diff --git a/flake.nix b/flake.nix
index 9e508fa..c28dfba 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,8 +65,9 @@
       packages = [
         inputs.agenix.packages.${system}.agenix
 
-        pkgs.colmena
         pkgs.opentofu
+
+        (pkgs.callPackage ./lib/colmena-wrapper.nix { })
       ];
     };
 
diff --git a/lib/colmena-wrapper.nix b/lib/colmena-wrapper.nix
new file mode 100644
index 0000000..87c1f1d
--- /dev/null
+++ b/lib/colmena-wrapper.nix
@@ -0,0 +1,14 @@
+# A wrapper for colmena that prevents accidentally deploying changes without
+# having pulled.
+{ colmena, runCommandNoCC }:
+runCommandNoCC "colmena-wrapper"
+{
+  env.colmena = "${colmena}/bin/colmena";
+} ''
+  mkdir -p $out
+  ln -s ${colmena}/share $out/share
+  mkdir $out/bin
+
+  substituteAll ${./colmena-wrapper.sh.in} $out/bin/colmena
+  chmod +x $out/bin/colmena
+''
diff --git a/lib/colmena-wrapper.sh.in b/lib/colmena-wrapper.sh.in
new file mode 100755
index 0000000..cc25c92
--- /dev/null
+++ b/lib/colmena-wrapper.sh.in
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+doChecks() {
+    # creates refs in the refs/prefetch/remotes/origin namespace
+    echo "Prefetching repo changes..." >&2
+    git fetch --quiet --prefetch --no-write-fetch-head origin
+
+    diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
+    only_in_local=$(echo "$diffs" | cut -f1)
+    only_in_main=$(echo "$diffs" | cut -f2)
+
+    if [[ $only_in_main -gt 0 && ! -v $FOOTGUN_ME_UWU ]]; then
+        echo >&2
+        echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
+        echo "This will probably revert someone's changes. Consider merging them." >&2
+        echo "If you really mean it, set the environment variable FOOTGUN_ME_UWU" >&2
+        exit 1
+    fi
+
+    if [[ $only_in_local -gt 0 ]]; then
+        echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
+    fi
+}
+
+if [[ $1 == 'apply' ]]; then
+    doChecks
+fi
+
+exec @colmena@ "$@"