diff --git a/securedrop_salt/sd-base-template-files.sls b/securedrop_salt/sd-base-template-packages.sls
similarity index 70%
rename from securedrop_salt/sd-base-template-files.sls
rename to securedrop_salt/sd-base-template-packages.sls
index a9e72967..fdca85df 100644
--- a/securedrop_salt/sd-base-template-files.sls
+++ b/securedrop_salt/sd-base-template-packages.sls
@@ -21,3 +21,13 @@ sd-base-template-install-securedrop-packages:
       - securedrop-workstation-grsec
     - require:
       - sls: securedrop_salt.fpf-apt-repo
+
+# Ensure that paxctld starts immediately. For AppVMs,
+# use qvm.features.enabled = ["paxctld"] to ensure service start.
+sd-workstation-template-enable-paxctld:
+  service.running:
+    - name: paxctld
+    - enable: True
+    - reload: True
+    - require:
+      - pkg: sd-base-template-install-securedrop-packages
\ No newline at end of file
diff --git a/securedrop_salt/sd-workstation-template-files.sls b/securedrop_salt/sd-workstation-template-files.sls
deleted file mode 100644
index c700f3b0..00000000
--- a/securedrop_salt/sd-workstation-template-files.sls
+++ /dev/null
@@ -1,22 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
-include:
-  - securedrop_salt.fpf-apt-repo
-
-sd-workstation-template-install-kernel-config-packages:
-  pkg.installed:
-    - pkgs:
-      - securedrop-workstation-config
-      - securedrop-workstation-grsec
-    - require:
-      - sls: securedrop_salt.fpf-apt-repo
-
-# Ensure that paxctld starts immediately. For AppVMs,
-# use qvm.features.enabled = ["paxctld"] to ensure service start.
-sd-workstation-template-enable-paxctld:
-  service.running:
-    - name: paxctld
-    - enable: True
-    - reload: True
-    - require:
-      - pkg: sd-workstation-template-install-kernel-config-packages
diff --git a/securedrop_salt/sd-workstation.top b/securedrop_salt/sd-workstation.top
index 3ef12d51..10f4d689 100644
--- a/securedrop_salt/sd-workstation.top
+++ b/securedrop_salt/sd-workstation.top
@@ -20,16 +20,13 @@ base:
     - securedrop_salt.sd-remove-unused-templates
 
   sd-base-bookworm-template:
-    - securedrop_salt.sd-base-template-files
-    - securedrop_salt.sd-workstation-template-files
+    - securedrop_salt.sd-base-template-packages
   sd-small-bookworm-template:
     - securedrop_salt.sd-logging-setup
-    - securedrop_salt.sd-workstation-template-files
     - securedrop_salt.sd-app-files
     - securedrop_salt.sd-proxy-template-files
   sd-large-bookworm-template:
     - securedrop_salt.sd-logging-setup
-    - securedrop_salt.sd-workstation-template-files
     - securedrop_salt.sd-devices-files
     - securedrop_salt.sd-viewer-files
   sd-gpg: