diff --git a/dom0/qubesdb-config.sls b/dom0/qubesdb-config.sls
new file mode 100644
index 00000000..1eb3b9ef
--- /dev/null
+++ b/dom0/qubesdb-config.sls
@@ -0,0 +1,5 @@
+install-template-from-qubesdb:
+  file.managed:
+    - name: /usr/local/bin/template-from-qubesdb
+    - source: "salt://template-from-qubesdb.py"
+    - mode: 755
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
index 76b34aa5..fcc56f3f 100644
--- a/dom0/sd-workstation.top
+++ b/dom0/sd-workstation.top
@@ -20,6 +20,7 @@ base:
     - sd-remove-unused-templates
 
   sd-base-bookworm-template:
+    - qubesdb-config
     - sd-base-template-files
     - sd-workstation-template-files
   sd-small-bookworm-template:
@@ -39,6 +40,7 @@ base:
     - sd-app-config
     - sd-mime-handling
   sd-whonix:
+    - qubesdb-config
     - sd-whonix-hidserv-key
   'sd-fedora-39-dvm,sys-usb':
     - match: list
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
index 5fbeb0bb..aa537453 100644
--- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
+++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -105,6 +105,7 @@ install -m 755 files/sdw-notify.py %{buildroot}/%{_bindir}/sdw-notify
 install -m 755 files/sdw-login.py %{buildroot}/%{_bindir}/sdw-login
 install -m 644 files/sdw-notify.service %{buildroot}/%{_userunitdir}/
 install -m 644 files/sdw-notify.timer %{buildroot}/%{_userunitdir}/
+install -m 755 files/template-from-qubesdb.py %{buildroot}/srv/salt/template-from-qubesdb.py
 
 install -m 755 -d %{buildroot}/etc/qubes/policy.d/
 install -m 644 files/31-securedrop-workstation.policy %{buildroot}/etc/qubes/policy.d/
@@ -129,7 +130,9 @@ install -m 755 -d %{buildroot}/opt/securedrop
 /srv/salt/securedrop-*
 /srv/salt/update-xfce-settings
 /srv/salt/fpf*
+/srv/salt/qubesdb-config.sls
 /srv/salt/press.freedom.SecureDropUpdater.desktop
+/srv/salt/template-from-qubesdb.py
 
 %attr(755, root, root) %{_bindir}/sdw-login
 %attr(755, root, root) %{_bindir}/sdw-notify