diff --git a/bootc-base-imagectl b/bootc-base-imagectl
index 446d931..b20077b 100755
--- a/bootc-base-imagectl
+++ b/bootc-base-imagectl
@@ -50,8 +50,8 @@ def run_build_rootfs(args):
 override_manifest['documentation'] = False
 if args.sysusers:
 override_manifest['sysusers'] = 'compose-forced'
- override_manifest['check-passwd'] = {'type': 'none'}
- override_manifest['check-groups'] = {'type': 'none'}
+ passwd_mode = 'nobody' if args.nobody_99 else 'none'
+ override_manifest['variables'] = {'passwd_mode': passwd_mode}
 tmp_manifest = None
 if override_manifest:
@@ -153,6 +153,7 @@ if __name__ == "__main__":
 build_rootfs.add_argument("--add-dir", help='Copy dir contents into the target', action='append', default=[], metavar='DIR')
 build_rootfs.add_argument("--no-docs", help="Don't install documentation", action='store_true')
 build_rootfs.add_argument("--sysusers", help="Run systemd-sysusers instead of injecting hardcoded passwd/group entries", action='store_true')
+ build_rootfs.add_argument("--nobody-99", help=argparse.SUPPRESS, action='store_true')
 build_rootfs.add_argument("source_root", help="Path to the source root directory used for dnf configuration (default=/)", nargs='?', default='/')
 build_rootfs.add_argument("target", help="Path to the target root directory that will be generated.")
 build_rootfs.set_defaults(func=run_build_rootfs)
diff --git a/minimal/check-passwd-nobody.yaml b/minimal/check-passwd-nobody.yaml
new file mode 100644
index 0000000..b7d3ba3
--- /dev/null
+++ b/minimal/check-passwd-nobody.yaml
@@ -0,0 +1,6 @@
+check-passwd:
+ type: "file"
+ filename: "passwd-nobody"
+check-groups:
+ type: "file"
+ filename: "group-nobody"
diff --git a/minimal/check-passwd.yaml b/minimal/check-passwd.yaml
new file mode 100644
index 0000000..3af2114
--- /dev/null
+++ b/minimal/check-passwd.yaml
@@ -0,0 +1,6 @@
+check-passwd:
+ type: "file"
+ filename: "passwd"
+check-groups:
+ type: "file"
+ filename: "group"
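Review bot: In the `run_build_rootfs` hunk of bootc-base-imagectl, `args.nobody_99` is only read inside the `if args.sysusers:` branch, so `--nobody-99` without `--sysusers` is silently ignored and the build keeps the `passwd_mode: full` default from minimal/manifest.yaml. The flag exists to keep `nobody` at UID/GID 99 on systems that already have files owned by that ID, so a silent no-op can produce an image with a different mapping than the operator asked for. Reject the combination before the manifest is written, e.g. `if args.nobody_99 and not args.sysusers: raise SystemExit("--nobody-99 requires --sysusers")`. The page has flattened the indentation, so the nesting is inferred from statement order, and `run_build_rootfs` begins and ends outside the hunk.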
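Review bot: The `--nobody-99` argument added in the `__main__` hunk of bootc-base-imagectl is hidden with `help=argparse.SUPPRESS`, and nothing next to it records why it is hidden or what it depends on. A comment above the call would make the contract visible to the next maintainer, e.g. `# Hidden legacy switch: selects minimal/passwd-nobody and group-nobody (nobody = 99); only read when --sysusers is set`. The `if __name__ == "__main__":` block continues outside the hunk.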
diff --git a/minimal/group-nobody b/minimal/group-nobody
new file mode 100644
index 0000000..f2d71b6
--- /dev/null
+++ b/minimal/group-nobody
@@ -0,0 +1,4 @@
+# this is used with the --nobody-99 option for backwards compatibility with
+# systems that had nobody set to 99
+nobody:x:99:
+nfsnobody:x:65534:
diff --git a/minimal/manifest.yaml b/minimal/manifest.yaml
index 544447b..646dc26 100644
--- a/minimal/manifest.yaml
+++ b/minimal/manifest.yaml
@@ -3,6 +3,9 @@ metadata: edition: "2024" +variables: + passwd_mode: full + # Be minimal recommends: false
diff --git a/minimal/passwd-nobody b/minimal/passwd-nobody
new file mode 100644
index 0000000..44d2866
--- /dev/null
+++ b/minimal/passwd-nobody
@@ -0,0 +1,4 @@
+# this is used with the --nobody-99 option for backwards compatibility with
+# systems that had nobody set to 99
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
diff --git a/minimal/postprocess-conf.yaml b/minimal/postprocess-conf.yaml
index b1f6f95..6c3894a 100644
--- a/minimal/postprocess-conf.yaml
+++ b/minimal/postprocess-conf.yaml
@@ -24,9 +24,14 @@ etc-group-members: - tss # https://issues.redhat.com/browse/BIFROST-618 - adm
-check-passwd:
- type: "file"
- filename: "passwd"
-check-groups:
- type: "file"
- filename: "group"
+conditional-include:
+ - if: passwd_mode == "full"
+ include: check-passwd.yaml
+ - if: passwd_mode == "nobody"
+ include: check-passwd-nobody.yaml
+ - if: passwd_mode == "none"
+ include:
+ check-passwd:
+ type: "none"
+ check-groups:
+ type: "none"
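Review bot: In minimal/passwd-nobody the `nobody` entry at UID 99 carries the description "Kernel Overflow User", but the kernel's default overflow ID is 65534, which this layout assigns to `nfsnobody`. Files with unmapped owners will therefore be listed as `nfsnobody`, which can confuse anyone auditing ownership on an image built this way. Extend the header comment to say so, e.g. `# in this layout 65534 (the kernel overflow id) is nfsnobody; nobody is the legacy 99`. minimal/group-nobody has the same two-line header and would take the same addition.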
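Review bot: The `conditional-include` list in minimal/postprocess-conf.yaml has no fallback branch, so any `passwd_mode` other than `full`, `nobody` or `none` matches nothing. The manifest then carries no `check-passwd`/`check-groups` setting, and the UID/GID check falls to whatever rpm-ostree applies by default. The value is a free-form string set both in minimal/manifest.yaml and in the override written by bootc-base-imagectl, so a typo in either place would go unnoticed at build time. Document the accepted values beside the default in minimal/manifest.yaml, e.g. `# passwd_mode: full | nobody | none (selects the check-passwd include in postprocess-conf.yaml)`, and repeat the list in a comment above `conditional-include:`.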