diff --git a/.woodpecker.yml b/.woodpecker.yml
index f1d8d27..c69e605 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -29,7 +29,7 @@ steps:
           kubernetes.io/arch: amd64
     commands:
       - sh ci/setup.sh
-      - sh ci/build.sh x86_64-linux
+      - xonsh ci/build.xsh x86_64-linux
 
   - name: build-aarch64-linux
     image: git.oleks.space/oleks/nix-ci:latest
@@ -45,7 +45,7 @@ steps:
           kubernetes.io/arch: arm64
     commands:
       - sh ci/setup.sh
-      - sh ci/build.sh aarch64-linux
+      - xonsh ci/build.xsh aarch64-linux
 
   - name: build-s390x-linux
     image: git.oleks.space/oleks/nix-ci:latest
@@ -61,4 +61,4 @@ steps:
           kubernetes.io/arch: amd64
     commands:
       - sh ci/setup.sh
-      - sh ci/build.sh s390x-linux
+      - xonsh ci/build.xsh s390x-linux
diff --git a/ci/build.sh b/ci/build.sh
deleted file mode 100755
index a29754d..0000000
--- a/ci/build.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-# Build all flake-hub packages and push to attic
-set -e
-
-ARCH="$1"
-ATTIC_CACHE="attic-infra-cache-k3s-1"
-ATTIC_SERVER="https://nix-cache-upload.oleks.space"
-
-echo "=== Building flake-hub packages for ${ARCH} ==="
-
-# Setup attic
-attic=$(nix build --inputs-from . nixpkgs#attic-client --print-out-paths --no-link)/bin/attic
-"${attic}" login ci "${ATTIC_SERVER}" "${ATTIC_TOKEN}"
-
-echo "Building packages..."
-out=$(nix build ".#packages.${ARCH}.hello-world" --print-build-logs --print-out-paths --no-link)
-"${attic}" push "${ATTIC_CACHE}" "${out}"
-
-out=$(nix build ".#packages.${ARCH}.xonsh" --print-build-logs --print-out-paths --no-link)
-"${attic}" push "${ATTIC_CACHE}" "${out}"
-
-echo "✅ Build completed for ${ARCH}"
diff --git a/ci/build.xsh b/ci/build.xsh
new file mode 100644
index 0000000..d34484e
--- /dev/null
+++ b/ci/build.xsh
@@ -0,0 +1,29 @@
+#!/usr/bin/env xonsh
+"""Build all flake-hub packages and push to attic."""
+
+import sys
+
+ARCH = sys.argv[1]
+ATTIC_CACHE = "attic-infra-cache-k3s-1"
+ATTIC_SERVER = "https://nix-cache-upload.oleks.space"
+
+print(f"=== Building flake-hub packages for {ARCH} ===")
+
+# Setup attic
+attic = $(nix build --inputs-from . nixpkgs#attic-client --print-out-paths --no-link).strip() + "/bin/attic"
+@(attic) login ci @(ATTIC_SERVER) $ATTIC_TOKEN
+
+# Common packages (all arches)
+packages = ["hello-world", "geesefs", "xonsh"]
+
+# Cross-only packages
+if ARCH == "s390x-linux":
+    packages += ["attic-client"]
+
+print("Building packages...")
+for pkg in packages:
+    print(f"--- {pkg} ---")
+    out = $(nix build @(f".#packages.{ARCH}.{pkg}") --print-build-logs --print-out-paths --no-link).strip()
+    @(attic) push @(ATTIC_CACHE) @(out)
+
+print(f"Build completed for {ARCH}")
diff --git a/flake.nix b/flake.nix
index 3583c22..9cadbc4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,7 @@
 
       mkPackages = pkgs: {
         hello-world = pkgs.callPackage ./packages/hello-world.nix { };
+        geesefs = pkgs.callPackage ./packages/geesefs.nix { };
         xonsh = pkgs.callPackage ./packages/xonsh.nix {
           xonsh-unwrapped = import ./packages/xonsh-unwrapped.nix {
             inherit (pkgs) lib python3Packages fetchFromGitHub;
@@ -36,6 +37,65 @@
         };
       };
 
+      # Overlays needed for s390x cross-compilation of attic-client
+      s390xOverlays = [
+        # OpenSSL s390x assembly uses z10 instructions (cijne) that the
+        # nix-bootstrapped assembler doesn't recognize
+        (final: prev: {
+          openssl = prev.openssl.overrideAttrs (old: {
+            configureFlags = (old.configureFlags or [ ]) ++ [ "no-asm" ];
+          });
+        })
+        # musl doesn't support s390x long double (IBM double-double format:
+        # LDBL_MANT_DIG=106, sizeof=16). Make musl appear unavailable so
+        # busybox-sandbox-shell uses glibc static instead.
+        (final: prev: {
+          busybox-sandbox-shell = prev.busybox-sandbox-shell.override {
+            musl = prev.musl // {
+              meta = prev.musl.meta // {
+                platforms = [ ];
+              };
+            };
+          };
+        })
+        # libarchive tests fail in k8s pod sandboxes
+        (final: prev: {
+          libarchive = prev.libarchive.overrideAttrs (_: {
+            doCheck = false;
+          });
+        })
+        # nix 2.28 is a direct dependency of attic-client — disable tests
+        # and fix missing RPATH for boost/zstd/libarchive
+        (final: prev: {
+          nixVersions = prev.nixVersions // {
+            nix_2_28 = prev.nixVersions.nix_2_28.overrideAttrs (old: {
+              doCheck = false;
+              doInstallCheck = false;
+              nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ final.patchelf ];
+              postFixup = (old.postFixup or "") + ''
+                for rpath in ${final.boost}/lib ${final.zstd.out}/lib ${final.libarchive.out}/lib; do
+                  patchelf --add-rpath "$rpath" $out/bin/nix
+                  for lib in $out/lib/lib*.so; do
+                    [ -f "$lib" ] && patchelf --add-rpath "$rpath" "$lib"
+                  done
+                done
+              '';
+            });
+          };
+        })
+        # LLVM test failures in CI pod environment — override libllvm
+        # (not llvm) so it propagates through rustc bootstrap chain
+        (final: prev: {
+          llvmPackages = prev.llvmPackages // {
+            libllvm = prev.llvmPackages.libllvm.overrideAttrs (old: {
+              doCheck = false;
+              doInstallCheck = false;
+              nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ prev.gitMinimal ];
+            });
+          };
+        })
+      ];
+
       # Native builds
       native = flake-utils.lib.eachSystem buildSystems (
         system:
@@ -69,6 +129,11 @@
         builtins.map (
           target:
           let
+            targetOverlays =
+              {
+                "s390x-linux" = s390xOverlays;
+              }
+              .${target} or [];
             pkgs = import nixpkgs {
               system = "x86_64-linux";
               crossSystem.config =
@@ -78,12 +143,20 @@
                   }
                   .${target}
                 }.config;
+              overlays = targetOverlays;
             };
             packages = mkPackages pkgs;
+            crossOnlyPackages =
+              {
+                "s390x-linux" = {
+                  inherit (pkgs) attic-client;
+                };
+              }
+              .${target} or {};
           in
           {
             name = target;
-            value = packages // {
+            value = packages // crossOnlyPackages // {
               default = packages.hello-world;
             };
           }
diff --git a/packages/geesefs.nix b/packages/geesefs.nix
new file mode 100644
index 0000000..a72fe89
--- /dev/null
+++ b/packages/geesefs.nix
@@ -0,0 +1,29 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+}:
+
+buildGoModule rec {
+  pname = "geesefs";
+  version = "0.43.5";
+
+  src = fetchFromGitHub {
+    owner = "yandex-cloud";
+    repo = "geesefs";
+    rev = "v${version}";
+    hash = "sha256-cfeL7fnxS+UFUlRVLiO09GHuEOvkiH5PkKcoH+jNRhY=";
+  };
+
+  proxyVendor = true;
+  vendorHash = "sha256-p+shpYrPxYLXpW6A4a/5qM90KH+pcMCqZOPoYTE77f0=";
+
+  subPackages = [ "." ];
+
+  meta = {
+    description = "FUSE FS implementation over S3";
+    homepage = "https://github.com/yandex-cloud/geesefs";
+    license = [ lib.licenses.mit ];
+    platforms = lib.platforms.unix;
+  };
+}