diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index 41d50dc73084..815d0778ae74 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@@ -4,18 +4,20 @@ let
   inherit (lib) mkOption types;
+  podmanPackage = (pkgs.podman.override { inherit (cfg) extraPackages; });
+
   # Provides a fake "docker" binary mapping to podman
-  dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {
+  dockerCompat = pkgs.runCommandNoCC "${podmanPackage.pname}-docker-compat-${podmanPackage.version}" {
     outputs = [ "out" "bin" "man" ];
-    inherit (pkgs.podman) meta;
+    inherit (podmanPackage) meta;
   } ''
     mkdir $out
     mkdir -p $bin/bin
-    ln -s ${pkgs.podman.bin}/bin/podman $bin/bin/docker
+    ln -s ${podmanPackage.bin}/bin/podman $bin/bin/docker
     mkdir -p $man/share/man/man1
-    for f in ${pkgs.podman.man}/share/man/man1/*; do
+    for f in ${podmanPackage.man}/share/man/man1/*; do
       basename=$(basename $f | sed s/podman/docker/g)
       ln -s $f $man/share/man/man1/$basename
     done
@@ -54,6 +56,19 @@ in
     '';
   };
+  extraPackages = mkOption {
+    type = with types; listOf package;
+    default = [ ];
+    example = lib.literalExample ''
+      [
+        pkgs.gvisor
+      ]
+    '';
+    description = ''
+      Extra packages to be installed in the Podman wrapper.
+    '';
+  };
+
   libpod = mkOption {
     default = {};
     description = "Libpod configuration";
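Review bot: The new `podmanPackage` binding carries no explanation of what it is, and its parentheses are redundant; `podmanPackage = pkgs.podman.override { inherit (cfg) extraPackages; };` reads more cleanly. A one-line comment above it would also help the next reader, e.g. `# The podman wrapper (see pkgs/applications/virtualization/podman/wrapper.nix) with the module's extraPackages added to its PATH`. Everything below in this hunk, including the docker-compat symlinks, then resolves to that wrapped binary, which is presumably the intent.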
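Review bot: The description of the new `extraPackages` option, "Extra packages to be installed in the Podman wrapper.", does not say what "installed" means here; wrapper.nix in this same commit puts them on the wrapped binary's PATH via `--prefix PATH`, which is the property a user choosing e.g. `pkgs.gvisor` actually depends on. I would reword it to `Extra packages to be put on the PATH of the wrapped podman binary, for example additional OCI runtimes.`. The rest of the option (type, default, example) looks fine.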
@@ -77,25 +92,15 @@ in
   config = lib.mkIf cfg.enable {
-    environment.systemPackages = [
-      pkgs.podman # Docker compat
-      pkgs.runc # Default container runtime
-      pkgs.crun # Default container runtime (cgroups v2)
-      pkgs.conmon # Container runtime monitor
-      pkgs.slirp4netns # User-mode networking for unprivileged namespaces
-      pkgs.fuse-overlayfs # CoW for images, much faster than default vfs
-      pkgs.utillinux # nsenter
-      pkgs.iptables
-    ]
-    ++ lib.optional cfg.dockerCompat dockerCompat;
+    environment.systemPackages = [ podmanPackage ]
+      ++ lib.optional cfg.dockerCompat dockerCompat;
     environment.etc."containers/libpod.conf".text = ''
       cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
-      cni_config_dir = "/etc/cni/net.d/"
     '' + cfg.libpod.extraConfig;
-    environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman.src}/cni/87-podman-bridge.conflist";
+    environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman-unwrapped.src}/cni/87-podman-bridge.conflist";
     # Enable common /etc/containers configuration
     virtualisation.containers.enable = true;
diff --git a/pkgs/applications/virtualization/podman/wrapper.nix b/pkgs/applications/virtualization/podman/wrapper.nix
new file mode 100644
index 000000000000..0b905c0c709e
--- /dev/null
+++ b/pkgs/applications/virtualization/podman/wrapper.nix
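Review bot: With `cni_config_dir` no longer written to libpod.conf, the bridge conflist this hunk still installs at `/etc/cni/net.d/87-podman-bridge.conflist` is only picked up if libpod's built-in default config directory resolves to that path; the commit does not record that assumption anywhere. A comment on the `libpod.conf` string such as `# cni_config_dir is left at libpod's default, which must resolve to /etc/cni/net.d where the conflist below is installed` would make the dependency explicit and easier to check when podman is bumped. The conflist source is taken from `pkgs.podman-unwrapped.src` rather than through `podmanPackage`, which is correct because the wrapper only inherits `name pname version meta outputs` and has no `src`, but a short comment saying so would stop a future reader from "fixing" it back to the wrapped package.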
@@ -0,0 +1,48 @@
+{ podman-unwrapped
+, runCommand
+, makeWrapper
+, lib
+, extraPackages ? []
+, podman # Docker compat
+, runc # Default container runtime
+, crun # Default container runtime (cgroups v2)
+, conmon # Container runtime monitor
+, slirp4netns # User-mode networking for unprivileged namespaces
+, fuse-overlayfs # CoW for images, much faster than default vfs
+, utillinux # nsenter
+, cni-plugins
+, iptables
+}:
+
+let
+  podman = podman-unwrapped;
+
+  binPath = lib.makeBinPath ([
+    runc
+    crun
+    conmon
+    slirp4netns
+    fuse-overlayfs
+    utillinux
+    iptables
+  ] ++ extraPackages);
+
+in runCommand podman.name {
+  inherit (podman) name pname version meta outputs;
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+} ''
+  # Symlink everything but $bin from podman-unwrapped
+  ${
+    lib.concatMapStringsSep "\n"
+      (o: "ln -s ${podman.${o}} ${placeholder o}")
+      (builtins.filter (o: o != "bin")
+        podman.outputs)}
+
+  mkdir -p $bin/bin
+  ln -s ${podman-unwrapped}/share $bin/share
+  makeWrapper ${podman-unwrapped}/bin/podman $bin/bin/podman \
+    --prefix PATH : ${binPath}
+''
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a4a88ffc1c2d..51f1a6a1db66 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5966,7 +5966,8 @@ in
   podiff = callPackage ../tools/text/podiff { };
-  podman = callPackage ../applications/virtualization/podman { };
+  podman = callPackage ../applications/virtualization/podman/wrapper.nix { };
+  podman-unwrapped = callPackage ../applications/virtualization/podman { };
   podman-compose = python3Packages.callPackage ../applications/virtualization/podman-compose {};
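Review bot: The `podman` and `cni-plugins` function arguments are never used: `podman` is immediately shadowed by `podman = podman-unwrapped;` in the `let`, and because all-packages.nix in this same commit binds `podman` to this wrapper, the argument would be a self-reference if it were ever evaluated. Dropping `, podman # Docker compat` and `, cni-plugins` from the argument set removes the now-misleading "Docker compat" comment together with the unused inputs (the old comments were carried over from the systemPackages list this wrapper replaces). Separately, `--prefix PATH : ${binPath}` puts the pinned runc/crun/conmon ahead of whatever the caller has on PATH, which looks deliberate and deserves a comment such as `# prefix, not suffix: the pinned runtimes must win over the caller's PATH`. The body also alternates between `podman` and `podman-unwrapped` for the same derivation (`${podman.${o}}` vs. `${podman-unwrapped}/share`); using one name throughout would read more clearly.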