nexum turns a pile of servers — bare-metal or Proxmox — into one clean, self-service compute platform. Invite people, set quotas, hand out access. No public IPs, no shared root passwords, no spreadsheet of who has what.
An admin sets the rules once. From then on, access is self-service — and always revocable.
Admin invites a person by email. They set a password and upload an SSH key — that's the only credential that ever matters.
Admin picks an Environment (a policy: GPU isolation mode, quotas, expiry) and hands it out — to one node or dynamically across a pool.
nexum generates a ready-to-use SSH config or a NetBird peer key. No public IP on the node, no manual firewall rules.
The agent on each node applies the policy in real time — cgroups, MIG partitions, or full container isolation — and revokes instantly on expiry.
Everything you'd otherwise stitch together yourself — user management, GPU isolation, tunneling — in one small, self-hosted binary + dashboard.
From soft visibility limits to hardware-level NVIDIA MIG partitions or full per-session containers — pick the trust level per Environment.
Nodes stay off the internet. SSH ProxyJump or a NetBird mesh does the tunneling — pluggable, swap providers per Environment.
Admin approves every account. Access to compute is always mapped to a real, revocable identity — no shared logins.
Assign a GPU pool and let nexum pick the free node, or pin someone to specific hardware — CPU/RAM always travel with the GPU.
Talks directly to the Proxmox VE API — spin up per-user VMs/LXCs with GPU passthrough, or manage bare-metal SSH access, side by side.
An internal CA issues every agent its own certificate. Every heartbeat and policy push is mutually authenticated — no shared secrets.
Sets CUDA_VISIBLE_DEVICES per session. Fast to set up, best for trusted lab environments.
Hard CPU/RAM limits via cgroup v2, plus GPU masking at the login session — blocks accidental overreach.
Real hardware isolation: the GPU is split into independent instances at the silicon level.
The full session runs inside Docker with GPU passthrough — isolated CPU, RAM, and filesystem too.
A Python control plane holds the dashboard and policy; a tiny Go agent runs on each node and only calls home — nothing needs to be reachable from outside.
Everything below runs on your own server. No account with us, no data leaving your infrastructure.
# download the latest release and start the stack wget https://github.com/cikubo/nexum/releases/latest/download/nexum-release.tar.gz tar xzf nexum-release.tar.gz && cd nexum cp docker/.env.example docker/.env # set DB password, JWT secret, SMTP docker compose -f docker/docker-compose.yml up -d
# the first admin is created once, from inside the backend container docker compose exec backend python -c " from nexum_control_plane.db import SessionLocal from nexum_control_plane.models.user import User from nexum_control_plane.models.enums import UserRole, UserStatus from nexum_control_plane.security.passwords import hash_password db = SessionLocal() db.add(User(email='admin@yourdomain.com', role=UserRole.admin, status=UserStatus.active, password_hash=hash_password('change-me'), first_name='Admin', last_name='Nexum', email_verified=True)) db.commit()"
# dashboard → Nodes → + Add node → copy the generated command, run it on the node curl -fsSL https://your-nexum-host/install-agent.sh | sudo bash -s -- \ --node-id 3afc8d3b-... --token h4nQWZ6WhM... \ --control-plane https://your-nexum-host
Self-hosted via Docker Compose. Download the latest release — no source access needed.