We just released a project that does exactly this. Images that only reference Nix packages but does not contain them, then the container runtime is extended in a first-class way to bind mount all the packages into the container and nothing else.
See: Nix-snapshotter: Native understanding of Nix packages for containerd