Clarify README scope and Terraform role; explain the boma name

Broaden the intro beyond Ansible (Terraform + Ansible), state the
infrastructure-not-personal-devices scope, and explain the Swahili name.
Also replace the stale .vault_pass quick-start step with 'rbw unlock'.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

README.md

@@ -1,7 +1,19 @@
-# Ansible homelab
+# boma
 
-Infrastructure automation for a Proxmox-based homelab running primarily Debian 13 VMs
-with Docker services. Stable, secure, and fully managed via Ansible.
+Infrastructure-as-code for a self-hosted homelab: a Proxmox cluster of Debian 13 VMs
+running Docker services, provisioned with **Terraform** and configured with
+**Ansible**. Stable, secure, reproducible, and fully version-controlled.
+
+**Scope** — this repo manages *infrastructure*: the cluster's VMs, their hardened
+base OS, and the containerised services they run. It does **not** manage personal
+machines (laptops, desktops, phones). Terraform owns VM existence; Ansible owns
+everything inside a VM. See `STATUS.md` for what's built vs planned and
+`docs/decisions/` for the design rationale.
+
+**The name** — *boma* is Swahili for a fortified homestead enclosure (a stockade
+guarding what's within) — fitting for a hardened, self-contained home setup. It
+keeps company with the project's other Swahili names: `askari` (the external
+sentinel) and `nyumbani` ("home").
 
 ## Quick start (control node)
 
@@ -13,9 +25,9 @@ cd ~/ansible
 make setup
 make collections
 
-# Place vault password (obtain via secure channel)
-echo "your-vault-password" > .vault_pass
-chmod 600 .vault_pass
+# Unlock the vault password from Vaultwarden via rbw
+# (one-time rbw setup: docs/runbooks/rotate-secrets.md)
+rbw unlock
 
 # Verify setup
 make lint