diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml
index 7e25ec2..2bf0350 100644
--- a/.github/workflows/build-machines-and-homes.yml
+++ b/.github/workflows/build-machines-and-homes.yml
@@ -3,6 +3,7 @@ on:
 workflow_dispatch:
 push:
 pull_request:
+
 env:
 ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
 NIX_CONFIG: |
@@ -16,6 +17,7 @@ env:
 TERM: ansi
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}
+
 jobs:
 build-machines:
 strategy:
@@ -27,6 +29,7 @@ jobs:
 os:
 - ubuntu-latest
 runs-on: ${{ matrix.os }}
+
 steps:
 - name: Maximize build disk space
 uses: easimon/maximize-build-space@v10
@@ -39,23 +42,49 @@ jobs:
 remove-codeql: 'true'
 remove-docker-images: 'true'
 build-mount-path: /nix
+
 - name: setup binary cache key
 run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
+
 - name: Install Nix
 uses: cachix/install-nix-action@v30
+
+ - name: Install Lix
+ run: |
+ sudo --preserve-env=PATH $(which nix) run \
+ --experimental-features "nix-command flakes" \
+ --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" \
+ 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+ upgrade-nix \
+ --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
+ nix --version
+
 - name: Sync repository
 uses: actions/checkout@v4
 with:
 persist-credentials: false
+
 - name: build
 run: |
 package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
 nix build -L "$package"
+
 - name: cache
- if: always()
+ # https://stackoverflow.com/a/58859404
+ if: '!cancelled()'
 run: |
- nix copy --all --to 's3://nixcache?endpoint=s3.cy7.sh' --verbose
- nix store sign --store 's3://nixcache?endpoint=s3.cy7.sh' -k /home/runner/cache-priv-key.pem --all
+ package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
+ derivations=()
+ while IFS=$'\n' read derivation; do
+ derivations+=("$derivation")
+ done < <(nix path-info --derivation "$package")
+
+ for derivation in "${derivations[@]}"; do
+ nix copy -j8 \
+ --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' \
+ $(nix-store --query --requisites --include-outputs "$derivation")
+ done
+
 build-homes:
 strategy:
 fail-fast: false
@@ -67,6 +96,7 @@ jobs:
 - ubuntu-latest
 # - macos-latest
 runs-on: ${{ matrix.os }}
+
 steps:
 - name: Maximize build disk space
 uses: easimon/maximize-build-space@v10
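Review bot: The new Install Lix step resolves `refs/tags/2.92.0` at run time and executes the result under `sudo`; a tag is a mutable ref, so what runs as root on the runner is whatever that tag points to on the day of the build. By this point the job has already written the cache signing key to `/home/runner/cache-priv-key.pem`, and the workflow-level `env` carries the AWS and Attic credentials. Pinning the commit keeps the fetched source fixed: `'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0&rev=<full-commit-sha-of-2.92.0>' -- \`. The same step is added in the build-homes hunk and in build-packages.yml, and a one-line comment above it saying why stock Nix is replaced by Lix would help the next reader.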
@@ -79,20 +109,45 @@ jobs:
 remove-codeql: 'true'
 remove-docker-images: 'true'
 build-mount-path: /nix
+
 - name: setup binary cache key
 run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
+
 - name: Install Nix
 uses: cachix/install-nix-action@v30
+
+ - name: Install Lix
+ run: |
+ sudo --preserve-env=PATH $(which nix) run \
+ --experimental-features "nix-command flakes" \
+ --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" \
+ 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+ upgrade-nix \
+ --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
+ nix --version
+
 - name: Sync repository
 uses: actions/checkout@v4
 with:
 persist-credentials: false
+
 - name: build
 run: |
 package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
 nix build -L "$package"
+
 - name: cache
- if: always()
+ # https://stackoverflow.com/a/58859404
+ if: '!cancelled()'
 run: |
- nix copy --all --to 's3://nixcache?endpoint=s3.cy7.sh' --verbose
- nix store sign --store 's3://nixcache?endpoint=s3.cy7.sh' -k /home/runner/cache-priv-key.pem --all
+ package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
+ derivations=()
+ while IFS=$'\n' read derivation; do
+ derivations+=("$derivation")
+ done < <(nix path-info --derivation "$package")
+
+ for derivation in "${derivations[@]}"; do
+ nix copy -j8 \
+ --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' \
+ $(nix-store --query --requisites --include-outputs "$derivation")
+ done
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
index 5e779ac..1118650 100644
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
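Review bot: In the new cache step, `nix path-info --derivation "$package"` runs inside a process substitution, whose exit status the shell discards, so a failed evaluation leaves `derivations` empty and the step reports success without uploading or signing anything. Capturing the output first makes the failure visible under the runner's default `bash -e`: `drvs=$(nix path-info --derivation "$package")` followed by `mapfile -t derivations <<< "$drvs"`. The `read` in the loop should also take `-r`. The build-machines job has the same loop, and since the step now also runs after a failed build (`!cancelled()`), a comment stating that pushing a partial closure is intended would make that clear.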
@@ -6,6 +6,7 @@ on:
 description: "package to build"
 required: false
 type: string
+
 env:
 ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
 NIX_CONFIG: |
@@ -18,6 +19,7 @@ env:
 TERM: ansi
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets. AWS_SECRET_ACCESS_KEY }}
+
 jobs:
 build-packages:
 strategy:
@@ -31,23 +33,42 @@ jobs:
 # - macos-latest
 # - macos-13
 runs-on: ${{ matrix.os }}
+
 steps:
 - name: setup binary cache key
 run: echo "${{ secrets.NIX_CACHE_SECRET_KEY }}" >> /home/runner/cache-priv-key.pem
+
 - name: Install Nix
 uses: cachix/install-nix-action@v30
+
+ - name: Install Lix
+ run: |
+ sudo --preserve-env=PATH $(which nix) run \
+ --experimental-features "nix-command flakes" \
+ --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" \
+ 'git+https://git.lix.systems/lix-project/lix?ref=refs/tags/2.92.0' -- \
+ upgrade-nix \
+ --extra-substituters https://cache.lix.systems --extra-trusted-public-keys "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
+ nix --version
+
 - name: Sync repository
 uses: actions/checkout@v4
 with:
 persist-credentials: false
+
 - run: nix build -L ${{ matrix.package }}
+
 - name: cache result
- if: always()
+ # https://stackoverflow.com/a/58859404
+ if: '!cancelled()'
 run: |
- nix copy --all --to 's3://nixcache?endpoint=s3.cy7.sh' --verbose
- nix store sign --store 's3://nixcache?endpoint=s3.cy7.sh' -k /home/runner/cache-priv-key.pem --all
+ nix copy -j8 \
+ --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem' \
+ $(nix path-info --recursive --derivation "${{ matrix.package }}" |sed 's/\.drv$/.drv^*/')
+
 - name: prepare tarball to upload
 run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
+
 - name: upload result
 uses: actions/upload-artifact@v4
 with:
diff --git a/justfile b/justfile
index 68b7e5c..9f6236c 100644
--- a/justfile
+++ b/justfile
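Review bot: The new `nix copy` command in the "cache result" step expands `${{ matrix.package }}` into the script text before bash parses it, so a value containing a quote or a command substitution becomes shell code in a job that holds the cache signing key and the AWS credentials. The matrix definition is outside this hunk, but the `on:` block declares a free-form string input described as "package to build", so the value may come from whoever dispatches the workflow. Passing it through the environment removes the interpolation: add `env:` with `PACKAGE: ${{ matrix.package }}` to the step and use `"$PACKAGE"` in the `nix path-info` call. The unchanged `nix build -L ${{ matrix.package }}` step above follows the same pattern.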
@@ -1,9 +1,7 @@
 update:
 git branch -D update || true
 git switch -c update
- nix flake update
- git add flake.lock
- git commit -s -m "flake update"
+ nix flake update --commit-lock-file
 git push -f
 git switch main
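Review bot: With `nix flake update --commit-lock-file` Nix creates the commit itself, so the `-s` sign-off that the removed `git commit -s -m "flake update"` applied is no longer added and the commit message becomes the one Nix generates. If the repository checks for a Signed-off-by trailer on incoming branches, the update branch will stop passing that check. Otherwise a comment in the recipe such as `# nix authors the lock-file commit; no sign-off trailer` would record the change in behaviour.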