Expand rubix-deploy README for Debian 13, profiles, and tenancy

- Note install flow is tested on Debian 13 (Trixie) in VPS setup steps
- Document COMPOSE_PROFILES default and optional metabase/mailcow stacks
- Explain Metabase auto sign-in and group-scoped analytics
- Add multi-company layout: shared server via work groups vs one VPS per tenant

README.md

@@ -1,12 +1,14 @@
 # rubix-deploy
 
-New Rubix server — full install flow.
+New Rubix server — full install flow. **Tested on Debian 13.**
 
 **Repository:** https://gitea.dialer.work/swissdatabase/rubix-deploy  
 App releases: https://gitea.dialer.work/swissdatabase/rubix/releases
 
 ## 0) SSH on a new VPS (from your PC)
 
+Tested on **Debian 13** (Trixie).
+
 ```bash
 wget -O bootstrap-vps-ssh.sh https://gitea.dialer.work/swissdatabase/rubix-deploy/raw/branch/main/bootstrap-vps-ssh.sh
 ```
@@ -25,6 +27,8 @@ ssh <your-host-alias>
 
 ## 1) Download Rubix (on the VPS)
 
+Debian 13 VPS (see step 0).
+
 ```bash
 wget -O install-rubix.sh https://gitea.dialer.work/swissdatabase/rubix-deploy/raw/branch/main/install-rubix.sh
 ```
@@ -64,6 +68,33 @@ nano .env
 
 Set at least: `GITEA_REGISTRY_PULL_TOKEN` (same token as step 1), `GITEA_REGISTRY_PULL_USER`, `MYSQL_ROOT_PASSWORD`, DB users/passwords, `COMPOSE_PROFILES`, domains, `RUBIX_STORAGE_ROOT`.
 
+**`COMPOSE_PROFILES`** — comma-separated list of Docker stacks that `sudo ./up.sh` installs and keeps running. Default:
+
+```env
+COMPOSE_PROFILES=cms,mysql,phpmyadmin,asterisk
+```
+
+| Profile | Container role |
+|---------|----------------|
+| `cms` | Rubix call center web app (Apache/PHP) |
+| `mysql` | Percona/MySQL database |
+| `phpmyadmin` | DB admin UI (`db.*` vhost) |
+| `asterisk` | Dialer / SIP |
+
+Optional profiles (add to the same line when needed):
+
+| Profile | Container role |
+|---------|----------------|
+| `metabase` | Enhanced analytics at `/callcenter/admin/analytics` — while logged into Rubix, opening analytics in a new tab signs you into Metabase automatically (no second login). Dashboards respect work groups and permissions so each group admin sees only their data |
+| `mailcow` | Full mail server stack (Mailcow); set `MAILCOW_HOSTNAME` and `mail.*` DNS |
+
+Examples:
+
+```env
+COMPOSE_PROFILES=cms,mysql,phpmyadmin,asterisk,metabase
+COMPOSE_PROFILES=cms,mysql,phpmyadmin,asterisk,metabase,mailcow
+```
+
 Start:
 
 ```bash
@@ -173,3 +204,19 @@ cd /home/www/callcenter/deploy
 # or
 cd /home/www/callcenter/deploy/docker && sudo ./up.sh   # panel “Trigger reload”
 ```
+
+## Multi-company / multi-branch layout
+
+Rubix is built around **work groups** so you can separate companies, branches, or teams on one platform.
+
+**One server, several tenants** — run a single Rubix stack and assign users, campaigns, permissions, and data to different groups. Each group admin and their agents see only what their group is allowed to access.
+
+**One server per tenant** — install a full Rubix stack on a separate VPS for each company or branch when you want hard isolation (own database, domains, and ops).
+
+Choose based on scale, compliance, and how much sharing you want on the same host.
+
+### Metabase analytics and groups
+
+With the `metabase` profile enabled, analytics at `/callcenter/admin/analytics` is tied to the same Rubix session (auto sign-in when you open it from Rubix).
+
+Metabase questions and SQL are adjusted so results respect **allowed work groups**: a group admin sees dashboards and query output for their groups only, not the whole server. Superadmins retain broader visibility according to Rubix permissions.