diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index d1f8f3f6..8bd99bb3 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -13,48 +13,45 @@ let secretsPrefix = ../../secrets; secrets = import (secretsPrefix + "/secrets.nix"); keys = import ../../keys; + hostPublicKey = keys.systems.${config.procolixVm.name}; in { imports = [ ./options.nix ]; - config = - let - hostPublicKey = keys.systems.${config.procolixVm.name}; + ssh = { + host = config.procolixVm.host; + hostPublicKey = hostPublicKey; + }; - in - { - ssh = { - host = config.procolixVm.host; - hostPublicKey = hostPublicKey; - }; + nixpkgs = inputs.nixpkgs; - nixpkgs = inputs.nixpkgs; + ## The configuration of the machine. We strive to keep in this file only the + ## options that really need to be injected from the resource. Everything else + ## should go into the `./nixos` subdirectory. + nixos.module = { + imports = [ + inputs.agenix.nixosModules.default + ./options.nix + ./nixos + ]; - nixos.module = { - imports = [ - inputs.agenix.nixosModules.default - ./options.nix - ./nixos - ]; + ## Inject the shared options from the resource's `config` into the NixOS + ## configuration. + procolixVm = config.procolixVm; - ## Inject the shared options from the resource's `config` into the NixOS - ## configuration. - procolixVm = config.procolixVm; + ## Read all the secrets, filter the ones that are supposed to be readable + ## with this host's public key, and add them correctly to the configuration + ## as `age.secrets..file`. + age.secrets = concatMapAttrs ( + name: secret: + optionalAttrs (elem hostPublicKey secret.publicKeys) ({ + ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}"; + }) + ) secrets; - ## Read all the secrets, filter the ones that are supposed to be - ## readable with this host's public key, and add them correctly to the - ## configuration as `age.secrets..file`. 
- age.secrets = concatMapAttrs ( - name: secret: - optionalAttrs (elem hostPublicKey secret.publicKeys) ({ - ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}"; - }) - ) secrets; - - ## FIXME: Remove direct root authentication once the NixOps4 NixOS - ## provider supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; - }; - }; + ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider + ## supports users with password-less sudo. + users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; + }; }
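Review bot: The hoisted `hostPublicKey = keys.systems.${config.procolixVm.name};` binding now feeds both `ssh.hostPublicKey` and the `age.secrets` filter, but a VM whose name has no entry in `keys.systems` fails with Nix's generic missing-attribute error instead of naming the absent host key, and that key is exactly what `elem hostPublicKey secret.publicKeys` uses to decide which secrets the machine receives. A failure that points at the missing entry is easier to act on, e.g. `hostPublicKey = keys.systems.${config.procolixVm.name} or (throw "keys/systems has no public key for ${config.procolixVm.name}");`. The rewrapped comment above the new `age.secrets` block reads `age.secrets..file`; if that is how it appears in the file rather than a rendering artefact, the `<name>` placeholder between the two dots is missing.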