diff --git a/home/workmac.nix b/home/workmac.nix
index 95e4aa3..c8b2bcf 100644
--- a/home/workmac.nix
+++ b/home/workmac.nix
@@ -43,10 +43,89 @@ in
 # early catchall to enforce agent socket usage. **NOT** the place for fallback defaults.
 extraOptionOverrides = {
 IdentityAgent = "\"~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\"";
+ CanonicalizeHostname = "yes";
+ CanonicalDomains = "fcio.net gocept.net";
+ CanonicalizeFallbackLocal = "yes";
 };
 # ssh host config
 matchBlocks = {
+ # --- Host blocks (order matters: specific before wildcard) --------
+
+ # Hosts are only accessible via bastion host
+ #"switch1.example.com switch2.example.com" =
+ # lib.hm.dag.entryBefore [ "*.example.com" ] {
+ # extraOptions = {
+ # Tag = "proxyjump";
+ # };
+ # };
+
+ # TODO: these site-specific information are currently also publicly available elsewhere, so having them here in plain is fine.
+ # For adding more topology-related specific rules, consider moving this into secrets like SOPS or so.
+
+ # Hostname wildcard for management network, also accessed via bastion host
+ "*.mgm.whq.fcio.net *.mgm.whq.gocept.net" =
+ lib.hm.dag.entryBefore [ "*.fcio.net *.gocept.net" ] {
+ extraOptions = {
+ Tag = "proxyjump-whq";
+ };
+ };
+
+ "*.mgm.rzob.fcio.net *.mgm.rzob.gocept.net" =
+ lib.hm.dag.entryBefore [ "*.fcio.net *.gocept.net" ] {
+ extraOptions = {
+ Tag = "proxyjump-rzob";
+ };
+ };
+
+ # Fallback for all other FCIO hosts
+ "*.fcio.net *.gocept.net" = {
+ extraOptions = {
+ Tag = "direct-rzob";
+ };
+ };
+
+ # --- Match blocks (OpenSSH 9.4+ tags) ----------------------------
+
+ # Connect to hosts directly, or if that fails (e.g. IPv4-only network)
+ # use the bastion host as a jump host.
+ "tagged-direct-rzob" =
+ lib.hm.dag.entryAfter [ "*.fcio.net *.gocept.net" ] {
+ match = ''tagged="direct-rzob"'';
+ proxyCommand = "${lib.getExe pkgs.fc-scripts.ssh-multi-proxy} -p connect -i master,direct -j vpn-rzob.services.fcio.net %h %p";
+ extraOptions = {
+ ProxyUseFdpass = "yes";
+ };
+ };
+
+ "tagged-direct-whq" =
+ lib.hm.dag.entryAfter [ "*.fcio.net *.gocept.net" ] {
+ match = ''tagged="direct-whq"'';
+ proxyCommand = "${lib.getExe pkgs.fc-scripts.ssh-multi-proxy} -p connect -i master,direct -j vpn-whq.services.fcio.net %h %p";
+ extraOptions = {
+ ProxyUseFdpass = "yes";
+ };
+ };
+
+ # Don't connect directly, always use the bastion host as a jump host.
+ "tagged-proxyjump-whq" =
+ lib.hm.dag.entryAfter [ "tagged-direct" ] {
+ match = ''tagged="proxyjump-whq"'';
+ proxyCommand = "ssh-multi-proxy -p connect -ni all -j kenny12.fe.whq.fcio.net %h %p";
+ extraOptions = {
+ ProxyUseFdpass = "yes";
+ };
+ };
+
+ "tagged-proxyjump-rzob" =
+ lib.hm.dag.entryAfter [ "tagged-direct" ] {
+ match = ''tagged="proxyjump"'';
+ proxyCommand = "ssh-multi-proxy -p connect -ni all -j kenny09.fe.rzob.fcio.net %h %p";
+ extraOptions = {
+ ProxyUseFdpass = "yes";
+ };
+ };
+
 # default, gets placed last by home-manager
 "*" = {
 serverAliveInterval = 10;
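Review bot: The rzob management hosts never reach the bastion rule: the `*.mgm.rzob.*` Host block sets `Tag = "proxyjump-rzob"`, but the `"tagged-proxyjump-rzob"` entry matches `tagged="proxyjump"` (the value from the commented-out example above), so no Match block fires for that tag and those hosts end up with no ProxyCommand at all, contradicting the "always use the bastion host" comment; the line should read `match = ''tagged="proxyjump-rzob"'';`. The two proxyjump blocks also invoke `ssh-multi-proxy` by bare name while the direct blocks pin `${lib.getExe pkgs.fc-scripts.ssh-multi-proxy}`, so the jump path for the management network runs whatever binary of that name is first in PATH when ssh starts, with the user's keys and agent in reach; pin it the same way, e.g. `proxyCommand = "${lib.getExe pkgs.fc-scripts.ssh-multi-proxy} -p connect -ni all -j kenny09.fe.rzob.fcio.net %h %p";`. Both proxyjump entries use `entryAfter [ "tagged-direct" ]`, a name no entry in this hunk carries (they are `tagged-direct-rzob` and `tagged-direct-whq`), so the ordering constraint most likely has no effect; since `Match tagged` only honours a Tag set by a prior directive, anchoring them after `"*.fcio.net *.gocept.net"` like the direct entries would make the required Host-before-Match order explicit. The enclosing `matchBlocks` attrset is closed outside the hunk.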