diff --git a/TODO.text b/TODO.text
index 750aad6..c12b2aa 100644
--- a/TODO.text
+++ b/TODO.text
@@ -1,2 +1,4 @@
- OAuth2 -> support refresh tokens
- Localize all the things
+- Setup wizard
+- Logins as jobs
\ No newline at end of file
diff --git a/a.out b/a.out
deleted file mode 100644
index e69de29..0000000
diff --git a/app/controllers/api/v1/Auth.controller.js b/app/controllers/api/v1/Auth.controller.js
index c31eead..418b955 100644
--- a/app/controllers/api/v1/Auth.controller.js
+++ b/app/controllers/api/v1/Auth.controller.js
@@ -76,7 +76,20 @@ class AuthController extends Controller {
trap: 'password_reset', // Force user to reset password
})
- user.promote('base_user')
+ const Setting = this.models.get('Setting')
+ try {
+ const default_roles = await Setting.get('auth.default_roles')
+ if ( Array.isArray(default_roles) ) {
+ for ( const role of default_roles ) user.promote(role)
+ }
+ } catch (e) {
+ this.output.error('Unable to read default roles to promote registered user: ')
+ this.output.error(e)
+ }
+
+ // If this is the first user, make them root
+ if ( !(await User.findOne()) ) user.promote('root')
+
await user.save()
// Log in the user automatically
diff --git a/config/auth.config.js b/config/auth.config.js
index 2c28b82..e451063 100644
--- a/config/auth.config.js
+++ b/config/auth.config.js
@@ -192,6 +192,8 @@ const auth_config = {
'v1:password',
],
+ root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],
+
},
}
diff --git a/example.env b/example.env
index 6cc61d7..ffa1726 100644
--- a/example.env
+++ b/example.env
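Review bot: The first-user root promotion at `if ( !(await User.findOne()) ) user.promote('root')` is a check-then-act against a shared collection: two registrations that run concurrently before either reaches `await user.save()` both observe no user and both come out as root, and since the query has no filter, presumably the same happens to the next registrant whenever every existing user record has been removed. Deciding the bootstrap at the persistence layer (an atomic "first user" claim, or a one-time setup step — the TODO in this commit mentions a setup wizard) removes the race, and the promotion should at least be logged so an unexpected root grant is visible in the output. The `catch` of the default-roles block also lets registration continue with a user that holds no role at all when `Setting.get` throws, which may be intended but deserves a comment such as `// Registration still succeeds without default roles; roles must then be assigned manually`. The enclosing registration method starts and ends outside the hunk.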
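Review bot: The new `root` entry lists bare namespaces (`'v1'`, `'iam'`, …) while the context line above uses the scoped form `'v1:password'`; if a bare name matches every permission under that namespace, as seems intended, that convention and the fact that this role is auto-granted to the first registered user by the Auth.controller.js change in this commit should be stated on the line, e.g. `// root: full access to every permission namespace; granted automatically to the first registered user`. The enclosing `auth_config` object starts and ends outside the hunk.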
@@ -1,26 +1,35 @@
-APP_NAME=Flitter
+APP_NAME="Starship CoreID"
APP_URL=http://localhost:8000/
SERVER_PORT=8000
-LOGGING_LEVEL=1
+LOGGING_LEVEL=2
+LOGGING_TIMESTAMP=false
DATABASE_HOST=127.0.0.1
DATABASE_PORT=27017
-DATABASE_NAME=flitter
+DATABASE_NAME=starship_coreid
DATABASE_AUTH=false
-SECRET=changeme
+SECRET="Replace this with something randomly generated!"
ENVIRONMENT=production
SSL_ENABLE=false
-SSL_CERT_FILE=cert.pem
-SSL_CERT_KEY=cert.key
+SSL_CERT_FILE=cert.crt
+SSL_KEY_FILE=cert.key
+
+LDAP_SERVER_PORT=389
+
+# Every LDAP DN is suffixed with this automatically
+LDAP_BASE_DC="dc=coreid,dc=local"
+
+SAML_CERT_FILE="/path/to/x509/public.pem"
+SAML_KEY_FILE="/path/to/x509/private.pem"
REDIS_HOST=localhost
REDIS_PORT=6379
-SMTP_HOST="mail.mydomain.com"
+SMTP_HOST="localhost"
SMTP_PORT="587"
-SMTP_USER="coreid@mydomain.com"
-SMTP_DEFAULT_SENDER="coreid@mydomain.com"
-SMTP_PASS="supersecretpassword"
+SMTP_USER="coreid@localhost.localdomain"
+SMTP_DEFAULT_SENDER="coreid@localhost.localdomain"
+SMTP_PASS="something super secure"
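Review bot: `SSL_CERT_KEY` is renamed to `SSL_KEY_FILE` here, but no hunk in this diff touches the config that reads it; if the reader still uses the old name, a deployment built from this example would silently start without its key, so verify the consumer was updated. The `SECRET` placeholder is a literal string that works as a secret if copied unchanged, the same weakness the old `changeme` had; a startup check that refuses the placeholder value would catch it. Marking the intent on the line, `# Generate with a CSPRNG; never deploy with this placeholder`, makes the expectation explicit for whoever copies this file.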