diff --git a/board/alix/ROOTFS b/board/alix/ROOTFS index 702f748..33b7550 100644 --- a/board/alix/ROOTFS +++ b/board/alix/ROOTFS @@ -1,32 +1,9 @@ -coreutils -bash -bash-completion linux_modules -nano -util-linux kmod -grep -less -xz -gzip -bzip2 -tar -diffutils -findutils -sed -gawk inetutils ethtool iproute2 -unbound -dnsmasq -shadow -openrc -procps-ng -psmisc -file iana-etc btrfs-progs dosfstools -openssh nftables diff --git a/board/rpi3/ROOTFS b/board/rpi3/ROOTFS index 5e364ea..e91f032 100644 --- a/board/rpi3/ROOTFS +++ b/board/rpi3/ROOTFS @@ -1,34 +1,11 @@ -coreutils -bash -bash-completion linux_modules -firmware-rpi3 -nano -util-linux kmod -grep -less -xz -gzip -bzip2 -tar -diffutils -findutils -sed -gawk inetutils ethtool iproute2 -unbound -dnsmasq -shadow -openrc -procps-ng -psmisc -file iana-etc btrfs-progs dosfstools -kbd -openssh nftables +kbd +firmware-rpi3 diff --git a/mk.sh b/mk.sh index 73fd269..372ddb9 100755 --- a/mk.sh +++ b/mk.sh @@ -2,12 +2,13 @@ set -e -if [ ! $# -eq 1 ]; then - echo "usage: $0 " +if [ ! $# -eq 2 ]; then + echo "usage: $0 " exit 1 fi BOARD="$1" +PRODUCT="$2" ################################ basic setup ################################ BUILDROOT=$(pwd) 
@@ -15,14 +16,31 @@ SCRIPTDIR=$(cd $(dirname "${BASH_SOURCE[0]}") && pwd) NUMJOBS=$(grep -e "^processor" /proc/cpuinfo | wc -l) HOSTTUPLE=$($SCRIPTDIR/util/config.guess) -TCDIR="$BUILDROOT/$BOARD/toolchain" -PKGBUILDDIR="$BUILDROOT/$BOARD/build" +if [ ! -d "$SCRIPTDIR/product/$PRODUCT" ]; then + echo "No configuration for this product: $PRODUCT" + exit 1 +fi + +if [ ! -d "$SCRIPTDIR/board/$BOARD" ]; then + echo "No configuration for this board: $BOARD" + exit 1 +fi + +if [ -e "$SCRIPTDIR/product/$PRODUCT/BOARDS" ]; then + if ! grep -q "$BOARD" "$SCRIPTDIR/product/$PRODUCT/BOARDS"; then + echo "Error, $PRODUCT cannot be built for $BOARD" + exit 1 + fi +fi + +TCDIR="$BUILDROOT/${BOARD}-${PRODUCT}/toolchain" +PKGBUILDDIR="$BUILDROOT/${BOARD}-${PRODUCT}/build" PKGSRCDIR="$BUILDROOT/src" -PKGDEPLOYDIR="$BUILDROOT/$BOARD/deploy" -PKGDEVDEPLOYDIR="$BUILDROOT/$BOARD/deploy-dev" -PKGLOGDIR="$BUILDROOT/$BOARD/log" +PKGDEPLOYDIR="$BUILDROOT/${BOARD}-${PRODUCT}/deploy" +PKGDEVDEPLOYDIR="$BUILDROOT/${BOARD}-${PRODUCT}/deploy-dev" +PKGLOGDIR="$BUILDROOT/${BOARD}-${PRODUCT}/log" PKGDOWNLOADDIR="$BUILDROOT/download" -PACKAGELIST="$BUILDROOT/$BOARD/pkglist" +PACKAGELIST="$BUILDROOT/${BOARD}-${PRODUCT}/pkglist" mkdir -p "$PKGDOWNLOADDIR" "$PKGSRCDIR" "$PKGLOGDIR" mkdir -p "$PKGDEPLOYDIR" "$PKGDEVDEPLOYDIR" "$TCDIR/bin" diff --git a/pkg/dnsmasq/build b/pkg/dnsmasq/build index 6059c9a..6f1f5b0 100644 --- a/pkg/dnsmasq/build +++ b/pkg/dnsmasq/build @@ -26,5 +26,12 @@ deploy() { rm -r "$DEPLOY/share" mkdir -p "$DEPLOY/etc" - cp "$SOURCE/dnsmasq.conf.example" "$DEPLOY/etc/dnsmasq.conf" + + cat_file_override "dnsmasq.conf" > "$DEPLOY/etc/dnsmasq.conf" + + if [ ! -s "$DEPLOY/etc/dnsmasq.conf" ]; then + cp "$SOURCE/dnsmasq.conf.example" "$DEPLOY/etc/dnsmasq.conf" + fi + + mkdir -p "$DEPLOY/etc/dnsmasq.d" } diff --git a/pkg/linux-rpi3/build b/pkg/linux-rpi3/build index 3141fc8..dea2155 100755 --- a/pkg/linux-rpi3/build +++ b/pkg/linux-rpi3/build 
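Review bot: The BOARDS check `grep -q "$BOARD" …` treats the board name as a regular expression and accepts substring matches, so a name that is only part of a listed entry passes; `grep -qxF -- "$BOARD" "$SCRIPTDIR/product/$PRODUCT/BOARDS"` compares whole lines literally. `$BOARD` and `$PRODUCT` also go unvalidated into the `-d` tests and into `$BUILDROOT/${BOARD}-${PRODUCT}/…`, so a value containing `/` or `..` lets `mkdir -p` create the build tree outside the expected directory. A guard such as `case "$BOARD$PRODUCT" in */*|*..*) echo "invalid board or product name" >&2; exit 1;; esac` ahead of the directory checks would stop that. The three new error messages go to stdout; adding `>&2` keeps them out of captured output. This is top-level script code that continues past the hunk.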
@@ -15,7 +15,7 @@ build() { export KBUILD_OUTPUT="$PKGBUILDDIR" make -C "$1" O="$PKGBUILDDIR" ARCH="arm" CROSS_COMPILE="${TARGET}-" mrproper - cp "$SCRIPTDIR/board/$BOARD/linux.config" "$PKGBUILDDIR/.config" + cat_file_override "linux.config" > "$PKGBUILDDIR/.config" sed -i "$PKGBUILDDIR/.config" -e 's,^CONFIG_CROSS_COMPILE=.*,CONFIG_CROSS_COMPILE="'$TARGET'-",' sed -i "$PKGBUILDDIR/.config" -e 's,^CONFIG_INITRAMFS_SOURCE=.*,CONFIG_INITRAMFS_SOURCE="'$INITRDLIST'",' make -C "$1" O="$PKGBUILDDIR" ARCH="arm" CROSS_COMPILE="${TARGET}-" oldconfig diff --git a/pkg/linux/build b/pkg/linux/build index 5541250..09372f7 100755 --- a/pkg/linux/build +++ b/pkg/linux/build @@ -14,13 +14,12 @@ prepare() { } build() { - local CFGFILE="$SCRIPTDIR/board/$BOARD/linux.config" local INITRDLIST="$PKGDEPLOYDIR/initrd/initrd.list" export KBUILD_OUTPUT="$PKGBUILDDIR" make -C "$1" O="$PKGBUILDDIR" ARCH="$LINUX_CPU" CROSS_COMPILE="${TARGET}-" mrproper - cp "$CFGFILE" "$PKGBUILDDIR/.config" + cat_file_override "linux.config" > "$PKGBUILDDIR/.config" make -C "$1" O="$PKGBUILDDIR" ARCH="$LINUX_CPU" CROSS_COMPILE="${TARGET}-" oldconfig sed -i "$PKGBUILDDIR/.config" -e 's,^CONFIG_CROSS_COMPILE=.*,CONFIG_CROSS_COMPILE="'$TARGET'-",' diff --git a/pkg/linux_modules/build b/pkg/linux_modules/build index 0cbec61..dc035f2 100755 --- a/pkg/linux_modules/build +++ b/pkg/linux_modules/build @@ -5,7 +5,7 @@ DEPENDS="toolchain" build() { export KBUILD_OUTPUT="$PKGBUILDDIR" make -C "$1" O="$PKGBUILDDIR" ARCH="$LINUX_CPU" CROSS_COMPILE="${TARGET}-" mrproper - cp "$SCRIPTDIR/board/$BOARD/linux.config" "$PKGBUILDDIR/.config" + cat_file_override "linux.config" > "$PKGBUILDDIR/.config" make -C "$1" O="$PKGBUILDDIR" ARCH="$LINUX_CPU" CROSS_COMPILE="${TARGET}-" oldconfig sed -i "$PKGBUILDDIR/.config" -e 's,^CONFIG_CROSS_COMPILE=.*,CONFIG_CROSS_COMPILE="'$TARGET'-",' diff --git a/pkg/musl/build b/pkg/musl/build index ddc460b..95b7470 100755 --- a/pkg/musl/build +++ b/pkg/musl/build 
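Review bot: A missing `linux.config` no longer produces an error at `cat_file_override "linux.config" > "$PKGBUILDDIR/.config"`. The helper added in util/misc.sh prints nothing and returns 0 when none of its four candidate paths exists, so the redirect leaves an empty `.config` and `oldconfig` carries on, presumably filling in kernel defaults, whereas the removed `cp` returned an error. The same applies to the identical lines in pkg/linux/build and pkg/linux_modules/build. A check right after the redirect, `[ -s "$PKGBUILDDIR/.config" ] || { echo "no linux.config for $BOARD/$PRODUCT" >&2; return 1; }`, keeps a build from silently shipping a kernel without the board's intended configuration. Each `build()` body continues outside its hunk.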
@@ -28,11 +28,7 @@ deploy() { mkdir -p "$DEPLOY/etc" - echo "/lib" > "$DEPLOY/etc/ld-musl-${MUSL_CPU}.path" - - if [ -e "$SCRIPTDIR/board/$BOARD/LDPATH" ]; then - cat "$SCRIPTDIR/board/$BOARD/LDPATH" >> "$DEPLOY/etc/ld-musl-${MUSL_CPU}.path" - fi + cat_file_merge "LDPATH" > "$DEPLOY/etc/ld-musl-${MUSL_CPU}.path" strip_files ${DEPLOY}/lib/* } diff --git a/pkg/openrc/build b/pkg/openrc/build index 9f6991d..b764576 100755 --- a/pkg/openrc/build +++ b/pkg/openrc/build @@ -51,7 +51,12 @@ deploy() { mkdir -p ${DEPLOY}/etc/runlevels/{boot,sysinit,shutdown,default} cp -R "$SCRIPTDIR/pkg/$PKGNAME/etc" "$DEPLOY" - source "$SCRIPTDIR/board/$BOARD/INIT" + if [ -e "$SCRIPTDIR/board/$BOARD/INIT" ]; then + source "$SCRIPTDIR/board/$BOARD/INIT" + fi + if [ -e "$SCRIPTDIR/product/$PRODUCT/INIT" ]; then + source "$SCRIPTDIR/product/$PRODUCT/INIT" + fi for i in $GETTY_TTY; do cat > "$DEPLOY/etc/conf.d/agetty.$i" << _EOF diff --git a/pkg/rootfs/build b/pkg/rootfs/build index c971936..6ce5f6b 100755 --- a/pkg/rootfs/build +++ b/pkg/rootfs/build @@ -1,5 +1,4 @@ -DEPENDS=$(cat "$SCRIPTDIR/board/$BOARD/ROOTFS") -DEPENDS="$DEPENDS toolchain" +DEPENDS=$(cat_file_merge "ROOTFS" | sort -u) build() { local SOURCE="$1" diff --git a/pkg/rootfs/etc/group b/pkg/rootfs/etc/group index 6fa18a7..1863ac9 100644 --- a/pkg/rootfs/etc/group +++ b/pkg/rootfs/etc/group @@ -21,4 +21,6 @@ wheel:x:19: input:x:24: mail:x:34: sshd:x:50: +dnsmasq:x:51: +unbound:x:52: nogroup:x:99: diff --git a/pkg/rootfs/etc/passwd b/pkg/rootfs/etc/passwd index 9048da3..656ff75 100644 --- a/pkg/rootfs/etc/passwd +++ b/pkg/rootfs/etc/passwd @@ -3,4 +3,6 @@ bin:x:1:1:bin:/dev/null:/bin/false daemon:x:6:6:Daemon User:/dev/null:/bin/false messagebus:x:18:18:D-Bus Message Daemon User:/var/run/dbus:/bin/false sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false +dnsmasq:x:51:51:dnsmasq user:/dev/null:/bin/false +unbound:x:52:52:unbound user:/dev/null:/bin/false nobody:x:99:99:Unprivileged User:/dev/null:/bin/false 
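Review bot: The library search order written to `ld-musl-${MUSL_CPU}.path` changes with `cat_file_merge "LDPATH"`. The removed code wrote `/lib` first and appended the board's `LDPATH`, while `cat_file_merge` emits the product/board-specific file, then the product file, then the board file, and only last `product/common/LDPATH`, which is where `/lib` now lives. Any directory a product or board lists is therefore searched before `/lib`, so a library placed there takes precedence over the system one. If that is intended, say so next to the call, e.g. `# product and board LDPATH entries are searched before /lib (product/common is emitted last)`; if not, the common file needs to be emitted first for this caller. `deploy()` continues outside the hunk.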
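Review bot: `toolchain` is no longer an explicit dependency of rootfs, because the removed `DEPENDS="$DEPENDS toolchain"` has no replacement and none of the ROOTFS files in this commit lists it. It is now pulled in only transitively, through packages such as `linux_modules` that declare `DEPENDS="toolchain"` themselves. Keeping `DEPENDS="$DEPENDS toolchain"` after the new assignment restores the old guarantee. The merged files are also taken verbatim, so a blank or comment line in any ROOTFS file would become a package name unless it is filtered before `sort -u`.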
diff --git a/pkg/rootfs/etc/shadow b/pkg/rootfs/etc/shadow index 4ad3304..4dccbe9 100644 --- a/pkg/rootfs/etc/shadow +++ b/pkg/rootfs/etc/shadow @@ -2,4 +2,7 @@ root:$6$.Y7Zj/e9QeCB$XwqV/48JBr7DmicnnuB/n8LWV6uzBU.r/fYIlEpzQPvM.q59t1Yw4MJePLf bin:x:17569:0:99999:7::: daemon:x:17569:0:99999:7::: messagebus:x:17569:0:99999:7::: +sshd:x:17569:0:99999:7::: +dnsmasq:x:17569:0:99999:7::: +unbound:x:17569:0:99999:7::: nobody:x:17569:0:99999:7::: diff --git a/pkg/unbound/build b/pkg/unbound/build index d8363cb..e8bdc9d 100644 --- a/pkg/unbound/build +++ b/pkg/unbound/build @@ -27,6 +27,16 @@ deploy() { rm -r "$DEPLOY/share" + mkdir -p "$DEPLOY/etc/unbound/unbound.conf.d" + mkdir -p "$DEPLOY/var/lib/unbound" + + cat > "$DEPLOY/etc/unbound/unbound.conf" << _EOF +include: "/etc/unbound/unbound.conf.d/*.conf" +_EOF + + cat_file_override "unbound.conf" > \ + "$DEPLOY/etc/unbound/unbound.conf.d/server.conf" + split_dev_deploy "$DEPLOY" "$DEVDEPLOY" strip_files ${DEPLOY}/{bin,lib}/* } diff --git a/product/common/LDPATH b/product/common/LDPATH new file mode 100644 index 0000000..502167f --- /dev/null +++ b/product/common/LDPATH @@ -0,0 +1 @@ +/lib diff --git a/product/common/ROOTFS b/product/common/ROOTFS new file mode 100644 index 0000000..ae3807c --- /dev/null +++ b/product/common/ROOTFS @@ -0,0 +1,20 @@ +coreutils +bash +bash-completion +nano +util-linux +grep +less +xz +gzip +bzip2 +tar +diffutils +findutils +sed +gawk +shadow +openrc +procps-ng +psmisc +file diff --git a/product/router/BOARDS b/product/router/BOARDS new file mode 100644 index 0000000..2019f7b --- /dev/null +++ b/product/router/BOARDS @@ -0,0 +1,2 @@ +rpi3 +alix diff --git a/product/router/ROOTFS b/product/router/ROOTFS new file mode 100644 index 0000000..39750e1 --- /dev/null +++ b/product/router/ROOTFS @@ -0,0 +1,3 @@ +unbound +dnsmasq +openssh diff --git a/product/router/dnsmasq.conf.alix b/product/router/dnsmasq.conf.alix new file mode 100644 index 0000000..89cd760 --- /dev/null 
+++ b/product/router/dnsmasq.conf.alix @@ -0,0 +1,27 @@ +domain-needed +bogus-priv +no-hosts +no-resolv +dhcp-lease-max=150 +dhcp-leasefile=/var/lib/dnsmasq.leases +conf-dir=/etc/dnsmasq.d/,*.conf +user=dnsmasq +group=dnsmasq +except-interface=lo +dhcp-authoritative +enable-ra + +# forward to unbound +server=127.0.0.1#5353 + +interface=eth0 +dhcp-range=set:if0,192.168.0.2,192.168.0.254,255.255.255.0,12h +dhcp-option=tag:if0,option:dns-server,192.168.0.1 + +interface=eth1 +dhcp-range=set:if1,192.168.1.2,192.168.1.254,255.255.255.0,12h +dhcp-option=tag:if1,option:dns-server,192.168.1.1 + +interface=eth2 +dhcp-range=set:if2,192.168.2.2,192.168.2.254,255.255.255.0,12h +dhcp-option=tag:if2,option:dns-server,192.168.2.1 diff --git a/product/router/dnsmasq.conf.rpi3 b/product/router/dnsmasq.conf.rpi3 new file mode 100644 index 0000000..59e4e2b --- /dev/null +++ b/product/router/dnsmasq.conf.rpi3 @@ -0,0 +1,19 @@ +domain-needed +bogus-priv +no-hosts +no-resolv +dhcp-lease-max=150 +dhcp-leasefile=/var/lib/dnsmasq.leases +conf-dir=/etc/dnsmasq.d/,*.conf +user=dnsmasq +group=dnsmasq +except-interface=lo +dhcp-authoritative +enable-ra + +# forward to unbound +server=127.0.0.1#5353 + +interface=eth0 +dhcp-range=set:if0,192.168.0.2,192.168.0.254,255.255.255.0,12h +dhcp-option=tag:if0,option:dns-server,192.168.0.1 diff --git a/product/router/unbound.conf b/product/router/unbound.conf new file mode 100644 index 0000000..5efb4a0 --- /dev/null +++ b/product/router/unbound.conf @@ -0,0 +1,13 @@ +server: + pidfile: "/tmp/unbound.pid" + + # allow only queries from local machine on port 5353 + interface: 127.0.0.1 + access-control: 127.0.0.0/8 allow + port: 5353 + + # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" + qname-minimisation: yes + + # Root trust anchor key file for DNSSEC validation. + auto-trust-anchor-file: "/var/lib/unbound/root.key" diff --git a/util/misc.sh b/util/misc.sh index 6fc398e..d6f6911 100644 --- a/util/misc.sh +++ b/util/misc.sh 
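Review bot: Neither `bind-interfaces` nor `bind-dynamic` is set alongside the `interface=` lines, so dnsmasq binds the wildcard address and filters requests by interface itself rather than leaving other interfaces without a listening socket. Adding `bind-dynamic` (or `bind-interfaces`) narrows what is reachable if the nftables rules are ever missing or wrong; the same applies to product/router/dnsmasq.conf.rpi3. All three alix interfaces get an authoritative DHCP range; the commit does not show which one is the uplink, so it is worth confirming that none of them faces the upstream network. `enable-ra` has no IPv6 `dhcp-range` to act on here and could be dropped, or explained in a comment, until one is added.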
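Review bot: `pidfile: "/tmp/unbound.pid"` puts a file with a predictable name in a world-writable directory. If unbound writes it before dropping privileges, a local user who pre-creates that path or plants a symlink there can interfere with startup or redirect the write. A root-owned runtime directory avoids this, e.g. `pidfile: "/var/run/unbound.pid"` or wherever the image keeps runtime state. Separately, `auto-trust-anchor-file` expects `/var/lib/unbound/root.key` to exist and to be writable by the account unbound runs as. pkg/unbound/build creates the directory, but nothing visible in this commit seeds the key or sets ownership, so DNSSEC validation may not come up on a fresh image.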
@@ -1,3 +1,40 @@ +cat_file_override() { + local fname="$1" + + if [ -e "$SCRIPTDIR/product/$PRODUCT/${fname}.${BOARD}" ]; then + cat "$SCRIPTDIR/product/$PRODUCT/${fname}.${BOARD}" + return + fi + if [ -e "$SCRIPTDIR/product/$PRODUCT/$fname" ]; then + cat "$SCRIPTDIR/product/$PRODUCT/$fname" + return + fi + if [ -e "$SCRIPTDIR/board/$BOARD/$fname" ]; then + cat "$SCRIPTDIR/board/$BOARD/$fname" + return + fi + if [ -e "$SCRIPTDIR/product/common/$fname" ]; then + cat "$SCRIPTDIR/product/common/$fname" + fi +} + +cat_file_merge() { + local fname="$1" + + if [ -e "$SCRIPTDIR/product/$PRODUCT/${fname}.${BOARD}" ]; then + cat "$SCRIPTDIR/product/$PRODUCT/${fname}.${BOARD}" + fi + if [ -e "$SCRIPTDIR/product/$PRODUCT/$fname" ]; then + cat "$SCRIPTDIR/product/$PRODUCT/$fname" + fi + if [ -e "$SCRIPTDIR/board/$BOARD/$fname" ]; then + cat "$SCRIPTDIR/board/$BOARD/$fname" + fi + if [ -e "$SCRIPTDIR/product/common/$fname" ]; then + cat "$SCRIPTDIR/product/common/$fname" + fi +} + apply_patches() { local PATCH
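Review bot: Neither helper documents its search order, and every caller in this commit depends on it: first match wins in `cat_file_override`, and output order matters in `cat_file_merge` (it becomes the musl library search path). I would add above the first `# Print the first existing file among product/$PRODUCT/$1.$BOARD, product/$PRODUCT/$1, board/$BOARD/$1, product/common/$1; prints nothing and returns 0 if none exists.` and above the second `# Concatenate every existing candidate for $1, in the same order as cat_file_override.` The tests use `-e`, which also accepts a directory, in which case `cat` would fail; `-f` matches the intent of reading a regular file. The four candidate paths are spelled out twice, so a later change to the precedence has to be made in both functions.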