diff --git a/ansible/adhoc/lock_unlock_instances.yml b/ansible/adhoc/lock_unlock_instances.yml
new file mode 100644
index 000000000..db9464cae
--- /dev/null
+++ b/ansible/adhoc/lock_unlock_instances.yml
@@ -0,0 +1,11 @@
+---
+
+- hosts: "{{ target_hosts | default('all') }}"
+  gather_facts: no
+  become: no
+  tasks:
+    - name: Lock/Unlock instances
+      openstack.cloud.server_action:
+        action: "{{ server_action | default('lock') }}"
+        server: "{{ inventory_hostname }}"
+      delegate_to: localhost
\ No newline at end of file
diff --git a/ansible/adhoc/rebuild-via-slurm.yml b/ansible/adhoc/rebuild-via-slurm.yml
index 33cbe5cc7..fca4258a8 100644
--- a/ansible/adhoc/rebuild-via-slurm.yml
+++ b/ansible/adhoc/rebuild-via-slurm.yml
@@ -8,6 +8,12 @@
 
 # See docs/slurm-controlled-rebuild.md.
 
+- name: Unlock compute instances for rebuild
+  vars:
+    server_action: unlock
+    target_hosts: compute
+  ansible.builtin.import_playbook: lock_unlock_instances.yml
+
 - hosts: login
   run_once: true
   gather_facts: false
diff --git a/ansible/safe-env.yml b/ansible/safe-env.yml
new file mode 100644
index 000000000..8479a298b
--- /dev/null
+++ b/ansible/safe-env.yml
@@ -0,0 +1,22 @@
+---
+- hosts: localhost
+  gather_facts: no
+  become: no
+  vars:
+    protected_environments:
+      - prd
+  tasks:
+    - name: Confirm continuing if using production environment
+      ansible.builtin.pause:
+        prompt: |
+          *************************************
+          *  WARNING: PROTECTED ENVIRONMENT!  *
+          *************************************
+
+          Current environment: {{ appliances_environment_name }}
+          Do you really want to continue (yes/no)?
+      register: env_confirm_safe
+      when:
+        - appliances_environment_name in protected_environments
+        - not (prd_continue | default(false) | bool)
+      failed_when: not (env_confirm_safe.user_input | bool)
\ No newline at end of file
diff --git a/ansible/site.yml b/ansible/site.yml
index 79b71e10a..4cafa71c2 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -1,4 +1,13 @@
 ---
+
+- ansible.builtin.import_playbook: safe-env.yml
+
+- name: Lock all instances
+  vars:
+    server_action: lock
+    target_hosts: all
+  ansible.builtin.import_playbook: adhoc/lock_unlock_instances.yml
+
 - name: Run pre.yml hook
   vars:
     # hostvars not available here, so have to recalculate environment root: