diff --git a/Dockerfile b/Dockerfile
index f9f18c0ff..9a97ac485 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,94 +4,122 @@
 
 ARG TOOLS
 ARG PKGS
-ARG PKG_KERNEL
 ARG EXTRAS
 ARG INSTALLER_ARCH
+
 ARG PKGS_PREFIX
+ARG PKG_FHS
+ARG PKG_CA_CERTIFICATES
+ARG PKG_CRYPTSETUP
+ARG PKG_CONTAINERD
+ARG PKG_DOSFSTOOLS
+ARG PKG_EUDEV
+ARG PKG_GRUB
+ARG PKG_SD_BOOT
+ARG PKG_IPTABLES
+ARG PKG_IPXE
+ARG PKG_LIBINIH
+ARG PKG_LIBJSON_C
+ARG PKG_LIBPOPT
+ARG PKG_LIBURCU
+ARG PKG_OPENSSL
+ARG PKG_LIBSECCOMP
+ARG PKG_LINUX_FIRMWARE
+ARG PKG_LVM2
+ARG PKG_LIBAIO
+ARG PKG_MUSL
+ARG PKG_RUNC
+ARG PKG_XFSPROGS
+ARG PKG_UTIL_LINUX
+ARG PKG_KMOD
+ARG PKG_U_BOOT
+ARG PKG_RASPBERYPI_FIRMWARE
+ARG PKG_KERNEL
+ARG PKG_TALOSCTL_CNI_BUNDLE_INSTALL
 
 # Resolve package images using ${PKGS} to be used later in COPY --from=.
 
-FROM ${PKGS_PREFIX}/fhs:${PKGS} AS pkg-fhs
-FROM ${PKGS_PREFIX}/ca-certificates:${PKGS} AS pkg-ca-certificates
+FROM ${PKG_FHS} AS pkg-fhs
+FROM ${PKG_CA_CERTIFICATES} AS pkg-ca-certificates
 
-FROM --platform=amd64 ${PKGS_PREFIX}/cryptsetup:${PKGS} AS pkg-cryptsetup-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/cryptsetup:${PKGS} AS pkg-cryptsetup-arm64
+FROM --platform=amd64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-amd64
+FROM --platform=arm64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/containerd:${PKGS} AS pkg-containerd-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/containerd:${PKGS} AS pkg-containerd-arm64
+FROM --platform=amd64 ${PKG_CONTAINERD} AS pkg-containerd-amd64
+FROM --platform=arm64 ${PKG_CONTAINERD} AS pkg-containerd-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/dosfstools:${PKGS} AS pkg-dosfstools-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/dosfstools:${PKGS} AS pkg-dosfstools-arm64
+FROM --platform=amd64 ${PKG_DOSFSTOOLS} AS pkg-dosfstools-amd64
+FROM --platform=arm64 ${PKG_DOSFSTOOLS} AS pkg-dosfstools-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/eudev:${PKGS} AS pkg-eudev-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/eudev:${PKGS} AS pkg-eudev-arm64
+FROM --platform=amd64 ${PKG_EUDEV} AS pkg-eudev-amd64
+FROM --platform=arm64 ${PKG_EUDEV} AS pkg-eudev-arm64
 
-FROM ${PKGS_PREFIX}/grub:${PKGS} AS pkg-grub
-FROM --platform=amd64 ${PKGS_PREFIX}/grub:${PKGS} AS pkg-grub-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/grub:${PKGS} AS pkg-grub-arm64
+FROM ${PKG_GRUB} AS pkg-grub
+FROM --platform=amd64 ${PKG_GRUB} AS pkg-grub-amd64
+FROM --platform=arm64 ${PKG_GRUB} AS pkg-grub-arm64
 
-FROM ${PKGS_PREFIX}/sd-boot:${PKGS} AS pkg-sd-boot
-FROM --platform=amd64 ${PKGS_PREFIX}/sd-boot:${PKGS} AS pkg-sd-boot-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/sd-boot:${PKGS} AS pkg-sd-boot-arm64
+FROM ${PKG_SD_BOOT} AS pkg-sd-boot
+FROM --platform=amd64 ${PKG_SD_BOOT} AS pkg-sd-boot-amd64
+FROM --platform=arm64 ${PKG_SD_BOOT} AS pkg-sd-boot-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/iptables:${PKGS} AS pkg-iptables-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/iptables:${PKGS} AS pkg-iptables-arm64
+FROM --platform=amd64 ${PKG_IPTABLES} AS pkg-iptables-amd64
+FROM --platform=arm64 ${PKG_IPTABLES} AS pkg-iptables-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/ipxe:${PKGS} AS pkg-ipxe-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/ipxe:${PKGS} AS pkg-ipxe-arm64
+FROM --platform=amd64 ${PKG_IPXE} AS pkg-ipxe-amd64
+FROM --platform=arm64 ${PKG_IPXE} AS pkg-ipxe-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/libinih:${PKGS} AS pkg-libinih-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/libinih:${PKGS} AS pkg-libinih-arm64
+FROM --platform=amd64 ${PKG_LIBINIH} AS pkg-libinih-amd64
+FROM --platform=arm64 ${PKG_LIBINIH} AS pkg-libinih-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/libjson-c:${PKGS} AS pkg-libjson-c-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/libjson-c:${PKGS} AS pkg-libjson-c-arm64
+FROM --platform=amd64 ${PKG_LIBJSON_C} AS pkg-libjson-c-amd64
+FROM --platform=arm64 ${PKG_LIBJSON_C} AS pkg-libjson-c-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/libpopt:${PKGS} AS pkg-libpopt-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/libpopt:${PKGS} AS pkg-libpopt-arm64
+FROM --platform=amd64 ${PKG_LIBPOPT} AS pkg-libpopt-amd64
+FROM --platform=arm64 ${PKG_LIBPOPT} AS pkg-libpopt-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/liburcu:${PKGS} AS pkg-liburcu-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/liburcu:${PKGS} AS pkg-liburcu-arm64
+FROM --platform=amd64 ${PKG_LIBURCU} AS pkg-liburcu-amd64
+FROM --platform=arm64 ${PKG_LIBURCU} AS pkg-liburcu-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/openssl:${PKGS} AS pkg-openssl-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/openssl:${PKGS} AS pkg-openssl-arm64
+FROM --platform=amd64 ${PKG_OPENSSL} AS pkg-openssl-amd64
+FROM --platform=arm64 ${PKG_OPENSSL} AS pkg-openssl-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/libseccomp:${PKGS} AS pkg-libseccomp-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/libseccomp:${PKGS} AS pkg-libseccomp-arm64
+FROM --platform=amd64 ${PKG_LIBSECCOMP} AS pkg-libseccomp-amd64
+FROM --platform=arm64 ${PKG_LIBSECCOMP} AS pkg-libseccomp-arm64
 
 # linux-firmware is not arch-specific
-FROM --platform=amd64 ${PKGS_PREFIX}/linux-firmware:${PKGS} AS pkg-linux-firmware
+FROM --platform=amd64 ${PKG_LINUX_FIRMWARE} AS pkg-linux-firmware
 
-FROM --platform=amd64 ${PKGS_PREFIX}/lvm2:${PKGS} AS pkg-lvm2-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/lvm2:${PKGS} AS pkg-lvm2-arm64
+FROM --platform=amd64 ${PKG_LVM2} AS pkg-lvm2-amd64
+FROM --platform=arm64 ${PKG_LVM2} AS pkg-lvm2-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/libaio:${PKGS} AS pkg-libaio-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/libaio:${PKGS} AS pkg-libaio-arm64
+FROM --platform=amd64 ${PKG_LIBAIO} AS pkg-libaio-amd64
+FROM --platform=arm64 ${PKG_LIBAIO} AS pkg-libaio-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/musl:${PKGS} AS pkg-musl-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/musl:${PKGS} AS pkg-musl-arm64
+FROM --platform=amd64 ${PKG_MUSL} AS pkg-musl-amd64
+FROM --platform=arm64 ${PKG_MUSL} AS pkg-musl-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/runc:${PKGS} AS pkg-runc-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/runc:${PKGS} AS pkg-runc-arm64
+FROM --platform=amd64 ${PKG_RUNC} AS pkg-runc-amd64
+FROM --platform=arm64 ${PKG_RUNC} AS pkg-runc-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/xfsprogs:${PKGS} AS pkg-xfsprogs-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/xfsprogs:${PKGS} AS pkg-xfsprogs-arm64
+FROM --platform=amd64 ${PKG_XFSPROGS} AS pkg-xfsprogs-amd64
+FROM --platform=arm64 ${PKG_XFSPROGS} AS pkg-xfsprogs-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/util-linux:${PKGS} AS pkg-util-linux-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/util-linux:${PKGS} AS pkg-util-linux-arm64
+FROM --platform=amd64 ${PKG_UTIL_LINUX} AS pkg-util-linux-amd64
+FROM --platform=arm64 ${PKG_UTIL_LINUX} AS pkg-util-linux-arm64
 
-FROM --platform=amd64 ${PKGS_PREFIX}/kmod:${PKGS} AS pkg-kmod-amd64
-FROM --platform=arm64 ${PKGS_PREFIX}/kmod:${PKGS} AS pkg-kmod-arm64
+FROM --platform=amd64 ${PKG_KMOD} AS pkg-kmod-amd64
+FROM --platform=arm64 ${PKG_KMOD} AS pkg-kmod-arm64
 
 FROM ${PKG_KERNEL} AS pkg-kernel
 FROM --platform=amd64 ${PKG_KERNEL} AS pkg-kernel-amd64
 FROM --platform=arm64 ${PKG_KERNEL} AS pkg-kernel-arm64
 
-FROM --platform=arm64 ${PKGS_PREFIX}/u-boot:${PKGS} AS pkg-u-boot-arm64
-FROM --platform=arm64 ${PKGS_PREFIX}/raspberrypi-firmware:${PKGS} AS pkg-raspberrypi-firmware-arm64
+FROM --platform=arm64 ${PKG_U_BOOT} AS pkg-u-boot-arm64
+FROM --platform=arm64 ${PKG_RASPBERYPI_FIRMWARE} AS pkg-raspberrypi-firmware-arm64
 
 # Resolve package images using ${EXTRAS} to be used later in COPY --from=.
 
-FROM ${PKGS_PREFIX}/talosctl-cni-bundle-install:${EXTRAS} AS extras-talosctl-cni-bundle-install
+FROM ${PKG_TALOSCTL_CNI_BUNDLE_INSTALL} AS extras-talosctl-cni-bundle-install
 
 # The tools target provides base toolchain for the build.
 
diff --git a/Makefile b/Makefile
index b5e71f98d..6c64f4de8 100644
--- a/Makefile
+++ b/Makefile
@@ -16,10 +16,40 @@ CLOUD_IMAGES_EXTRA_ARGS ?= ""
 
 ARTIFACTS := _out
 TOOLS ?= ghcr.io/siderolabs/tools:v1.7.0-alpha.0-5-gf4b41d1
+
 PKGS_PREFIX ?= ghcr.io/siderolabs
 PKGS ?= v1.7.0-alpha.0-19-g96cc841
-PKG_KERNEL ?= $(PKGS_PREFIX)/kernel:$(PKGS)
 EXTRAS ?= v1.7.0-alpha.0
+
+PKG_FHS ?= $(PKGS_PREFIX)/fhs:$(PKGS)
+PKG_CA_CERTIFICATES ?= $(PKGS_PREFIX)/ca-certificates:$(PKGS)
+PKG_CRYPTSETUP ?= $(PKGS_PREFIX)/cryptsetup:$(PKGS)
+PKG_CONTAINERD ?= $(PKGS_PREFIX)/containerd:$(PKGS)
+PKG_DOSFSTOOLS ?= $(PKGS_PREFIX)/dosfstools:$(PKGS)
+PKG_EUDEV ?= $(PKGS_PREFIX)/eudev:$(PKGS)
+PKG_GRUB ?= $(PKGS_PREFIX)/grub:$(PKGS)
+PKG_SD_BOOT ?= $(PKGS_PREFIX)/sd-boot:$(PKGS)
+PKG_IPTABLES ?= $(PKGS_PREFIX)/iptables:$(PKGS)
+PKG_IPXE ?= $(PKGS_PREFIX)/ipxe:$(PKGS)
+PKG_LIBINIH ?= $(PKGS_PREFIX)/libinih:$(PKGS)
+PKG_LIBJSON_C ?= $(PKGS_PREFIX)/libjson-c:$(PKGS)
+PKG_LIBPOPT ?= $(PKGS_PREFIX)/libpopt:$(PKGS)
+PKG_LIBURCU ?= $(PKGS_PREFIX)/liburcu:$(PKGS)
+PKG_OPENSSL ?= $(PKGS_PREFIX)/openssl:$(PKGS)
+PKG_LIBSECCOMP ?= $(PKGS_PREFIX)/libseccomp:$(PKGS)
+PKG_LINUX_FIRMWARE ?= $(PKGS_PREFIX)/linux-firmware:$(PKGS)
+PKG_LVM2 ?= $(PKGS_PREFIX)/lvm2:$(PKGS)
+PKG_LIBAIO ?= $(PKGS_PREFIX)/libaio:$(PKGS)
+PKG_MUSL ?= $(PKGS_PREFIX)/musl:$(PKGS)
+PKG_RUNC ?= $(PKGS_PREFIX)/runc:$(PKGS)
+PKG_XFSPROGS ?= $(PKGS_PREFIX)/xfsprogs:$(PKGS)
+PKG_UTIL_LINUX ?= $(PKGS_PREFIX)/util-linux:$(PKGS)
+PKG_KMOD ?= $(PKGS_PREFIX)/kmod:$(PKGS)
+PKG_U_BOOT ?= $(PKGS_PREFIX)/u-boot:$(PKGS)
+PKG_RASPBERYPI_FIRMWARE ?= $(PKGS_PREFIX)/raspberrypi-firmware:$(PKGS)
+PKG_KERNEL ?= $(PKGS_PREFIX)/kernel:$(PKGS)
+PKG_TALOSCTL_CNI_BUNDLE_INSTALL ?= $(PKGS_PREFIX)/talosctl-cni-bundle-install:$(EXTRAS)
+
 # renovate: datasource=github-tags depName=golang/go
 GO_VERSION ?= 1.21
 # renovate: datasource=go depName=golang.org/x/tools
@@ -115,7 +145,6 @@ COMMON_ARGS += --platform=$(PLATFORM)
 COMMON_ARGS += --push=$(PUSH)
 COMMON_ARGS += --build-arg=TOOLS=$(TOOLS)
 COMMON_ARGS += --build-arg=PKGS=$(PKGS)
-COMMON_ARGS += --build-arg=PKG_KERNEL=$(PKG_KERNEL)
 COMMON_ARGS += --build-arg=EXTRAS=$(EXTRAS)
 COMMON_ARGS += --build-arg=GOFUMPT_VERSION=$(GOFUMPT_VERSION)
 COMMON_ARGS += --build-arg=GOIMPORTS_VERSION=$(GOIMPORTS_VERSION)
@@ -146,6 +175,34 @@ COMMON_ARGS += --build-arg=SHA=$(SHA)
 COMMON_ARGS += --build-arg=USERNAME=$(USERNAME)
 COMMON_ARGS += --build-arg=REGISTRY=$(REGISTRY)
 COMMON_ARGS += --build-arg=PKGS_PREFIX=$(PKGS_PREFIX)
+COMMON_ARGS += --build-arg=PKG_FHS=$(PKG_FHS)
+COMMON_ARGS += --build-arg=PKG_CA_CERTIFICATES=$(PKG_CA_CERTIFICATES)
+COMMON_ARGS += --build-arg=PKG_CRYPTSETUP=$(PKG_CRYPTSETUP)
+COMMON_ARGS += --build-arg=PKG_CONTAINERD=$(PKG_CONTAINERD)
+COMMON_ARGS += --build-arg=PKG_DOSFSTOOLS=$(PKG_DOSFSTOOLS)
+COMMON_ARGS += --build-arg=PKG_EUDEV=$(PKG_EUDEV)
+COMMON_ARGS += --build-arg=PKG_GRUB=$(PKG_GRUB)
+COMMON_ARGS += --build-arg=PKG_SD_BOOT=$(PKG_SD_BOOT)
+COMMON_ARGS += --build-arg=PKG_IPTABLES=$(PKG_IPTABLES)
+COMMON_ARGS += --build-arg=PKG_IPXE=$(PKG_IPXE)
+COMMON_ARGS += --build-arg=PKG_LIBINIH=$(PKG_LIBINIH)
+COMMON_ARGS += --build-arg=PKG_LIBJSON_C=$(PKG_LIBJSON_C)
+COMMON_ARGS += --build-arg=PKG_LIBPOPT=$(PKG_LIBPOPT)
+COMMON_ARGS += --build-arg=PKG_LIBURCU=$(PKG_LIBURCU)
+COMMON_ARGS += --build-arg=PKG_OPENSSL=$(PKG_OPENSSL)
+COMMON_ARGS += --build-arg=PKG_LIBSECCOMP=$(PKG_LIBSECCOMP)
+COMMON_ARGS += --build-arg=PKG_LINUX_FIRMWARE=$(PKG_LINUX_FIRMWARE)
+COMMON_ARGS += --build-arg=PKG_LVM2=$(PKG_LVM2)
+COMMON_ARGS += --build-arg=PKG_LIBAIO=$(PKG_LIBAIO)
+COMMON_ARGS += --build-arg=PKG_MUSL=$(PKG_MUSL)
+COMMON_ARGS += --build-arg=PKG_RUNC=$(PKG_RUNC)
+COMMON_ARGS += --build-arg=PKG_XFSPROGS=$(PKG_XFSPROGS)
+COMMON_ARGS += --build-arg=PKG_UTIL_LINUX=$(PKG_UTIL_LINUX)
+COMMON_ARGS += --build-arg=PKG_KMOD=$(PKG_KMOD)
+COMMON_ARGS += --build-arg=PKG_U_BOOT=$(PKG_U_BOOT)
+COMMON_ARGS += --build-arg=PKG_RASPBERYPI_FIRMWARE=$(PKG_RASPBERYPI_FIRMWARE)
+COMMON_ARGS += --build-arg=PKG_KERNEL=$(PKG_KERNEL)
+COMMON_ARGS += --build-arg=PKG_TALOSCTL_CNI_BUNDLE_INSTALL=$(PKG_TALOSCTL_CNI_BUNDLE_INSTALL)
 COMMON_ARGS += --build-arg=ABBREV_TAG=$(ABBREV_TAG)
 
 CI_ARGS ?=
diff --git a/website/content/v1.7/advanced/building-images.md b/website/content/v1.7/advanced/building-images.md
index beabf0e18..c215fb812 100644
--- a/website/content/v1.7/advanced/building-images.md
+++ b/website/content/v1.7/advanced/building-images.md
@@ -39,6 +39,7 @@ When [customizing Linux kernel]({{< relref "customizing-the-kernel" >}}), the so
 be overridden with:
 
 * if you built and pushed only a custom `kernel` package, the reference can be overridden with `PKG_KERNEL` variable: `make <target> PKG_KERNEL=<registry>/<username>/kernel:<tag>`
+* if any other single package was customized, the reference can be overridden with `PKG_<pkg>` (e.g. `PKG_IPTABLES`) variable: `make <target> PKG_<pkg>=<registry>/<username>/<pkg>:<tag>`
 * if the full `pkgs` repository was built and pushed, the references can be overridden with `PKGS_PREFIX` and `PKGS` variables: `make <target> PKG_PREFIX=<registry>/<username> PKGS=<tag>`
 
 ## Customizations