Self-hosted · open architecture

Give your team GPUs.
Not headaches.

nexum turns a pile of servers — bare-metal or Proxmox — into one clean, self-service compute platform. Invite people, set quotas, hand out access. No public IPs, no shared root passwords, no spreadsheet of who has what.

nexum request flow U U U nexum quotas · auth · tunnel GPU node bare-metal GPU node Proxmox GPU node bare-metal
How it works

Four steps, no networking knowledge required.

An admin sets the rules once. From then on, access is self-service — and always revocable.

01

Invite

Admin invites a person by email. They set a password and upload an SSH key — that's the only credential that ever matters.

02

Assign

Admin picks an Environment (a policy: GPU isolation mode, quotas, expiry) and hands it out — to one node or dynamically across a pool.

03

Connect

nexum generates a ready-to-use SSH config or a NetBird peer key. No public IP on the node, no manual firewall rules.

04

Enforce

The agent on each node applies the policy in real time — cgroups, MIG partitions, or full container isolation — and revokes instantly on expiry.

Why nexum

Built for labs, startups, and teams sharing real hardware.

Everything you'd otherwise stitch together yourself — user management, GPU isolation, tunneling — in one small, self-hosted binary + dashboard.

Four GPU isolation modes

From soft visibility limits to hardware-level NVIDIA MIG partitions or full per-session containers — pick the trust level per Environment.

No public exposure

Nodes stay off the internet. SSH ProxyJump or a NetBird mesh does the tunneling — pluggable, swap providers per Environment.

Invite-only by default

Admin approves every account. Access to compute is always mapped to a real, revocable identity — no shared logins.

Dynamic or fixed quotas

Assign a GPU pool and let nexum pick the free node, or pin someone to specific hardware — CPU/RAM always travel with the GPU.

Proxmox-aware

Talks directly to the Proxmox VE API — spin up per-user VMs/LXCs with GPU passthrough, or manage bare-metal SSH access, side by side.

mTLS end to end

An internal CA issues every agent its own certificate. Every heartbeat and policy push is mutually authenticated — no shared secrets.

soft

Soft visibility limits

Sets CUDA_VISIBLE_DEVICES per session. Fast to set up, best for trusted lab environments.

cgroup

Cgroup enforcement

Hard CPU/RAM limits via cgroup v2, plus GPU masking at the login session — blocks accidental overreach.

NVIDIA MIG partitions

Real hardware isolation: the GPU is split into independent instances at the silicon level.

Per-session containers

The full session runs inside Docker with GPU passthrough — isolated CPU, RAM, and filesystem too.

Architecture

One control plane. Any number of nodes.

A Python control plane holds the dashboard and policy; a tiny Go agent runs on each node and only calls home — nothing needs to be reachable from outside.

nexum architecture Control plane FastAPI · PostgreSQL · gRPC Dashboard Internal CA Tunnel providers: SSH · NetBird mTLS heartbeat nexum-agent bare-metal node nexum-agent Proxmox host nexum-agent bare-metal node GPU VM/LXC GPU
Quickstart

From zero to first GPU access in three commands.

Everything below runs on your own server. No account with us, no data leaving your infrastructure.

# download the latest release and start the stack
wget https://github.com/cikubo/nexum/releases/latest/download/nexum-release.tar.gz
tar xzf nexum-release.tar.gz && cd nexum
cp docker/.env.example docker/.env  # set DB password, JWT secret, SMTP
docker compose -f docker/docker-compose.yml up -d
# visit your domain — nexum detects there's no admin yet
# and shows a setup wizard to create the first account
open https://your-nexum-host/
# dashboard → Nodes → + Add node → copy the generated command, run it on the node
curl -fsSL https://your-nexum-host/install-agent.sh | sudo bash -s -- \
  --node-id 3afc8d3b-... --token h4nQWZ6WhM... \
  --control-plane https://your-nexum-host

Run your own instance.

Self-hosted via Docker Compose. Download the latest release — no source access needed.

wget https://nexum.cikubo.it/downloads/nexum-release.tar.gz
tar xzf nexum-release.tar.gz && cd nexum && docker compose -f docker/docker-compose.yml up -d

Download latest release ↓