Architecture
MZPanel has three core pieces: the control plane (cloud), the agent (on the customer VPS), and the mz CLI (the execution engine on the VPS).
Connection model — agent dial-out
The agent dials outbound to wss://ws.mzpanel.com:443. The customer VPS opens
no inbound ports, needs no domain, and is unaffected by NAT. Each VPS holds one
persistent WebSocket carrying:
- A heartbeat every 30s
- Status/metrics push (CPU, RAM, disk, site count)
- Commands from the web → exec → stdout/stderr streamed back
- Events pushed up (backup done, SSL renewed, …)
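The "commands from the web → exec" step is where the agent's trust boundary sits, so here is one way an agent could validate a command frame and exec the CLI without a shell. This is an added example, not MZPanel's own code: the JSON frame shape (`type`, `id`, `sub`, `args`), the subcommand names, and the function names are assumptions made for illustration.

```python
import json
import re
import subprocess
import threading

# Placeholder subcommand names (assumed); replace with the real mz subcommands.
ALLOWED_SUBCOMMANDS = {"site-list", "backup-run"}
SAFE_ARG = re.compile(r"[A-Za-z0-9._:/@=-]{1,128}")


def build_argv(raw_frame, binary="mz", allowed=ALLOWED_SUBCOMMANDS):
    """Validate one command frame (assumed JSON shape) and return an argv list."""
    frame = json.loads(raw_frame)  # malformed JSON raises ValueError
    if not isinstance(frame, dict) or frame.get("type") != "command":
        raise ValueError("not a command frame")
    sub, args = frame.get("sub"), frame.get("args", [])
    if not isinstance(sub, str) or sub not in allowed:
        raise ValueError("subcommand not allowlisted")
    if not isinstance(args, list):
        raise ValueError("args must be a list")
    for arg in args:
        # Reject non-strings, option injection ("-x") and unexpected characters.
        if not isinstance(arg, str) or arg.startswith("-") or not SAFE_ARG.fullmatch(arg):
            raise ValueError(f"rejected argument: {arg!r}")
    return [binary, sub, *args]


def run_and_stream(cmd_id, argv, send, timeout=60):
    """Exec argv without a shell; pass stdout/stderr lines to send() as frames."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, text=True)

    def pump(pipe, name):
        for line in pipe:
            send({"id": cmd_id, "stream": name, "data": line})

    pumps = [threading.Thread(target=pump, args=(proc.stdout, "stdout")),
             threading.Thread(target=pump, args=(proc.stderr, "stderr"))]
    for t in pumps:
        t.start()
    try:
        code = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()  # a hung command must not pin the agent
        code = proc.wait()
    for t in pumps:
        t.join()
    send({"id": cmd_id, "exit": code})
    return code
```

In a real agent, `send` would write each frame to the WebSocket; the final `exit` frame lets the control plane close out the audit-log entry for that command.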
[web] app.mzpanel.com ──► api.mzpanel.com ──ws──► agent ──► mz CLI ──► VPS
                               ▲                    │
                               └────── stream ◄──────┘
Source of truth
- On the customer VPS: /etc/mz/*.conf is the CLI’s registry. MZPanel reads and writes through mz; it does not keep its own state on the VPS.
- On the control plane: Postgres stores users, orgs, servers (metadata + last-seen), licenses, and the audit log. It does not mirror full VPS state.
Why the public site is separate from the dashboard
This public site (mzpanel.com) is a static Astro build for fast loads, good
SEO, and AI/MCP-readable content. The dashboard (app.mzpanel.com) is a separate
SPA. See /llms.txt for the machine-readable docs map.