diff --git a/.github/workflows/push-based-deploy.yml b/.github/workflows/push-based-deploy.yml
index a937107..05d2f63 100644
--- a/.github/workflows/push-based-deploy.yml
+++ b/.github/workflows/push-based-deploy.yml
@@ -26,21 +26,20 @@ jobs:
 sudo aws configure set aws_secret_access_key ${{ steps.aws.outputs.aws-secret-access-key }}
 sudo aws configure set aws_session_token ${{ steps.aws.outputs.aws-session-token }}
 sudo aws configure set region eu-central-1
+ - id: get-cache-secret-key
+ name: Get cache secret key
+ run: echo "${{ secrets.CACHE_SECRET_KEY }}" > cache-secret-key
 - id: build
 name: Build
 run: |
- nix build .#nixosConfigurations.web-push.config.system.build.toplevel --extra-substituters '${{ vars.CACHE_BUCKET }}' --extra-trusted-public-keys '${{ vars.CACHE_PUBLIC_KEY }}'
+ nix build \
+ --extra-substituters '${{ vars.CACHE_BUCKET }}' \
+ --extra-trusted-public-keys '${{ vars.CACHE_PUBLIC_KEY }}' \
+ --store "${{ vars.CACHE_BUCKET }}&secret-key=$(realpath ./cache-secret-key)" \
+ --builders 'auto' \
+ .#nixosConfigurations.web-push.config.system.build.toplevel
 out_path=$(readlink ./result)
 echo "out_path=$out_path" >> "$GITHUB_OUTPUT"
- - id: sign
- name: Sign
- run: |
- echo "${{ secrets.CACHE_SECRET_KEY }}" > cache-secret-key
- nix store sign --recursive --key-file cache-secret-key ${{ steps.build.outputs.out_path }}
- - id: copy
- name: Copy
- run: |
- nix copy --to "${{ vars.CACHE_BUCKET }}" ${{ steps.build.outputs.out_path }}
 - id: deploy
 name: Deploy
 run: |
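Review bot: The new `get-cache-secret-key` step expands `${{ secrets.CACHE_SECRET_KEY }}` directly into the shell script and writes the cache signing key to `cache-secret-key` in the workspace with the default umask, where it remains for the rest of the job, including the deploy step. Passing the secret through `env:` keeps its content out of the generated script, so quotes, `$` or backticks in the value are not interpreted by the shell, and `umask 077` keeps the file readable only by the runner user. Removing the file once the build step has finished would shorten its lifetime further. Separately, the `--store` value appends `&secret-key=` to `vars.CACHE_BUCKET`, which presumably relies on that variable already carrying a `?…` query string; a short comment at that line stating the expected form of the variable would save the next maintainer a failed run. The deploy step's body continues outside the hunk.

```yaml
      - id: get-cache-secret-key
        name: Get cache secret key
        env:
          CACHE_SECRET_KEY: ${{ secrets.CACHE_SECRET_KEY }}
        run: |
          umask 077
          printf '%s\n' "$CACHE_SECRET_KEY" > cache-secret-key
      # … unchanged: build step (nix build … --store … --builders 'auto') …
```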