diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 3a5a10a..020b33a 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -210,7 +210,7 @@ in {
         processedFiles=()
         ${
           concatStrings (mapAttrsToList (n: v: ''
-            setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
+            setupSecret ${n} ${v.user} ${v.group} ${v.permissions}
           '') cfg.secrets)
         }
 
@@ -220,7 +220,9 @@ in {
         )
         if [[ $unprocessedFiles ]]; then
           IFS=$'\n'
+          # shellcheck disable=SC2086
           chown root: $unprocessedFiles
+          # shellcheck disable=SC2086
           chmod 0440 $unprocessedFiles
         fi
 
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index adf6c87..ab0f5cb 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -51,14 +51,14 @@ let
   torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.nix-bitcoin.torClientAddressWithPort}";
   startScript = ''
     ${optionalString (cfg.getPublicAddressCmd != "") ''
-      publicURL="--public-url http://$(${cfg.getPublicAddressCmd})"
+      publicURL=(--public-url "http://$(${cfg.getPublicAddressCmd})")
     ''}
     exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
       --ln-path '${clightning.networkDir}'  \
       --host ${cfg.address} --port ${toString cfg.port} \
       --config '${config.nix-bitcoin.secretsDir}/spark-wallet-login' \
       ${optionalString cfg.tor.proxy torRateProvider} \
-      $publicURL \
+      ${optionalString (cfg.getPublicAddressCmd != "") ''"''${publicURL[@]}"''} \
       --pairing-qr --print-key ${cfg.extraArgs}
   '';
 in {