diff --git a/howto/puppet.md b/howto/puppet.md
index 67e1cb01baa81a06bc0e6b13f3f0776d4b3498b1..28f4b9f23e2ada1431424294197cd02711b7f4b7 100644
--- a/howto/puppet.md
+++ b/howto/puppet.md
@@ -1421,6 +1421,23 @@ this page](#proposed-solution), for details.
 
 [issue 30770]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/30770
 
+### Puppetserver gems
+
+Our Puppet Server deployment depends on two important Ruby gems: `trocla`, for
+secrets management, and `net-ldap` for LDAP data retrieval, for example via our
+`nodeinfo()` custom Puppet function.
+
+Puppet Server 7 and later rely on JRuby and an isolated Rubygems environment,
+so we can't simply install them using Debian packages. Instead, we need to
+use the `puppetserver gem` command to manually install the gems:
+
+    puppetserver gem install net-ldap trocla --no-doc
+
+Then restart `puppetserver.service`.
+
+Starting from `trixie`, the `trocla-puppetserver` package will be available to
+replace this manual deployment of the `trocla` gem.
+
 ## SLA
 
 No formal SLA is defined. Puppet runs on a fairly slow `cron` job so
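Review bot: The `puppetserver gem install net-ldap trocla --no-doc` line in the new "Puppetserver gems" section installs whatever versions are current at install time, so a rebuilt server can end up with different `trocla` and `net-ldap` code than the one it replaces. Since `trocla` handles secrets, consider pinning each gem to a known version in the documented command, or at least recording the versions currently deployed. It would also help to add a verification step before the restart (for example `puppetserver gem list`) and to spell out the restart as a command. Finally, the `trixie` paragraph only mentions `trocla-puppetserver` replacing the `trocla` gem; it would be clearer to say explicitly whether `net-ldap` still needs the manual install after that.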