diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 2bf0350..7e25ec2 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -3,7 +3,6 @@ on: workflow_dispatch: push: pull_request: - env: ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} NIX_CONFIG: | @@ -17,7 +16,6 @@ env: TERM: ansi AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} - jobs: build-machines: strategy: @@ -29,7 +27,6 @@ jobs: os: - ubuntu-latest runs-on: ${{ matrix.os }} - steps: - name: Maximize build disk space uses: easimon/maximize-build-space@v10 
@@ -42,49 +39,23 @@ jobs: remove-codeql: 'true' remove-docker-images: 'true' build-mount-path: /nix - - name: setup binary cache key run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem - - name: Install Nix uses: cachix/install-nix-action@v30 - - - name: Install Lix - run: | - sudo --preserve-env=PATH $(which nix) run \ - --experimental-features "nix-command flakes" \ - --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" \ - 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ - upgrade-nix \ - --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" - nix --version - - name: Sync repository uses: actions/checkout@v4 with: persist-credentials: false - - name: build run: | package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" nix build -L "$package" - - name: cache - # https://stackoverflow.com/a/58859404 - if: '!cancelled()' + if: always() run: | - package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" - derivations=() - while IFS=$'\n' read derivation; do - derivations+=("$derivation") - done < <(nix path-info --derivation "$package") - - for derivation in "${derivations[@]}"; do - nix copy -j8 \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' \ - $(nix-store --query --requisites --include-outputs "$derivation") - done - + nix copy --all --to 's3://nixcache?endpoint=s3.cy7.sh' --verbose + nix store sign --store 's3://nixcache?endpoint=s3.cy7.sh' -k /home/runner/cache-priv-key.pem --all build-homes: strategy: fail-fast: false @@ -96,7 +67,6 @@ jobs: - ubuntu-latest # - macos-latest runs-on: ${{ matrix.os }} - steps: - name: Maximize build disk space uses: easimon/maximize-build-space@v10 
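Review bot: The new `nix store sign --store 's3://nixcache?endpoint=s3.cy7.sh' -k /home/runner/cache-priv-key.pem --all` line in the `cache` step asks Nix to sign every path in the remote cache, not only what this job built, so anything that reached the bucket by another route would be given a trusted signature on the next run. The removed code signed at upload time through the `secret-key=` store parameter, which limits signatures to paths copied from this runner's store. Unless remote signing is needed for a reason not visible here, I would drop the `nix store sign` line and keep `nix copy --all --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' --verbose`. Re-signing the whole bucket on every run also presumably gets slower as the cache grows. The same pair of lines is added in the `build-homes` hunk (`@@ -109,45 +79,20 @@`) and in `build-packages.yml` (`@@ -33,42 +31,23 @@`).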
@@ -109,45 +79,20 @@ jobs: remove-codeql: 'true' remove-docker-images: 'true' build-mount-path: /nix - - name: setup binary cache key run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem - - name: Install Nix uses: cachix/install-nix-action@v30 - - - name: Install Lix - run: | - sudo --preserve-env=PATH $(which nix) run \ - --experimental-features "nix-command flakes" \ - --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" \ - 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ - upgrade-nix \ - --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" - nix --version - - name: Sync repository uses: actions/checkout@v4 with: persist-credentials: false - - name: build run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" nix build -L "$package" - - name: cache - # https://stackoverflow.com/a/58859404 - if: '!cancelled()' + if: always() run: | - package=".#homeConfigurations."${{ matrix.home }}".activationPackage" - derivations=() - while IFS=$'\n' read derivation; do - derivations+=("$derivation") - done < <(nix path-info --derivation "$package") - - for derivation in "${derivations[@]}"; do - nix copy -j8 \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' \ - $(nix-store --query --requisites --include-outputs "$derivation") - done + nix copy --all --to 's3://nixcache?endpoint=s3.cy7.sh' --verbose + nix store sign --store 's3://nixcache?endpoint=s3.cy7.sh' -k /home/runner/cache-priv-key.pem --all diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 1118650..5e779ac 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml 
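Review bot: `if: always()` on the `cache` step makes the upload run even after the workflow is cancelled, which the replaced `if: '!cancelled()'` avoided while still running after a failed build. Together with `nix copy --all`, a cancelled or failed run now pushes whatever is in the runner's store, and this file's `on:` block includes `pull_request`, so that covers builds of unmerged branches as well. I would restore `if: '!cancelled()'` and add a condition such as `github.event_name != 'pull_request'` if pull-request builds should not write to the shared cache. The same `if:` change is made in the `build-machines` hunk (`@@ -42,49 +39,23 @@`) and in `build-packages.yml` (`@@ -33,42 +31,23 @@`).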
@@ -6,7 +6,6 @@ on: description: "package to build" required: false type: string - env: ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} NIX_CONFIG: | @@ -19,7 +18,6 @@ env: TERM: ansi AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }} - jobs: build-packages: strategy: @@ -33,42 +31,23 @@ jobs: # - macos-latest # - macos-13 runs-on: ${{ matrix.os }} - steps: - name: setup binary cache key run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem - - name: Install Nix uses: cachix/install-nix-action@v30 - - - name: Install Lix - run: | - sudo --preserve-env=PATH $(which nix) run \ - --experimental-features "nix-command flakes" \ - --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" \ - 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \ - upgrade-nix \ - --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" - nix --version - - name: Sync repository uses: actions/checkout@v4 with: persist-credentials: false - - run: nix build -L ${{ matrix.package }} - - name: cache result - # https://stackoverflow.com/a/58859404 - if: '!cancelled()' + if: always() run: | - nix copy -j8 \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' \ - $(nix path-info --recursive --derivation "${{ matrix.package }}" |sed 's/\.drv$/.drv^*/') - + nix copy --all --to 's3://nixcache?endpoint=s3.cy7.sh' --verbose + nix store sign --store 's3://nixcache?endpoint=s3.cy7.sh' -k /home/runner/cache-priv-key.pem --all - name: prepare tarball to upload run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result - - name: upload result uses: actions/upload-artifact@v4 with: diff --git a/justfile b/justfile index 9f6236c..68b7e5c 100644 --- a/justfile +++ b/justfile 
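Review bot: The `setup binary cache key` step in the `@@ -33,42 +31,23 @@` hunk still writes the signing key to `/home/runner/cache-priv-key.pem` as the first step, so the key is on disk while `nix build -L ${{ matrix.package }}` runs, although after this change only the `nix store sign` line reads it. Moving that step to directly before `cache result`, with the same `if:`, would shorten the time the key is exposed to code from the checked-out tree; Nix's build sandbox presumably already limits this, but that depends on runner configuration not shown here. Writing with `>` instead of `>>` and adding `chmod 600 /home/runner/cache-priv-key.pem` would also avoid appending to a leftover file if the job ever runs on a reused runner, and would keep the file owner-readable only. The `build-machines` and `build-homes` hunks in `build-machines-and-homes.yml` have the same step order.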
@@ -1,7 +1,9 @@ update: git branch -D update || true git switch -c update - nix flake update --commit-lock-file + nix flake update + git add flake.lock + git commit -s -m "flake update" git push -f git switch main
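Review bot: `git commit -s -m "flake update"` commits the whole index, so anything staged before `just update` was run is swept into the lock-file commit and force-pushed with it; `git commit -s -m "flake update" -- flake.lock` limits the commit to the lock file. When `nix flake update` changes nothing, the commit exits non-zero and the recipe stops before `git switch main`, leaving the checkout on the `update` branch. The fixed message also replaces the one `--commit-lock-file` generated, which as far as I know listed the inputs that changed and is useful when auditing a dependency bump.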