diff --git a/pkgs/default.nix b/pkgs/default.nix
index 975ba7f..ce2a60a 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -96,6 +96,7 @@ in {
   minisock = callPackage ./minisock { };
   nellie = callPackage ./nellie { };
   netlink-lua = callPackage ./netlink-lua { };
+  nginx-small = callPackage ./nginx-small { };
   odhcp-script = callPackage ./odhcp-script { };
   odhcp6c = callPackage ./odhcp6c { };
   openwrt = callPackage ./openwrt { };
diff --git a/pkgs/nginx-small/default.nix b/pkgs/nginx-small/default.nix
new file mode 100644
index 0000000..314fea8
--- /dev/null
+++ b/pkgs/nginx-small/default.nix
@@ -0,0 +1,118 @@
+# There is stuff in the nixpkgs nginx that's quite difficult to
+# disable if you want the smallest possible nginx for a single use, so
+# herewith a derivation that allows fine-grained control of all the
+# --with and --without options. The patches are from nixpkgs (or from
+# openwrt via nixpkgs, it looks like) and at least one of them is
+# essential for making the package cross-compilable
+
+{
+  stdenv
+, openssl
+, fetchzip
+, fetchpatch
+, pcre
+, zlib
+, lib
+, options ? []
+}:
+let
+  # nginx configure script does not accept a with-foo_module flag for
+  # a foo_module that's already included, nor a without-foo_module
+  # for a module that isn't. Ho hum
+  #  grep -E 'without.+\)' auto/options | sed -e 's/).*$//g' -e 's/.*--without-//g'
+  defaultEnabled = [
+    "select_module"
+    "poll_module"
+    "quic_bpf_module"
+    "http"
+    "http-cache"
+    "http_charset_module"
+    "http_gzip_module"
+    "http_ssi_module"
+    "http_userid_module"
+    "http_access_module"
+    "http_auth_basic_module"
+    "http_mirror_module"
+    "http_autoindex_module"
+    "http_status_module"
+    "http_geo_module"
+    "http_map_module"
+    "http_split_clients_module"
+    "http_referer_module"
+    "http_rewrite_module"
+    "http_proxy_module"
+    "http_fastcgi_module"
+    "http_uwsgi_module"
+    "http_scgi_module"
+    "http_grpc_module"
+    "http_memcached_module"
+    "http_limit_conn_module"
+    "http_limit_req_module"
+    "http_empty_gif_module"
+    "http_browser_module"
+    "http_upstream_hash_module"
+    "http_upstream_ip_hash_module"
+    "http_upstream_least_conn_module"
+    "http_upstream_random_module"
+    "http_upstream_keepalive_module"
+    "http_upstream_zone_module"
+    "mail_pop3_module"
+    "mail_imap_module"
+    "mail_smtp_module"
+    "stream_limit_conn_module"
+    "stream_access_module"
+    "stream_geo_module"
+    "stream_map_module"
+    "stream_split_clients_module"
+    "stream_return_module"
+    "stream_pass_module"
+    "stream_set_module"
+    "stream_upstream_hash_module"
+    "stream_upstream_least_conn_module"
+    "stream_upstream_random_module"
+    "stream_upstream_zone_module"
+    "pcre"
+    "pcre2"
+  ];
+  # for each in defaultEnabled that are not in withFlags,
+  # add a --without option
+  # for each in withFlags that are not in defaultEnabled,
+  # add a --with option
+  withouts = lib.subtractLists options defaultEnabled;
+  withs = lib.subtractLists defaultEnabled options;
+
+in stdenv.mkDerivation {
+  pname = "nginx-small";
+  version  = "";
+  buildInputs = [ openssl pcre zlib ];
+  configureFlags =
+    (map (f: "--with-${f}") withs)
+    ++ (map (f: "--without-${f}") withouts)
+    ++ lib.optional (pcre == null)
+      "--without-http_rewrite_module"
+    ++ lib.optional (zlib == null)
+      "--without-http_gzip_module";
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; # musl
+
+  configurePlatforms = [];
+  patches = [
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/102-sizeof_test_fix.patch";
+      sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
+    })
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/101-feature_test_fix.patch";
+      sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y";
+    })
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/103-sys_nerr.patch";
+      sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
+    })
+  ];
+
+  src = fetchzip {
+    url = "https://nginx.org/download/nginx-1.26.2.tar.gz";
+    hash = "sha256-CQbvqISgca+LBpmTUuF8IuJZC9GNn8kT0hQwzfz+wH8=";
+  };
+}