diff --git a/README.md b/README.md
index 6cea0f8..7d8aa95 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,7 @@ No modules.
 | <a name="input_bridge"></a> [bridge](#input\_bridge) | Bridge interface | `string` | `"virbr0"` | no |
 | <a name="input_cpu_mode"></a> [cpu\_mode](#input\_cpu\_mode) | CPU mode | `string` | `"host-passthrough"` | no |
 | <a name="input_dhcp"></a> [dhcp](#input\_dhcp) | Use DHCP or Static IP settings | `bool` | `false` | no |
-| <a name="input_graphics"></a> [graphics](#graphics) | Graphics type (can be '`spice`' or '`vnc`') | `string` | `spice` | no |
+| <a name="input_graphics"></a> [graphics](#input\_graphics) | Graphics type (can be '`spice`' or '`vnc`') | `string` | `spice` | no |
 | <a name="input_index_start"></a> [index\_start](#input\_index\_start) | From where the indexig start | `number` | `1` | no |
 | <a name="input_ip_address"></a> [ip\_address](#input\_ip\_address) | List of IP addresses | `list(string)` | <pre>[<br>  "192.168.123.101"<br>]</pre> | no |
 | <a name="input_ip_gateway"></a> [ip\_gateway](#input\_ip\_gateway) | IP addresses of a gateway | `string` | `"192.168.123.1"` | no |
@@ -66,13 +66,17 @@ No modules.
 | <a name="input_share_filesystem"></a> [share\_filesystem](#input\_share\_filesystem) | n/a | <pre>object({<br>    source   = string<br>    target   = string<br>    readonly = bool<br>    mode     = string<br>  })</pre> | <pre>{<br>  "mode": null,<br>  "readonly": false,<br>  "source": null,<br>  "target": null<br>}</pre> | no |
 | <a name="input_ssh_admin"></a> [ssh\_admin](#input\_ssh\_admin) | Admin user with ssh access | `string` | `"ssh-admin"` | no |
 | <a name="input_ssh_keys"></a> [ssh\_keys](#input\_ssh\_keys) | List of public ssh keys | `list(string)` | `[]` | no |
-| <a name="input_ssh_private_key"></a> [ssh\_private\_key](#input\_ssh\_private\_key) | Private key for SSH connection test | `string` | `null` | no |
+| <a name="input_ssh_private_key"></a> [ssh\_private\_key](#input\_ssh\_private\_key) | Private key for SSH connection test (either path to file or key content) | `string` | `null` | no |
 | <a name="input_system_volume"></a> [system\_volume](#input\_system\_volume) | System Volume size (GB) | `number` | `10` | no |
 | <a name="input_time_zone"></a> [time\_zone](#input\_time\_zone) | Time Zone | `string` | `"UTC"` | no |
 | <a name="input_vcpu"></a> [vcpu](#input\_vcpu) | Number of vCPUs | `number` | `1` | no |
 | <a name="input_vm_count"></a> [vm\_count](#input\_vm\_count) | Number of VMs | `number` | `1` | no |
 | <a name="input_vm_hostname_prefix"></a> [vm\_hostname\_prefix](#input\_vm\_hostname\_prefix) | VM hostname prefix | `string` | `"vm"` | no |
-| <a name="input_xml_override"></a> [xml\_override](#input\_xml\_override) | With these variables you can: Enable hugepages; Set USB controllers; Attach USB devices | <pre>object({<br>    hugepages = bool<br>    usb_controllers = list(object({<br>      model = string<br>    }))<br>    usb_devices = list(object({<br>      vendor  = string<br>      product = string<br>    }))<br>  })</pre> | <pre>{<br>  "hugepages": false,<br>  "usb_controllers": [<br>    {<br>      "model": "piix3-uhci"<br>    }<br>  ],<br>  "usb_devices": []<br>}</pre> | no |
+| <a name="input_xml_override"></a> [xml\_override](#input\_xml\_override) | With these variables you can: Enable hugepages; Set USB controllers; Attach USB devices | <pre>object({<br>    hugepages = bool<br>    usb_controllers = list(object({<br>      model = string<br>    }))<br>    usb_devices = list(object({<br>      vendor  = string<br>      product = string<br>    }))<br>    pci_devices_passthrough = list(object({<br>      src_domain = string<br>      src_bus    = string<br>      src_slot   = string<br>      src_func   = string<br>      dst_domain = string<br>      dst_bus    = string<br>      dst_slot   = string<br>      dst_func   = string<br>    }))<br>  })</pre> | <pre>{<br>  "hugepages": false,<br>  "usb_controllers": [<br>    {<br>      "model": "piix3-uhci"<br>    }<br>  ],<br>  "usb_devices": []<br>  "pci_devices_passthrough": []<br>}</pre> | no |
+| <a name="input_bastion_host"></a> [bastion\_host](#input\_bastion\_host) | ssh bastion host | `string` | `null` | no |
+| <a name="input_bastion_user"></a> [bastion\_user](#input\_bastion\_user) | ssh user on bastion host | `string` | `null` | no |
+| <a name="input_bastion_ssh_private_key"></a> [bastion\_ssh\_private\_key](#input\_bastion\_ssh\_private\_key) | ssh private key for bastion host (either path to file or key content) | `string` | `null` | no |
+
 
 ## Outputs
 
@@ -96,6 +100,11 @@ terraform {
     }
 }
 
+resource "tls_private_key" "ecdsa-p384-bastion" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
 provider "libvirt" {
   uri = "qemu+ssh://hero@192.168.165.100/system"
 }
@@ -118,6 +127,9 @@ module "vm" {
   ssh_keys    = [
     "ssh-ed25519 AAAAxxxxxxxxxxxxSSHxxxKEY example",
     ]
+  bastion_host = "10.0.0.1"
+  bastion_user = "admin"
+  bastion_ssh_private_key = tls_private_key.ecdsa-p384-bastion.private_key_pem
   time_zone   = "CET"
   os_img_url  = "file:///home/myuser/ubuntu-20.04-server-cloudimg-amd64.img"
   xml_override = {
@@ -133,6 +145,28 @@ module "vm" {
           product = "0xab28"
         }
       ]
+      pci_devices_passthrough = [
+        {
+          src_domain = "0x0000",
+          src_bus    = "0xc1",
+          src_slot   = "0x00",
+          src_func   = "0x0",
+          dst_domain = "0x0000",
+          dst_bus    = "0x00",
+          dst_slot   = "0x08"
+          dst_func   = "0x0"
+        },
+        {
+          src_domain = "0x0000",
+          src_bus    = "0xc1",
+          src_slot   = "0x00",
+          src_func   = "0x1",
+          dst_domain = "0x0000",
+          dst_bus    = "0x00",
+          dst_slot   = "0x09"
+          dst_func   = "0x0"
+        }
+      ]      
     }
 }
 
diff --git a/main.tf b/main.tf
index 6ed0426..c2badd1 100644
--- a/main.tf
+++ b/main.tf
@@ -76,11 +76,14 @@ resource "libvirt_domain" "virt-machine" {
       "date"
     ]
     connection {
-      type        = "ssh"
-      user        = var.ssh_admin
-      host        = self.network_interface[0].addresses[0]
-      private_key = var.ssh_private_key != null ? file(var.ssh_private_key) : null
-      timeout     = "2m"
+      type                = "ssh"
+      user                = var.ssh_admin
+      host                = self.network_interface[0].addresses[0]
+      private_key         = try(file(var.ssh_private_key), var.ssh_private_key, null)
+      timeout             = "2m"
+      bastion_host        = var.bastion_host
+      bastion_user        = var.bastion_user
+      bastion_private_key = try(file(var.bastion_ssh_private_key), var.bastion_ssh_private_key, null)
     }
   }
 }
diff --git a/variables.tf b/variables.tf
index bbd54d3..e73d2e1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -70,6 +70,16 @@ variable "xml_override" {
       vendor  = string
       product = string
     }))
+    pci_devices_passthrough = list(object({
+      src_domain = string
+      src_bus    = string
+      src_slot   = string
+      src_func   = string
+      dst_domain = string
+      dst_bus    = string
+      dst_slot   = string
+      dst_func   = string
+    }))
   })
   default = {
 
@@ -86,6 +96,18 @@ variable "xml_override" {
       #   vendor = "0x0123",
       #   product = "0xabcd"
       # }
+    ],
+    pci_devices_passthrough = [
+      #{
+      #  src_domain = "0x0000",
+      #  src_bus = "0xc1",
+      #  src_slot = "0x00",
+      #  src_func = "0x0",
+      #  dst_domain = "0x0000",
+      #  dst_bus = "0x00",
+      #  dst_slot = "0x08"
+      #  dst_func = "0x0"
+      #}
     ]
   }
 
@@ -185,7 +207,7 @@ variable "time_zone" {
 }
 
 variable "ssh_private_key" {
-  description = "Private key for SSH connection test"
+  description = "Private key for SSH connection test (either path to file or key content)"
   type        = string
   default     = null
 }
@@ -211,3 +233,21 @@ variable "graphics" {
     error_message = "Graphics type not supported. Only 'spice' or 'vnc' are valid options."
   }
 }
+
+variable "bastion_host" {
+  description = "Bastion host"
+  type        = string
+  default     = null
+}
+
+variable "bastion_user" {
+  description = "Bastion ssh user"
+  type        = string
+  default     = null
+}
+
+variable "bastion_ssh_private_key" {
+  description = "Bastion private key for SSH connection test (either path to file or key content)"
+  type        = string
+  default     = null
+}
\ No newline at end of file
diff --git a/xslt/template.tftpl b/xslt/template.tftpl
index 17d8ae7..8b4df8d 100644
--- a/xslt/template.tftpl
+++ b/xslt/template.tftpl
@@ -44,6 +44,29 @@
             <xsl:attribute name="model">${usb_controller.model}</xsl:attribute>
         </xsl:element>
 %{ endfor ~}
+%{if pci_devices_passthrough != [] ~}
+%{ for pci_devices in pci_devices_passthrough ~}
+        <xsl:element name="hostdev">
+            <xsl:attribute name="type">pci</xsl:attribute>
+            <xsl:attribute name="managed">yes</xsl:attribute>
+            <xsl:element name="source">
+              <xsl:element name="address">
+                <xsl:attribute name="domain">${pci_devices.src_domain}</xsl:attribute>
+                <xsl:attribute name="bus">${pci_devices.src_bus}</xsl:attribute>
+                <xsl:attribute name="slot">${pci_devices.src_slot}</xsl:attribute>
+                <xsl:attribute name="function">${pci_devices.src_func}</xsl:attribute>
+              </xsl:element>
+            </xsl:element>
+            <xsl:element name="address">
+              <xsl:attribute name="type">pci</xsl:attribute>
+              <xsl:attribute name="domain">${pci_devices.dst_domain}</xsl:attribute>
+              <xsl:attribute name="bus">${pci_devices.dst_bus}</xsl:attribute>
+              <xsl:attribute name="slot">${pci_devices.dst_slot}</xsl:attribute>
+              <xsl:attribute name="function">${pci_devices.dst_func}</xsl:attribute>
+            </xsl:element>
+        </xsl:element>
+%{ endfor ~}
+%{ endif ~}
     </xsl:copy>
   </xsl:template>
 </xsl:stylesheet>