diff --git a/flake.nix b/flake.nix
index 4cb9db7..04ef44a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,9 +27,12 @@
           jdk = final.openjdk19;
         };
         piped-proxy = final.callPackage ./packages/proxy {};
-        piped-proxy-openssl = piped-proxy.override { withOpenSSL = true; };
-        piped-proxy-minimal = piped-proxy.override { withAVIF = false; withWebP = false; };
-        piped-proxy-minimal-openssl = piped-proxy-minimal.override { withOpenSSL = true; };
+        piped-proxy-openssl = piped-proxy.override {withOpenSSL = true;};
+        piped-proxy-minimal = piped-proxy.override {
+          withAVIF = false;
+          withWebP = false;
+        };
+        piped-proxy-minimal-openssl = piped-proxy-minimal.override {withOpenSSL = true;};
         piped-backend-deps = final.callPackage ./packages/backend/deps.nix {
           jdk = final.openjdk19;
         };
diff --git a/module/default.nix b/module/default.nix
index 16cf1f5..bff22e4 100644
--- a/module/default.nix
+++ b/module/default.nix
@@ -274,6 +274,12 @@ in {
         default = 3002;
       };
 
+      disallowImageTranscoding = mkOption {
+        type = types.bool;
+        default = false;
+        description = "turns off transcoding thumbnails/other to webp/avif if client adds those to allowed mime types on image requests; may use a lot of CPU depending on how many users";
+      };
+
       nginx = {
         disableNginx = mkOption {
           type = types.bool;
diff --git a/module/proxy.nix b/module/proxy.nix
index f823802..3bb08bc 100644
--- a/module/proxy.nix
+++ b/module/proxy.nix
@@ -35,6 +35,7 @@ in {
       wantedBy = ["multi-user.target"];
       environment.BIND = "0.0.0.0:${toString proxyConfig.internalPort}";
       environment.IPV4_ONLY = mkIf proxyConfig.proxyIPv4Only "1";
+      environment.DISALLOW_IMAGE_TRANSCODING = mkIf proxyConfig.disallowImageTranscoding "1";
       serviceConfig = {
         ExecStart = "${proxyConfig.package}/bin/piped-proxy";
 
diff --git a/packages/proxy/default.nix b/packages/proxy/default.nix
index 2d4f434..cf8f66a 100644
--- a/packages/proxy/default.nix
+++ b/packages/proxy/default.nix
@@ -34,7 +34,7 @@ in
       ++ (optional withMimalloc "mimalloc")
       ++ (optional withMimalloc "avif")
       ++ (optional withMimalloc "webp");
-  
+
     buildInputs = optional withOpenSSL openssl;
     nativeBuildInputs = [] ++ (optional withAVIF nasm) ++ (optional withOpenSSL pkg-config);