diff --git a/puppet/zulip_ops/files/teleport_app.yaml b/puppet/zulip_ops/files/teleport_app.yaml
new file mode 100644
index 0000000000..9aa11fc71b
--- /dev/null
+++ b/puppet/zulip_ops/files/teleport_app.yaml
@@ -0,0 +1,3 @@
+app_service:
+  enabled: yes
+  apps:
diff --git a/puppet/zulip_ops/files/teleport_node.yaml b/puppet/zulip_ops/files/teleport_node.yaml
index 87955f0df3..b5df2b2dde 100644
--- a/puppet/zulip_ops/files/teleport_node.yaml
+++ b/puppet/zulip_ops/files/teleport_node.yaml
@@ -32,9 +32,3 @@ proxy_service:
   enabled: no
 auth_service:
   enabled: no
-
-# We intentionally end with `app_service` so we can append services under
-# `apps:` via puppet.
-app_service:
-  enabled: yes
-  apps:
diff --git a/puppet/zulip_ops/manifests/teleport/application.pp b/puppet/zulip_ops/manifests/teleport/application.pp
index d24f1688c1..a94328bbe9 100644
--- a/puppet/zulip_ops/manifests/teleport/application.pp
+++ b/puppet/zulip_ops/manifests/teleport/application.pp
@@ -6,6 +6,7 @@ define zulip_ops::teleport::application (
   $description = '',
   $order = '50',
 ) {
+  include zulip_ops::teleport::application_top
   concat::fragment { "teleport_app_${name}":
     target  => '/etc/teleport_node.yaml',
     order   => $order,
diff --git a/puppet/zulip_ops/manifests/teleport/application_top.pp b/puppet/zulip_ops/manifests/teleport/application_top.pp
new file mode 100644
index 0000000000..cd87908363
--- /dev/null
+++ b/puppet/zulip_ops/manifests/teleport/application_top.pp
@@ -0,0 +1,10 @@
+# @summary Enables application support on the node; include once.
+#
+# See https://goteleport.com/docs/application-access/
+class zulip_ops::teleport::application_top {
+  concat::fragment { 'teleport_app':
+    target => '/etc/teleport_node.yaml',
+    order  => '10',
+    source => 'puppet:///modules/zulip_ops/teleport_app.yaml',
+  }
+}