diff --git a/ansible/adhoc/lock_unlock_instances.yml b/ansible/adhoc/lock_unlock_instances.yml
new file mode 100644
index 000000000..81ec547ab
--- /dev/null
+++ b/ansible/adhoc/lock_unlock_instances.yml
@@ -0,0 +1,10 @@
+---
+
+- hosts: "{{ target_hosts | default('all') }}"
+  gather_facts: no
+  become: no
+  tasks:
+    - name: Lock/Unlock instances
+      openstack.cloud.server_action:
+        action: "{{ server_action | default('lock') }}"
+        server: "{{ inventory_hostname }}"
\ No newline at end of file
diff --git a/ansible/adhoc/rebuild-via-slurm.yml b/ansible/adhoc/rebuild-via-slurm.yml
index 33cbe5cc7..bf26e0323 100644
--- a/ansible/adhoc/rebuild-via-slurm.yml
+++ b/ansible/adhoc/rebuild-via-slurm.yml
@@ -8,6 +8,16 @@
 
 # See docs/slurm-controlled-rebuild.md.
 
+- hosts: localhost
+  gather_facts: false
+  vars:
+    server_action: unlock
+    target_hosts: compute
+  tasks:
+    - name: Unlock compute instances for rebuild
+      ansible.builtin.include_playbook:
+        file: adhoc/lock_unlock_instances.yml
+
 - hosts: login
   run_once: true
   gather_facts: false
diff --git a/ansible/site.yml b/ansible/site.yml
index 79b71e10a..fa229800a 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -1,4 +1,10 @@
 ---
+- name: Lock all instances
+  vars:
+    server_action: lock
+    target_hosts: all
+  ansible.builtin.import_playbook: adhoc/lock_unlock_instances.yml
+
 - name: Run pre.yml hook
   vars:
     # hostvars not available here, so have to recalculate environment root:
diff --git a/environments/site/hooks/pre.yml b/environments/site/hooks/pre.yml
new file mode 100644
index 000000000..cc0a6c6a9
--- /dev/null
+++ b/environments/site/hooks/pre.yml
@@ -0,0 +1,23 @@
+---
+
+- hosts: localhost
+  gather_facts: no
+  become: no
+  vars:
+    protected_environments:
+      - prd
+  tasks:
+    - name: Confirm continuing if using production environment
+      ansible.builtin.pause:
+        prompt: |
+          *************************************
+          *  WARNING: PROTECTED ENVIRONMENT!  *
+          *************************************
+
+          Current environment: {{ appliances_environment_name }}
+          Do you really want to continue (yes/no)?
+      register: env_confirm_safe
+      when:
+        - appliances_environment_name in protected_environments
+        - not (prd_continue | default(false) | bool)
+      failed_when: not (env_confirm_safe.user_input | bool)
\ No newline at end of file