diff --git a/README.md b/README.md
index e6f5f87ef90dd706b16403548f8bcc863ab8760d..21aac4174258d86ec1f1670540cb7180677e4f37 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,29 @@ configuration management system that `minicl` uses (or something else
 entirely, if you so prefer).
 
 
+## Features
+
+The base system offers a number of boring but useful features which
+were deemed necessary for the basic operation of a distributed
+service:
+
+* it offers a configuration management system to manage your services.
+  This is *Slack*, a simple and effective solution with a very low
+  barrier to entry (it's basically a glorified rsync, with pre- and
+  post-install scripts);
+
+* firewall autoconfiguration to allow simple IP-based network ACLs
+  based on your cluster config;
+
+* centralized control of users and credentials;
+
+* basic monitoring infrastructure.
+
+It is expected that the cluster will use a DNS domain that you
+control. One entry per host will need to be created under that domain,
+plus an additional entry for the special `monitor` host.
+
+
 ## Usage
 
 `minicl` uses a centralized git repository to distribute the cluster
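Review bot: the closing paragraph of the new Features section (the DNS domain and per-host entries) describes a prerequisite rather than a feature, and it does not say what kind of record is expected or what the `monitor` entry should point to. Suggest moving it into Usage or under its own requirements heading, and stating the record type and target. The first bullet is also a full sentence ("it offers ...") while the other three are noun phrases; making them parallel would read better.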
@@ -117,6 +140,37 @@ The following top-level attributes are understood:
   * `roles`: Slack roles assigned to this host. The list should contain
     the `base` role.
 
+Here is an example of a valid, two-host cluster configuration:
+
+    {
+        "domain": "example.com",
+        "admin_email": "cluster-alerts@example.com",
+        "users": {
+            "foo": {
+                "uid": 1001,
+                "passwd": "$6$NSl9Lz3f$...",
+                "ssh_key": "ssh-rsa AAAAB3Nz..."
+            }
+        },
+        "hosts": {
+            "host1": {
+                "ip": "1.2.3.4",
+            },
+            "host2": {
+                "ip": "2.3.4.5",
+            }
+        },
+        "smtp": {
+            "relay": "smtp-relay.example.com",
+            "username": "clustersmtp",
+            "password": "..."
+        }
+    }
+
+This defines two hosts (*host1* and *host2*), and a user named *foo*
+with administrative access to all machines.
+
+
 ### Deploy key
 
 Since the primary configuration repository is supposed to be protected
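Review bot: the example introduced as "valid" has a trailing comma after each `"ip"` value in the `hosts` block (`"ip": "1.2.3.4",` directly before the closing brace), which a strict JSON parser rejects if that is how the file is read; drop both commas so the sample can be copied as is. Neither host carries a `roles` list, although the context just above says the list should contain the `base` role, so either add `"roles": ["base"]` to both hosts or say that it is defaulted. The closing sentence states that *foo* has administrative access to all machines, but nothing in the user entry shows what grants it; a short clause explaining that would help. The sample addresses 1.2.3.4 and 2.3.4.5 are routable; addresses from the documentation range 192.0.2.0/24 would be a safer choice for a README.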
@@ -158,7 +212,7 @@ Once you have those, here's the one-liner for those who like to live
 dangerously (to be run as the `root` user):
 
     $ wget --no-check-certificate -O- \
-        https://git.autistici.org/ale/minicl/install.sh | sh \
+        https://git.autistici.org/ale/minicl/raw/master/install.sh | sh \
         && minicl-bootstrap --repo=$REPO
 
 The first command will set up the `minicl` software suite, while the
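Review bot: the corrected URL now tracks `raw/master`, and the documented command still passes `--no-check-certificate` and pipes the download into `sh` as root, so whatever that branch serves at fetch time, over a connection whose certificate is not verified, runs with full privileges. Suggest pointing the command at a tag or commit instead of `master`, and documenting it as separate steps: install the CA certificate, download with certificate checking on, inspect or checksum the script, then run it.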
diff --git a/install.sh b/install.sh
index 457529ad80cda58b908db01346bfcf023b38aa4c..0207f82947c92d597037bde4252337049f7a9fc9 100755
--- a/install.sh
+++ b/install.sh
@@ -6,6 +6,11 @@
 repo_url=https://git.autistici.org/ale/minicl.git
 ca_url=http://www.autistici.org/static/certs/ca.crt
 
+if [ `whoami` != root ]; then
+  echo "This script should be run as root!" >&2
+  exit 1
+fi
+
 set -e
 
 if [ ! -e /usr/local/share/ca-certificates/autistici.org.crt ]; then
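Review bot: the new root check leaves the `whoami` substitution unquoted inside `[ ... ]`, so if `whoami` prints nothing the test becomes `[ != root ]`, errors out with a non-zero status, and the `if` body is skipped: the check fails open and the script continues as a non-root user. Suggest comparing the numeric uid with a quoted substitution, for example `if [ "$(id -u)" -ne 0 ]; then`, which also does not depend on the account being named `root`. Separately, the `ca_url` context line above this hunk is a plain `http://` URL; if that is the file installed as `/usr/local/share/ca-certificates/autistici.org.crt`, the trust anchor is fetched without integrity protection, and a pinned fingerprint check in the script would close that gap.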