Self-hosted · open architecture

Give your team GPUs.
Not headaches.

nexum turns your pile of servers (bare-metal or Proxmox) into one tidy, self-service compute platform. Invite people, set quotas, hand out access, and stop babysitting SSH keys by hand. No public IPs, no shared root passwords, no spreadsheet titled "who has the good GPU".

nexum request flow U U U nexum quotas · auth · tunnel GPU node bare-metal GPU node Proxmox GPU node bare-metal
How it works

Four steps, no networking knowledge required.

An admin sets the rules once. From then on, access is self-service, and always revocable.

01

Invite

Admin invites a person by email. They set a password and upload an SSH key, that's the only credential that ever matters.

02

Assign

Admin picks an Environment (a policy: GPU isolation mode, quotas, expiry) and hands it out, to one node or dynamically across a pool.

03

Connect

nexum generates a ready-to-use SSH config or a NetBird peer key. No public IP on the node, no manual firewall rules.

04

Enforce

The agent on each node applies the policy in real time, cgroups, MIG partitions, or full container isolation, and revokes instantly on expiry.

Why nexum

Built for labs, startups, and teams sharing real hardware.

Everything you'd otherwise stitch together yourself, user management, GPU isolation, tunneling, in one small, self-hosted binary + dashboard.

Four GPU isolation modes

From soft visibility limits to hardware-level NVIDIA MIG partitions or full per-session containers, pick the trust level per Environment.

No public exposure

Nodes stay off the internet. SSH ProxyJump or a NetBird mesh does the tunneling, pluggable, swap providers per Environment.

Invite-only by default

Admin approves every account. Access to compute is always mapped to a real, revocable identity, no shared logins.

Dynamic or fixed quotas

Assign a GPU pool and let nexum pick the free node, or pin someone to specific hardware, CPU/RAM always travel with the GPU.

Proxmox-aware

Talks directly to the Proxmox VE API, spin up per-user VMs/LXCs with GPU passthrough, or manage bare-metal SSH access, side by side.

mTLS end to end

An internal CA issues every agent its own certificate. Every heartbeat and policy push is mutually authenticated, no shared secrets.

soft

Soft visibility limits

Sets CUDA_VISIBLE_DEVICES per session. Fast to set up, best for trusted lab environments.

cgroup

Cgroup enforcement

Hard CPU/RAM limits via cgroup v2, plus GPU masking at the login session, blocks accidental overreach.

NVIDIA MIG partitions

Real hardware isolation: the GPU is split into independent instances at the silicon level.

Per-session containers

The full session runs inside Docker with GPU passthrough, isolated CPU, RAM, and filesystem too.

Architecture

One control plane. Any number of nodes.

A Python control plane holds the dashboard and policy; a tiny Go agent runs on each node and only calls home, nothing needs to be reachable from outside.

nexum architecture Control plane FastAPI · PostgreSQL · gRPC Dashboard Internal CA Tunnel providers: SSH · NetBird mTLS heartbeat nexum-agent bare-metal node nexum-agent Proxmox host nexum-agent bare-metal node GPU VM/LXC GPU
Quickstart

From zero to first GPU access in three commands.

Everything below runs on your own server. No account with us, no data leaving your infrastructure.

# download the latest release and start the stack
wget https://github.com/cikubo/nexum/releases/latest/download/nexum-release.tar.gz
tar xzf nexum-release.tar.gz && cd nexum
cp docker/.env.example docker/.env  # set DB password, JWT secret, SMTP
docker compose -f docker/docker-compose.yml up -d
# visit your domain, nexum detects there's no admin yet
# and shows a setup wizard to create the first account
open https://your-nexum-host/
# dashboard → Nodes → + Add node → copy the generated command, run it on the node
curl -fsSL https://your-nexum-host/install-agent.sh | sudo bash -s -- \
  --node-id 3afc8d3b-... --token h4nQWZ6WhM... \
  --control-plane https://your-nexum-host

Run your own instance.

Self-hosted via Docker Compose. Download the latest release, no source access needed.

wget https://nexum.cikubo.it/downloads/nexum-release.tar.gz
tar xzf nexum-release.tar.gz && cd nexum && docker compose -f docker/docker-compose.yml up -d

Download latest release ↓