diff --git a/docs/index.md b/docs/index.md index 67d8b05..4ea45e8 100644 --- a/docs/index.md +++ b/docs/index.md @@ -19,6 +19,7 @@ description: |- - `address_filter` (List of String) List of network cidr's to filter addresses used to connect to nixos_instance resources - `address_priority` (Map of Number) Map of network cidr's with associated weight which will affect address ordering for nixos_isntance resource +- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--bastion)) - `nix` (Block Set, Max: 1) Nix package manager configuration options (see [below for nested schema](#nestedblock--nix)) - `retry` (Number) Amount of retries for retryable operations - `retry_wait` (Number) Amount of seconds to wait between retries @@ -26,6 +27,17 @@ description: |- - `secrets` (Block Set, Max: 1) Describes secrets settings (see [below for nested schema](#nestedblock--secrets)) - `ssh` (Block Set, Max: 1) SSH protocol settings (see [below for nested schema](#nestedblock--ssh)) + +### Nested Schema for `bastion` + +Optional: + +- `config` (Map of String) SSH configuration map +- `host` (String) SSH bastion remote hostname +- `port` (Number) SSH remote port +- `user` (String) SSH remote user name + + ### Nested Schema for `nix` @@ -98,17 +110,6 @@ Optional: Optional: -- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--ssh--bastion)) -- `config` (Map of String) SSH configuration map -- `port` (Number) SSH remote port -- `user` (String) SSH remote user name - - -### Nested Schema for `ssh.bastion` - -Optional: - - `config` (Map of String) SSH configuration map -- `host` (String) SSH remote hostname - `port` (Number) SSH remote port - `user` (String) SSH remote user name diff --git a/docs/resources/instance.md b/docs/resources/instance.md index 4af77ec..ecef1f6 100644 --- a/docs/resources/instance.md +++ b/docs/resources/instance.md 
@@ -22,6 +22,7 @@ NixOS instance ### Optional +- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--bastion)) - `derivations` (Block List) List of derivations which is built during apply (see [below for nested schema](#nestedblock--derivations)) - `nix` (Block Set, Max: 1) Nix package manager configuration options (see [below for nested schema](#nestedblock--nix)) - `secret` (Block Set) Describes secret which should be transfered to host (see [below for nested schema](#nestedblock--secret)) @@ -35,6 +36,17 @@ NixOS instance - `id` (String) The ID of this resource. - `secret_fingerprint` (Map of String) Secrets state fingerprint information which is used to maintain state + +### Nested Schema for `bastion` + +Optional: + +- `config` (Map of String) SSH configuration map +- `host` (String) SSH bastion remote hostname +- `port` (Number) SSH remote port +- `user` (String) SSH remote user name + + ### Nested Schema for `derivations` @@ -116,18 +128,7 @@ Optional: Optional: -- `bastion` (Block Set, Max: 1) SSH configuration for bastion server (see [below for nested schema](#nestedblock--ssh--bastion)) -- `config` (Map of String) SSH configuration map -- `port` (Number) SSH remote port -- `user` (String) SSH remote user name - - -### Nested Schema for `ssh.bastion` - -Optional: - - `config` (Map of String) SSH configuration map -- `host` (String) SSH remote hostname - `port` (Number) SSH remote port - `user` (String) SSH remote user name diff --git a/makefile b/makefile index 513d12c..d363202 100644 --- a/makefile +++ b/makefile @@ -2,6 +2,7 @@ .ONESHELL: export TF_LOG ?= ERROR +export SSH_AUTH_SOCK = root = $(dir $(abspath $(firstword $(MAKEFILE_LIST)))) result = $(root)/result/libexec/terraform-providers diff --git a/provider/provider.go b/provider/provider.go index 8f52a25..b05ede3 100644 --- a/provider/provider.go +++ b/provider/provider.go 
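Review bot: `export SSH_AUTH_SOCK =` assigns an empty string for every recipe in this makefile, which OpenSSH treats the same as no agent at all, so nothing run from make can authenticate with keys loaded in the developer's ssh-agent; the line itself gives no hint that this is deliberate. Given that the fixtures elsewhere in this commit use explicit per-block config and a loopback bastion, the goal is presumably to keep builds and tests from silently depending on, or tunnelling through, the local agent, and that belongs next to the line, e.g. `# blank the agent socket so make targets never use keys from the developer's ssh-agent`. If the intent was to remove the variable rather than empty it, GNU make's `unexport SSH_AUTH_SOCK` is the directive for that.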
@@ -229,8 +229,8 @@ func (p *Provider) SshSettings(resource ResourceBox) map[string]interface{} { return p.settings(resource, KeySsh) } -func (p *Provider) SshBastionSettings(resource ResourceBox) map[string]interface{} { - return p.settings(resource, KeySsh, KeySshBastion) +func (p *Provider) BastionSettings(resource ResourceBox) map[string]interface{} { + return p.settings(resource, KeyBastion) } func (p *Provider) SshConfigMap(settings map[string]interface{}) *SshConfigMap { @@ -298,7 +298,7 @@ func (p *Provider) NewSsh(resource ResourceBox) *Ssh { settings = p.SshSettings(resource) configMap = p.SshConfigMap(settings) - bastionSettings = p.SshBastionSettings(resource) + bastionSettings = p.BastionSettings(resource) ) bastionHost, _ := bastionSettings[KeySshHost].(string) diff --git a/provider/schema.go b/provider/schema.go index c012647..560ec9f 100644 --- a/provider/schema.go +++ b/provider/schema.go @@ -50,12 +50,13 @@ const ( // - KeySsh = "ssh" - KeySshHost = "host" - KeySshUser = "user" - KeySshPort = "port" - KeySshConfig = "config" - KeySshBastion = "bastion" + KeySsh = "ssh" + KeySshHost = "host" + KeySshUser = "user" + KeySshPort = "port" + KeySshConfig = "config" + + KeyBastion = "bastion" // 
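Review bot: `BastionSettings` is a new exported method with no doc comment, and because it reads the block from a different place than the removed `SshBastionSettings` did (`KeyBastion` at the top level instead of `KeySsh, KeySshBastion`) the comment should say so: `// BastionSettings returns the settings of the top-level bastion block for resource; the block was previously nested under ssh.` Existing configurations that still put `bastion` inside `ssh` will presumably be rejected at plan time now that the ssh block's schema no longer declares it, which is the right failure mode but worth a line in the release notes. Whether anything outside this package called `SshBastionSettings` is not visible here; if so, a one-line deprecated forwarder keeps it compiling.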
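Review bot: `KeyBastion` joins the exported key constants without a doc comment, and the bare `//` separator above it is the only context a reader gets; `// KeyBastion is the top-level schema key for the bastion SSH block (formerly KeySshBastion, nested under KeySsh).` records the move where it is easiest to find. Removing the exported `KeySshBastion` constant is a compile-time break for any external importer; if none exist that is fine, otherwise keep it as a deprecated alias of `KeyBastion`. The const block starts and ends outside the hunk.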
@@ -112,35 +113,32 @@ var ( DefaultFunc: DefaultSshConfig, }, } + ProviderSchemaSsh = SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{ + Description: "SSH protocol settings", + Type: schema.TypeSet, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: ProviderSchemaSshMap, + }, + Optional: true, + }) + ProviderSchemaBastionMap = SchemaMapExtend( ProviderSchemaSshMap, map[string]*schema.Schema{ KeySshHost: { - Description: "SSH remote hostname", + Description: "SSH bastion remote hostname", Type: schema.TypeString, Optional: true, }, }, ) - ProviderSchemaSsh = SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{ - Description: "SSH protocol settings", + ProviderSchemaBastion = SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{ + Description: "SSH configuration for bastion server", Type: schema.TypeSet, MaxItems: 1, Elem: &schema.Resource{ - Schema: SchemaMapExtend( - ProviderSchemaSshMap, - map[string]*schema.Schema{ - KeySshBastion: { - Description: "SSH configuration for bastion server", - Type: schema.TypeSet, - MaxItems: 1, - Elem: &schema.Resource{ - Schema: ProviderSchemaBastionMap, - }, - Optional: true, - }, - }, - ), + Schema: ProviderSchemaBastionMap, }, Optional: true, }) @@ -381,6 +379,7 @@ var ( KeyNix: ProviderSchemaNix, KeySsh: ProviderSchemaSsh, + KeyBastion: ProviderSchemaBastion, KeySecrets: ProviderSchemaSecrets, KeySecret: ProviderSchemaSecret, } @@ -424,6 +423,7 @@ var ( KeyNix: ProviderSchemaNix, KeySsh: ProviderSchemaSsh, + KeyBastion: ProviderSchemaBastion, KeySecrets: ProviderSchemaSecrets, KeySecret: ProviderSchemaSecret, diff --git a/provider/schema_test.go b/provider/schema_test.go index f94a507..32093ad 100644 --- a/provider/schema_test.go +++ b/provider/schema_test.go @@ -56,10 +56,10 @@ resource "nixos_instance" "test2" { pubKeyAuthentication = "no" passwordAuthentication = "yes" } - bastion { - host = "127.0.0.1" - port = 2222 - } + } + bastion { + host = "127.0.0.1" + port = 2222 } } ` 
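Review bot: `ProviderSchemaSsh` and `ProviderSchemaBastion` are now the same `SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{...})` literal differing only in description and element map, so a small package-level constructor would remove the duplicated block and keep the two from drifting. `host` stays `Optional` in `ProviderSchemaBastionMap` while `NewSsh` (second provider.go hunk) does `bastionHost, _ := bastionSettings[KeySshHost].(string)`, so a bastion block without a host silently yields an empty string; if an empty host is meant to disable the bastion, a comment on the `KeySshHost` entry should say so, otherwise `Required: true` would report a misconfigured block at plan time — unless `DefaultMapFromSchema` needs every nested attribute to be optional, which is not visible here. The enclosing `var (` block starts and ends outside the hunk.
```go
// sshBlockSchema builds the optional single-item block shared by the ssh and bastion settings.
func sshBlockSchema(description string, elem map[string]*schema.Schema) *schema.Schema {
	return SchemaWithDefaultFuncCtr(DefaultMapFromSchema, &schema.Schema{
		Description: description,
		Type:        schema.TypeSet,
		MaxItems:    1,
		Elem:        &schema.Resource{Schema: elem},
		Optional:    true,
	})
}

// … unchanged: ProviderSchemaSshMap, ProviderSchemaBastionMap …
ProviderSchemaSsh     = sshBlockSchema("SSH protocol settings", ProviderSchemaSshMap)
ProviderSchemaBastion = sshBlockSchema("SSH configuration for bastion server", ProviderSchemaBastionMap)
```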
@@ -78,15 +78,15 @@ provider "nixos" { pubKeyAuthentication = "no" passwordAuthentication = "yes" } - bastion { - host = "127.0.0.1" - port = 2222 - config = { - userKnownHostsFile = "/dev/null" - strictHostKeyChecking = "no" - pubKeyAuthentication = "no" - passwordAuthentication = "yes" - } + } + bastion { + host = "127.0.0.1" + port = 2222 + config = { + userKnownHostsFile = "/dev/null" + strictHostKeyChecking = "no" + pubKeyAuthentication = "no" + passwordAuthentication = "yes" } } secrets { @@ -152,8 +152,8 @@ func TestResourceNixosInstance(t *testing.T) { CheckEqual(t, "nixos_instance.test2", "address.2", ""), CheckEqual(t, "nixos_instance.test2", "configuration", "../test/test.nix"), CheckEqual(t, "nixos_instance.test2", "ssh.0.port", "2222"), - CheckEqual(t, "nixos_instance.test2", "ssh.0.bastion.0.host", "127.0.0.1"), - CheckEqual(t, "nixos_instance.test2", "ssh.0.bastion.0.port", "2222"), + CheckEqual(t, "nixos_instance.test2", "bastion.0.host", "127.0.0.1"), + CheckEqual(t, "nixos_instance.test2", "bastion.0.port", "2222"), ), }, { diff --git a/test/main.tf b/test/main.tf index 54b4461..9580b4e 100644 --- a/test/main.tf +++ b/test/main.tf @@ -19,10 +19,10 @@ provider "nixos" { pubKeyAuthentication = "no" passwordAuthentication = "yes" } - bastion { - host = "127.0.0.1" - port = 777 - } + } + bastion { + host = "127.0.0.1" + port = 777 } } @@ -41,10 +41,10 @@ resource "nixos_instance" "test" { pubKeyAuthentication = "no" passwordAuthentication = "yes" } - bastion { - host = "127.0.0.1" - port = 2222 - } + } + bastion { + host = "127.0.0.1" + port = 2222 } secret {
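Review bot: The provider-level bastion fixture moved here carries `userKnownHostsFile = "/dev/null"`, `strictHostKeyChecking = "no"` and `passwordAuthentication = "yes"`, which disables host-key verification for the 127.0.0.1 bastion; that is what a self-contained test needs, but nothing marks it as a test-only setting, and `test/main.tf` in this same commit shows the same `passwordAuthentication = "yes"` in its ssh block. A comment on the block such as `# test fixture: host-key verification is disabled for the loopback bastion; not a template for real provider settings` makes the intent explicit in both places. The enclosing `provider "nixos"` block starts and ends outside the hunk.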