diff --git a/deployment/run/ssh-single-host/run.sh b/deployment/run/ssh-single-host/run.sh
index 5c809015..84c3f7cb 100755
--- a/deployment/run/ssh-single-host/run.sh
+++ b/deployment/run/ssh-single-host/run.sh
@@ -1,23 +1,33 @@
 #! /usr/bin/env bash
 set -xeuo pipefail
 declare username host key_file ssh_opts nixos_conf
-IFS=" " read -r -a ssh_opts <<< "$( (echo "$ssh_opts" | jq -r '@sh') | tr -d \'\")"
+readarray -t ssh_opts < <(echo "$ssh_opts" | jq -r '.[]')
 
 # DEPLOY
-sshOpts=(
+sshOptsInit=(
   -o BatchMode=yes
   -o StrictHostKeyChecking=no
 )
-for ssh_opt in "${ssh_opts[@]}"; do
-  sshOpts+=(
-    -o "$ssh_opt"
-  )
-done
 if [[ -n "$key_file" ]]; then
-  sshOpts+=(
+  sshOptsInit+=(
     -i "$key_file"
   )
 fi
+# [@] will quote variables containing spaces itself
+sshOptsAt=("${sshOptsInit[@]}")
+for ssh_opt in "${ssh_opts[@]}"; do
+  sshOptsAt+=(
+    -o "${ssh_opt}"
+  )
+done
+# [*] needs manual quoting
+sshOptsAsterisk=("${sshOptsInit[@]}")
+for ssh_opt in "${ssh_opts[@]}"; do
+  sshOptsAsterisk+=(
+    -o "\"${ssh_opt}\""
+  )
+done
+
 destination="$username@$host"
 
 command=(nix-instantiate --show-trace "${nixos_conf}")
@@ -32,9 +42,9 @@ command=(nix-instantiate --show-trace "${nixos_conf}")
 # FIXME explore import/readFile as ways to instantiate the derivation, potentially allowing to realize the store path up-front from Nix?
 outPath=$(nix-store --realize "$("${command[@]}" -A config.system.build.toplevel.drvPath --eval --strict --json | jq -r '.')")
 # deploy the config by nix-copy-closure
-NIX_SSHOPTS="${sshOpts[*]}" nix-copy-closure --to "$destination" "$outPath" --gzip --use-substitutes
+NIX_SSHOPTS="${sshOptsAsterisk[*]}" nix-copy-closure --to "$destination" "$outPath" --gzip --use-substitutes
 # switch the remote host to the config
 # shellcheck disable=SC2029
-ssh "${sshOpts[@]}" "$destination" "nix-env --profile /nix/var/nix/profiles/system --set $outPath"
+ssh "${sshOptsAt[@]}" "$destination" "nix-env --profile /nix/var/nix/profiles/system --set $outPath"
 # shellcheck disable=SC2029
-ssh -o "ConnectTimeout=1" -o "ServerAliveInterval=1" "${sshOpts[@]}" "$destination" "nohup $outPath/bin/switch-to-configuration switch &" 2>&1
+ssh -o "ConnectTimeout=5" -o "ServerAliveInterval=1" "${sshOptsAt[@]}" "$destination" "nohup env $outPath/bin/switch-to-configuration switch &" 2>&1