF_DIRS. SERVICES JSON list will be empty!"
+  log WARN "No services in DEFAULT_CONF_DIRS and EXTRA_CONF_DIRS. SERVICES JSON list will be empty!"
 fi
 export BIRDHOUSE_DEPLOY_SERVICES_JSON="{\"services\": [${SERVICES}]}"
diff --git a/birdhouse/scripts/logging.include.sh b/birdhouse/scripts/logging.include.sh
new file mode 100644
index 000000000..fcce426bd
--- /dev/null
+++ b/birdhouse/scripts/logging.include.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+BIRDHOUSE_COLOR=${BIRDHOUSE_COLOR:-1}
+if [ "${BIRDHOUSE_COLOR}" -eq "1" ]; then
+    BLUE=$(tput setaf 12)
+    GRAY=$(tput setaf 8)
+    CYAN=$(tput setaf 6)
+    PURPLE=$(tput setaf 5)
+    YELLOW=$(tput setaf 3)
+    GREEN=$(tput setaf 2)
+    RED=$(tput setaf 1)
+    REG_BG_BOLD="$(tput sgr0)$(tput setab 1)$(tput bold)"
+    NORMAL=$(tput sgr0)
+fi
+
+BIRDHOUSE_LOG_LEVEL=${BIRDHOUSE_LOG_LEVEL:-INFO}
+export LOG_DEBUG="${GRAY}DEBUG${NORMAL}:    "
+export LOG_INFO="${BLUE}INFO${NORMAL}:     "
+export LOG_WARN="${YELLOW}WARNING${NORMAL}:  "
+export LOG_ERROR="${RED}ERROR${NORMAL}:    "
+export LOG_CRITICAL="${REG_BG_BOLD}CRITICAL${NORMAL}: "  # to report misuse of functions
+
+
+# Usage: log {LEVEL} "{message}" [...]
+# Any amount of messages can be passed to the function.
+log() {
+    if [ "${BIRDHOUSE_LOG_LEVEL}" != DEBUG ] \
+    && [ "${BIRDHOUSE_LOG_LEVEL}" != INFO ] \
+    && [ "${BIRDHOUSE_LOG_LEVEL}" != WARN ] \
+    && [ "${BIRDHOUSE_LOG_LEVEL}" != ERROR ]; then
+        echo "${LOG_CRITICAL}Invalid log level setting: [BIRDHOUSE_LOG_LEVEL=${BIRDHOUSE_LOG_LEVEL}]."
+        exit 2
+    fi
+    level="$1"
+    shift
+    if [ "$*" = "" ]; then
+        echo "${LOG_CRITICAL}Invalid log message is missing."
+        exit 2
+    fi
+    if [ "${level}" = "DEBUG" ]; then
+        if [ "${BIRDHOUSE_LOG_LEVEL}" = DEBUG ]; then
+            echo "${LOG_DEBUG}$*"
+        fi
+    elif [ "${level}" = "INFO" ]; then
+        if [ "${BIRDHOUSE_LOG_LEVEL}" = DEBUG ] \
+        || [ "${BIRDHOUSE_LOG_LEVEL}" = INFO ]; then
+            echo "${LOG_INFO}$*"
+        fi
+    elif [ "${level}" = "WARN" ]; then
+        if [ "${BIRDHOUSE_LOG_LEVEL}" = DEBUG ] \
+        || [ "${BIRDHOUSE_LOG_LEVEL}" = INFO ] \
+        || [ "${BIRDHOUSE_LOG_LEVEL}" = WARN ]; then
+            echo "${LOG_WARN}$*"
+        fi
+    elif [ "${level}" = "ERROR" ]; then
+        echo "${LOG_ERROR}$*"
+    else
+        echo "${LOG_CRITICAL}Invalid log level: [${level}]"
+        exit 2
+    fi
+}
diff --git a/birdhouse/scripts/migrate-jupyterhub-user-persistence b/birdhouse/scripts/migrate-jupyterhub-user-persistence
index 6059d20b1..75114ad0a 100755
--- a/birdhouse/scripts/migrate-jupyterhub-user-persistence
+++ b/birdhouse/scripts/migrate-jupyterhub-user-persistence
@@ -4,16 +4,16 @@
 # location JUPYTERHUB_USER_DATA_DIR/PUBLIC_USERNAME.
 #
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="`dirname "$THIS_DIR"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
-. "$COMPOSE_DIR/read-configs.include.sh"
+. "${COMPOSE_DIR}/read-configs.include.sh"
 
 # Get JUPYTERHUB_USER_DATA_DIR
 read_configs
 
-PUBLIC_USERNAME="$JUPYTER_DEMO_USER"
+PUBLIC_USERNAME="${JUPYTER_DEMO_USER}"
 
 BASE_CMD="docker run -it --rm --name migrate_jupyterhub_user_persistence \
     -u root \
@@ -23,10 +23,10 @@ BASE_CMD="docker run -it --rm --name migrate_jupyterhub_user_persistence \
 
 set -x
 
-$BASE_CMD bash -c "mkdir -p $JUPYTERHUB_USER_DATA_DIR/$PUBLIC_USERNAME \
-    && cp -r /jpuser/* $JUPYTERHUB_USER_DATA_DIR/$PUBLIC_USERNAME/ \
-    && rm -rf $JUPYTERHUB_USER_DATA_DIR/$PUBLIC_USERNAME/tutorial-notebooks \
-    && touch $JUPYTERHUB_USER_DATA_DIR/tutorial-notebooks \
-    && rm $JUPYTERHUB_USER_DATA_DIR/$PUBLIC_USERNAME/README.ipynb \
-    && touch $JUPYTERHUB_USER_DATA_DIR/README.ipynb \
-    && chown -R 1000:1000 $JUPYTERHUB_USER_DATA_DIR/$PUBLIC_USERNAME"
+$BASE_CMD bash -c "mkdir -p ${JUPYTERHUB_USER_DATA_DIR}/${PUBLIC_USERNAME} \
+    && cp -r /jpuser/* ${JUPYTERHUB_USER_DATA_DIR}/${PUBLIC_USERNAME}/ \
+    && rm -rf ${JUPYTERHUB_USER_DATA_DIR}/${PUBLIC_USERNAME}/tutorial-notebooks \
+    && touch ${JUPYTERHUB_USER_DATA_DIR}/tutorial-notebooks \
+    && rm ${JUPYTERHUB_USER_DATA_DIR}/${PUBLIC_USERNAME}/README.ipynb \
+    && touch ${JUPYTERHUB_USER_DATA_DIR}/README.ipynb \
+    && chown -R 1000:1000 ${JUPYTERHUB_USER_DATA_DIR}/${PUBLIC_USERNAME}"
diff --git a/birdhouse/scripts/send-dummy-alert.sh b/birdhouse/scripts/send-dummy-alert.sh
index 0edf503a3..9cff840ad 100755
--- a/birdhouse/scripts/send-dummy-alert.sh
+++ b/birdhouse/scripts/send-dummy-alert.sh
@@ -1,20 +1,20 @@
 #!/bin/bash
 # https://gist.githubusercontent.com/cherti/61ec48deaaab7d288c9fcf17e700853a/raw/a69ddd1d96507f6d94059071d500fe499631e739/alert.sh
-# Useful to test receving alert on UI and via email notif.
+# Useful to test receiving alert on UI and via email notif.
 
-name=$RANDOM
+name=${RANDOM}
 url='http://localhost:9093/api/v1/alerts'
 
-echo "firing up alert $name" 
+echo "firing up alert ${name}" 
 
 # change url o
 curl -XPOST $url -d "[{ 
 	\"status\": \"firing\",
 	\"labels\": {
-		\"alertname\": \"$name\",
+		\"alertname\": \"${name}\",
 		\"service\": \"my-service\",
 		\"severity\":\"warning\",
-		\"instance\": \"$name.example.net\"
+		\"instance\": \"${name}.example.net\"
 	},
 	\"annotations\": {
 		\"summary\": \"High latency is high!\"
@@ -24,17 +24,17 @@ curl -XPOST $url -d "[{
 
 echo ""
 
-echo "press enter to resolve alert"
-read
+echo "press enter to resolve alert (Ctrl-C to cancel)"
+read -r
 
 echo "sending resolve"
-curl -XPOST $url -d "[{ 
+curl -XPOST "${url}" -d "[{
 	\"status\": \"resolved\",
 	\"labels\": {
-		\"alertname\": \"$name\",
+		\"alertname\": \"${name}\",
 		\"service\": \"my-service\",
 		\"severity\":\"warning\",
-		\"instance\": \"$name.example.net\"
+		\"instance\": \"${name}.example.net\"
 	},
 	\"annotations\": {
 		\"summary\": \"High latency is high!\"
diff --git a/birdhouse/scripts/sync-data b/birdhouse/scripts/sync-data
index ad6cc4ea5..7ea415cad 100755
--- a/birdhouse/scripts/sync-data
+++ b/birdhouse/scripts/sync-data
@@ -13,9 +13,9 @@
 # Assume
 # * ssh passwordless to source host is setup properly
 
-THIS_FILE="`realpath "$0"`"
-THIS_DIR="`dirname "$THIS_FILE"`"
-COMPOSE_DIR="`dirname "$THIS_DIR"`"
+THIS_FILE="$(readlink -f "$0" || realpath "$0")"
+THIS_DIR="$(dirname "${THIS_FILE}")"
+COMPOSE_DIR="${COMPOSE_DIR:-$(dirname "${THIS_DIR}")}"
 
 if [ -f "${COMPOSE_DIR}/read-configs.include.sh" ]; then
     . "${COMPOSE_DIR}/read-configs.include.sh"
@@ -28,23 +28,23 @@ SOURCE_HOST="$1"; shift
 FORCE_MODE="$1"
 
 if [ -z "$SOURCE_HOST" ]; then
-    echo "ERROR: no source host provided" 1>&2
+    log ERROR "no source host provided" 1>&2
     exit 2
 fi
 
 if [ ! x"$FORCE_MODE" = xforce ]; then
     # Default to dry-run
-    SYNC_DATA_EXTRA_RSYNC_OPTS="$SYNC_DATA_EXTRA_RSYNC_OPTS --dry-run"
+    SYNC_DATA_EXTRA_RSYNC_OPTS="${SYNC_DATA_EXTRA_RSYNC_OPTS} --dry-run"
 fi
 
 
 RSYNC_BASE_CMD="rsync --recursive --links --hard-links --times \
     --itemize-changes --human-readable --delete --stats \
-    --progress $SYNC_DATA_EXTRA_RSYNC_OPTS"
+    --progress ${SYNC_DATA_EXTRA_RSYNC_OPTS}"
 
 set -x
 
-for item in $GEOSERVER_DATA_DIR/ $JUPYTERHUB_USER_DATA_DIR/ $MAGPIE_PERSIST_DIR/; do
+for item in ${GEOSERVER_DATA_DIR}/ ${JUPYTERHUB_USER_DATA_DIR}/ ${MAGPIE_PERSIST_DIR}/; do
     # Useful to run the following commands before sync just in case.
     # Could not put a real command here since it requires sudo.
     #   sudo setfacl -Rdm u:$USER:rwX $item
@@ -54,21 +54,22 @@ for item in $GEOSERVER_DATA_DIR/ $JUPYTERHUB_USER_DATA_DIR/ $MAGPIE_PERSIST_DIR/
     # than needed.
 
     # Assume DATA_PERSIST_ROOT is same between both hosts !
-    $RSYNC_BASE_CMD $SOURCE_HOST:$item $item
+    ${RSYNC_BASE_CMD} "${SOURCE_HOST}:${item}" "${item}"
 done
 
 if [ ! x"$FORCE_MODE" = xforce ]; then
-    echo "Dry-run mode, not executing '$COMPOSE_DIR/deployment/fix-geoserver-data-dir-perm' and other permission fixup"
+    log INFO "Dry-run mode, not executing '${COMPOSE_DIR}/deployment/fix-geoserver-data-dir-perm' and other permission fixup"
 else
-    $COMPOSE_DIR/deployment/fix-geoserver-data-dir-perm
+    log INFO "Executing '${COMPOSE_DIR}/deployment/fix-geoserver-data-dir-perm' and other permission fixup"
+    "${COMPOSE_DIR}/deployment/fix-geoserver-data-dir-perm"
 
     docker run --rm --name fix-jupyter-data-dir-perm \
-        --volume ${JUPYTERHUB_USER_DATA_DIR}:/datadir \
-        $BASH_IMAGE \
+        --volume "${JUPYTERHUB_USER_DATA_DIR}":/datadir \
+        "${BASH_IMAGE}" \
         bash -xc 'chown -R 1000:1000 /datadir'
 
     docker run --rm --name fix-postgres-magpie-dir-perm \
-        --volume ${MAGPIE_PERSIST_DIR}:/datadir \
-        $BASH_IMAGE \
+        --volume "${MAGPIE_PERSIST_DIR}":/datadir \
+        "${BASH_IMAGE}" \
         bash -xc 'chown -R 999:0 /datadir'
 fi
diff --git a/docs/source/conf.py b/docs/source/conf.py
index a92ab3649..1b7e61354 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -69,9 +69,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '2.0.6'
+version = '2.1.0'
 # The full version, including alpha/beta/rc tags.
-release = '2.0.6'
+release = '2.1.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/tests/test_read_configs_include.py b/tests/test_read_configs_include.py
index 646b5d604..6de4ca49b 100644
--- a/tests/test_read_configs_include.py
+++ b/tests/test_read_configs_include.py
@@ -3,6 +3,7 @@
 import tempfile
 import pytest
 import subprocess
+from typing import Union
 
 ENV_SPLIT_STR: str = "#env for testing#"
 
@@ -28,7 +29,7 @@ def read_config_include_file(root_dir) -> str:
     return os.path.join(root_dir, "birdhouse", "read-configs.include.sh")
 
 
-def set_local_env(env_file: io.FileIO, content: str | dict) -> None:
+def set_local_env(env_file: io.FileIO, content: Union[str, dict]) -> None:
     env_file.truncate()
     if isinstance(content, dict):
         env_file.write("\n".join(f"{k}={v}" for k, v in content.items()))
@@ -82,7 +83,7 @@ class TestReadConfigs:
     ]
 
     def run_func(
-            self, include_file: str, local_env: str | dict, command_suffix: str = ""
+            self, include_file: str, local_env: Union[str, dict], command_suffix: str = ""
     ) -> subprocess.CompletedProcess:
         try:
             with tempfile.NamedTemporaryFile(delete=False, mode="w") as f:
@@ -182,6 +183,12 @@ def test_delayed_eval_custom_value(self, read_config_include_file) -> None:
         assert (split_and_strip(get_command_stdout(proc))[-1] ==
                 "public.example.com - /my-data-root/jupyterhub_user_data - /my-geoserver-data")
 
+    def test_delayed_eval_quoting(self, read_config_include_file) -> None:
+        """Test that the delayed evaluation functions resolve quotation marks and braces properly"""
+        extra = {"EXTRA_TEST_VAR": "\"{'123'}\"", "DELAYED_EVAL": "$DELAYED_EVAL EXTRA_TEST_VAR"}
+        proc = self.run_func(read_config_include_file, extra, 'echo "${EXTRA_TEST_VAR}"')
+        assert split_and_strip(get_command_stdout(proc))[-1] == "{'123'}"
+
 
 class TestCreateComposeConfList:
     default_conf_list_order: list[str] = [