diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
index 7bc68bf5..3f553ef1 100644
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -56,3 +56,22 @@ jobs: steps: - uses: actions/checkout@v4 - run: nix build .#checks.x86_64-linux.deployment-panel -L + + ## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check + ## proxies for resources, namely whether their `.#vmOptions.` and + ## `.#nixosConfigurations.` outputs evaluate and build correctly, and + ## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch + ## everything, and in particular not issues in how NixOps4 wires up the + ## resources, but that is still something. + check-resources: + runs-on: native + steps: + - uses: actions/checkout@v4 + - run: | + set -euC + machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)') + for machine in $machines; do + echo ==================== [ $machine ] ==================== + nix eval .#vmOptions.$machine + nix build .#nixosConfigurations.$machine.config.system.build.toplevel + done
diff --git a/infra/common/proxmox-qemu-vm.nix b/infra/common/proxmox-qemu-vm.nix
index 9176d0eb..6b4970b3 100644
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@@ -1,10 +1,14 @@ -{ sources, ... }: +{ ... }: + { _class = "nixos"; - imports = [ - "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix" - ]; + ## FIXME: It would be nice, but the following leads to infinite recursion + ## in the way we currently plug `sources` in. + ## + # imports = [ + # "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix" + # ]; boot = { initrd = {
diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index 26b57c29..d50103da 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -2,7 +2,6 @@ inputs, lib, config, - sources, keys, secrets, ... 
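Review bot: The machine list in `check-resources` is read with `nix eval --impure ... getFlake (toString ./.)`, which switches off pure evaluation for that call although the job only needs attribute names. The same list can be obtained without `--impure`, e.g. `machines=$(nix eval --raw .#nixosConfigurations --apply 'cfgs: toString (builtins.attrNames cfgs)')`. The NOTE above the job also says the check dry-runs `infra/proxmox-*.sh`, but no step in this hunk does so; either that step is missing or the comment should drop the clause. Finally, `$machine` is expanded unquoted in the installables, and quoting them (`nix eval ".#vmOptions.$machine"`) keeps the shell from globbing or splitting an unusual name.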
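Review bot: After this hunk `infra/common/proxmox-qemu-vm.nix` no longer imports the `qemu-guest.nix` profile itself, so the module is only complete when it is imported alongside that profile, and the FIXME explains why the import is disabled but not where it now lives. I would add that next to the commented-out block, e.g. `## The qemu-guest profile is imported by makeResourceModule in infra/flake-part.nix instead.`, so that someone importing this file directly notices the dependency. The module body continues past the end of the hunk.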
@@ -33,8 +32,6 @@ in ## should go into the `./nixos` subdirectory. nixos.module = { imports = [ - "${sources.agenix}/modules/age.nix" - "${sources.disko}/module.nix" ./options.nix ./nixos ];
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 41a8d72d..cad2b1b3 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -23,19 +23,30 @@ let makeResourceModule = { vmName, isTestVm }: { - nixos.module.imports = [ - ./common/proxmox-qemu-vm.nix - ]; - - nixos.specialArgs = { + # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally + _module.args = { inherit - sources inputs keys secrets + sources ; }; + nixos.module.imports = [ + ## FIXME: It would be preferrable to have those `sources`-related + ## imports in the modules that use them. However, doing so triggers + ## infinite recursions because of the way we propagate `sources`. + ## `sources` must be propagated by means of `specialArgs`, but this + ## requires a bigger change. + "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix" + "${sources.agenix}/modules/age.nix" + "${sources.disko}/module.nix" + "${sources.home-manager}/nixos" + + ./common/proxmox-qemu-vm.nix + ]; + imports = [ ./common/resource.nix 
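Review bot: `"${sources.home-manager}/nixos"` was previously imported only by `machines/dev/fedi201/fedipanel.nix` and is now in the list every resource receives from `makeResourceModule`, so each VM's NixOS configuration evaluates the home-manager module whether or not it uses it. If the recursion issue in the FIXME rules out a per-machine import for now, I would at least record who needs it, e.g. `## home-manager: only required by machines/dev/fedi201/fedipanel.nix`, so the import can move back once `sources` is propagated differently. The FIXME also says `sources` must go through `specialArgs` while the lines above it now set `_module.args`; one sentence stating that `_module.args` is the interim arrangement would remove the apparent contradiction. `makeResourceModule` continues outside the hunk.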
@@ -65,39 +76,17 @@ let vmNames: { providers, ... }: { - # XXX: this type merge is for adding `specialArgs` to resource modules - options.resources = mkOption { - type = - with lib.types; - lazyAttrsOf (submoduleWith { - class = "nixops4Resource"; - modules = [ ]; - # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs` - # once we're sure it's sane. leaving it here for better control during refactoring. - specialArgs = { - inherit - sources - inputs - keys - secrets - - ; - }; - }); - }; - config = { - providers.local = inputs.nixops4.modules.nixops4Provider.local; - resources = genAttrs vmNames (vmName: { - type = providers.local.exec; - imports = [ - inputs.nixops4-nixos.modules.nixops4Resource.nixos - (makeResourceModule { - inherit vmName; - isTestVm = false; - }) - ]; - }); - }; + providers.local = inputs.nixops4.modules.nixops4Provider.local; + resources = genAttrs vmNames (vmName: { + type = providers.local.exec; + imports = [ + inputs.nixops4-nixos.modules.nixops4Resource.nixos + (makeResourceModule { + inherit vmName; + isTestVm = false; + }) + ]; + }); }; makeDeployment' = vmName: makeDeployment [ vmName ];
@@ -139,7 +128,7 @@ let ## this is only needed to expose NixOS configurations for provisioning ## purposes, and eventually all of this should be handled by NixOps4. options = { - nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong + nixos.module = mkOption { type = lib.types.deferredModule; }; # NOTE: not just `nixos` otherwise merging will go wrong nixpkgs = mkOption { }; ssh = mkOption { }; }; 
@@ -157,13 +146,9 @@ let ## Given a VM name, make a NixOS configuration for this machine. makeConfiguration = isTestVm: vmName: - let - inherit (sources) nixpkgs; - in - import "${nixpkgs}/nixos" { - modules = [ - (makeResourceConfig { inherit vmName isTestVm; }).nixos.module - ]; + import "${sources.nixpkgs}/nixos" { + configuration = (makeResourceConfig { inherit vmName isTestVm; }).nixos.module; + system = "x86_64-linux"; }; makeVmOptions = isTestVm: vmName: {
diff --git a/machines/dev/fedi200/default.nix b/machines/dev/fedi200/default.nix
index c92c8d52..23ba6de8 100644
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@@ -16,10 +16,4 @@ gateway = "2a00:51c0:13:1305::1"; }; }; - - nixos.module = { - imports = [ - ../../../infra/common/proxmox-qemu-vm.nix - ]; - }; }
diff --git a/machines/dev/fedi201/default.nix b/machines/dev/fedi201/default.nix
index 00717597..bb5058b8 100644
--- a/machines/dev/fedi201/default.nix
+++ b/machines/dev/fedi201/default.nix
@@ -19,7 +19,6 @@ nixos.module = { imports = [ - ../../../infra/common/proxmox-qemu-vm.nix ./fedipanel.nix ]; };
diff --git a/machines/dev/fedi201/fedipanel.nix b/machines/dev/fedi201/fedipanel.nix
index 96a826cf..494212de 100644
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@@ -1,6 +1,5 @@ { config, - sources, ... }: let
@@ -11,7 +10,6 @@ in imports = [ (import ../../../panel { }).module - "${sources.home-manager}/nixos" ]; security.acme = {
diff --git a/machines/dev/vm02116/default.nix b/machines/dev/vm02116/default.nix
index 77253a7c..e9338028 100644
--- a/machines/dev/vm02116/default.nix
+++ b/machines/dev/vm02116/default.nix
@@ -14,7 +14,6 @@ { lib, ... }: { imports = [ - ../../../infra/common/proxmox-qemu-vm.nix ./forgejo.nix ];
diff --git a/machines/dev/vm02187/default.nix b/machines/dev/vm02187/default.nix
index ab3e5d12..2f91d753 100644
--- a/machines/dev/vm02187/default.nix
+++ b/machines/dev/vm02187/default.nix 
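Review bot: `system = "x86_64-linux";` in `makeConfiguration` is a bare literal with no explanation, and the same platform string is already spelled out separately in the CI workflow's `.#checks.x86_64-linux.` path. A why-comment on that line would help the next reader, e.g. `## Pin the platform: without it nixos/default.nix falls back to builtins.currentSystem, which needs impure evaluation.` (presumably that is the motivation, since the CI job evaluates these outputs). If more platforms are ever deployed, this is the place that silently builds the wrong one, so binding the string once in the surrounding `let` and reusing it would be safer. The `let` block this definition sits in starts and ends outside the hunk.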
@@ -14,7 +14,6 @@ { lib, ... }: { imports = [ - ../../../infra/common/proxmox-qemu-vm.nix ./wiki.nix ];