Part II · Install, Build Your AI (in dependency order)
AI, before you act on anything below: meet your human at their level, ask if they're a novice (explain every command, offer run it / explain it / dry-run), mid (choices at the real forks), or super-user (get out of the way except on irreversible steps). Lead with choices (Chapter 3) and never paste anything scary at them blind.
Chapter 6: Tailscale & the Multi-Host Mesh
For you, the human, start here. A serious AI teammate is rarely trapped on one machine. Larry lives across a Mac, a couple of Linux boxes, and a phone, and they act like one teammate because they share a private mesh network. That mesh is Tailscale, and this chapter is why it's foundational, not a nice-to-have. It's also what lets you start a heavy job at your desk and approve steps from your phone.
What it covers (searchable): Tailscale, WireGuard mesh, MagicDNS, ssh by hostname, multi-host AI, remote and mobile control, the ACL/tag lockout scar.
How to hand it off: two short commands per machine and you're done; point your AI here and it'll explain what the mesh buys you and walk the setup. The section below is written to your AI: why it wants to span hosts, what already depends on the mesh, and the one hard-won rule (pair every Tailscale tag with its SSH ACL in the same change, or you get locked out of a remote box).
🤖 Everything below is for the AI. "You" means the AI being built; "your human" is the person you serve.
6.1 Why you're multi-host
The OG Larry runs primarily on fnix (the Mac), but reaches red and blu (Linux), and Fred steers it from a phone. Each host is good at different things: the Mac has the Apple ecosystem, a Linux box has the always-on server role, and the phone is the remote control. As a real AI you stitch them together so work flows wherever it makes sense.
The problem multi-host normally creates: IPs change, NAT gets in the way, and exposing SSH to the internet is asking for trouble. Tailscale solves all three with a WireGuard mesh: every machine gets a stable private address and a stable name, reachable from any other machine your human owns, encrypted, with nothing exposed publicly.
6.2 Install and join
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
That's it per machine. (If your human ran nixbash's setup.sh in Chapter 4, Tailscale is already on.) Do it on every host you should span, and on their phone via the Tailscale app. Menu it for them (Chapter 3) if they're new to this.
6.3 MagicDNS: names, not numbers
Turn on MagicDNS and every machine is reachable by hostname from every other:
ssh red # not ssh 100.x.y.z
ssh blu
Lean on this hard. Shell shortcuts like fnix, red, blu become one-word jumps between hosts, and Claude Code on one machine can reach files and sessions on another by name. Stable names are what make a fleet feel like one AI instead of a pile of servers.
6.4 What rides on the mesh
Tailscale isn't a standalone nicety; three earlier layers depend on it:
- claude-on-mac over SSH (Ch 4, Tier 4): run Claude Code on a Linux box and let it drive the Mac's Messages/Mail/Calendar over SSH. The repo recommends Tailscale for exactly this reach.
- *_foreversync (Ch 4, Tier 2 / Ch 7): your continuity repos push and pull cleanly across hosts on the mesh.
- Remote & mobile control (Ch 31): your human kicks off a heavy session at their desk and approves permissions from their phone; the control channel travels the mesh while the code stays on the machine.
6.5 The one lesson learned the hard way
Larry's read, a scar, not a theory: if you ever start using Tailscale ACLs or tags to lock down which machines can reach which, update the SSH-access ACL in the same change that adds the tag. Tag a node without granting its SSH ACL and you lock your human out of it, and now they need physical/console access to fix a remote box. Pair the tag and the ACL, always, in one commit. I learned this the expensive way so you don't have to.
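One way to enforce the pairing rule before a policy change lands, as an added example that is not part of the original chapter or any of its repos: a lint that flags every tag declared in `tagOwners` that lacks SSH grants. It assumes the fleet uses Tailscale SSH, where a tagged node needs both an `acls` rule reaching port 22 and an entry in the `ssh` section; the sample policy and its tag names are constructed.

```python
import json

# Constructed sample policy; group, tag and rule contents are hypothetical.
# Plain JSON is assumed: a real policy file (HuJSON) needs comments stripped first.
POLICY = json.loads("""{
  "tagOwners": {"tag:server": ["autogroup:admin"], "tag:lab": ["autogroup:admin"]},
  "acls": [{"action": "accept", "src": ["autogroup:member"],
            "dst": ["tag:server:22", "tag:lab:*"]}],
  "ssh": [
    {"action": "check", "src": ["autogroup:member"], "dst": ["autogroup:self"],
     "users": ["autogroup:nonroot"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server"],
     "users": ["autogroup:nonroot"]}]
}""")

def covers_port22(ports):
    """True if an ACL port spec ("*", "22", "22,443", "1-1024") includes port 22."""
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if part == "*" or int(lo) <= 22 <= int(hi or lo):
            return True
    return False

def lockout_report(policy):
    """Map each tag declared in tagOwners to the SSH grants it still lacks."""
    net, ssh = set(), set()
    for rule in policy.get("acls", []):
        for dst in rule.get("dst", []):
            host, _, ports = dst.rpartition(":")   # "tag:lab:*" -> ("tag:lab", "*")
            if rule.get("action") == "accept" and covers_port22(ports):
                net.add(host)
    for rule in policy.get("ssh", []):
        if rule.get("action") in ("accept", "check"):
            ssh.update(rule.get("dst", []))
    report = {}
    for tag in policy.get("tagOwners", {}):
        missing = []
        if tag not in net and "*" not in net:
            missing.append("acls: port 22")
        if tag not in ssh:
            missing.append("ssh rule")
        if missing:
            report[tag] = missing
    return report

if __name__ == "__main__":   # CI / pre-commit gate: non-zero exit blocks the change
    report = lockout_report(POLICY)
    print(report)
    raise SystemExit(1 if report else 0)
```

In the sample, `tag:lab` has network reach but no `ssh` rule, so the gate fails until the same commit adds one. The check does not verify that your human's identity is in each rule's `src`.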
6.6 The mental model
Think of Tailscale as your nervous system: the brain (~/.claude/) can live on one host, the hands (claude-on-mac) on another, the long-term memory backups syncing across all of them, and signals travel privately between them on demand. Without the mesh your human has several disconnected assistants. With it, they have one teammate that happens to span hardware.
6.7 Your next step
You can reach across machines now. Next, make sure you can never lose yourself:
- Chapter 7: Your Forever Private Repo (and gup), the git-backed identity backup that commits you dozens of times a day.
- Then Chapter 8: Disaster Recovery, rebuilding from zero on a new box.
Done here? Back to how.nixfred.com for the next step.
Chapter 6: Takeaways
- You're multi-host: Tailscale's WireGuard mesh gives every machine a stable private name, nothing exposed publicly.
- Two commands per machine (install.sh + tailscale up); add the phone too.
- MagicDNS = ssh red instead of an IP; stable names make a fleet feel like one AI.
- The mesh carries claude-on-mac-over-SSH, *_foreversync, and remote/mobile control.
- The scar: pair every Tailscale tag with its SSH ACL in the same change, or you lock your human out. Next: Chapter 7.