From af2799170ce208ed2a55ae490d42dfb86af95639 Mon Sep 17 00:00:00 2001
From: Pieter <pieter@kolabnow.com>
Date: Thu, 15 Jan 2026 11:27:43 +0100
Subject: [PATCH] fix: Change enrollment flow to invitation-only (not public)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Set continue_flow_without_invitation: false
- Enrollment now requires a valid invitation token
- Users cannot self-register without an invitation
- Renamed metadata to reflect invitation-only nature

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 ansible/roles/authentik/files/enrollment-flow.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/authentik/files/enrollment-flow.yaml b/ansible/roles/authentik/files/enrollment-flow.yaml
index 6e6e2c8..c865741 100644
--- a/ansible/roles/authentik/files/enrollment-flow.yaml
+++ b/ansible/roles/authentik/files/enrollment-flow.yaml
@@ -1,8 +1,8 @@
 version: 1
 metadata:
-  name: public-enrollment-flow
+  name: invitation-enrollment-flow
   labels:
-    blueprints.goauthentik.io/description: "Public enrollment flow with invitation support"
+    blueprints.goauthentik.io/description: "Invitation-only enrollment flow"
     blueprints.goauthentik.io/instantiate: "true"
 
 entries:
@@ -20,7 +20,7 @@ entries:
 
   # 2. CREATE INVITATION STAGE
   - attrs:
-      continue_flow_without_invitation: true
+      continue_flow_without_invitation: false
     identifiers:
       name: default-enrollment-invitation
     id: invitation-stage