diff --git a/contrib/ci/minimal-site/image-customization b/contrib/ci/minimal-site/image-customization
new file mode 100644
index 0000000000000000000000000000000000000000..c11ce242c6d0544f050a9cd53eadfaaecdaa9a9c
--- /dev/null
+++ b/contrib/ci/minimal-site/image-customization
@@ -0,0 +1,16 @@
+features {
+	'autoupdater',
+	'ebtables-filter-multicast',
+	'ebtables-filter-ra-dhcp',
+	'ebtables-limit-arp',
+	'mesh-batman-adv-15',
+	'mesh-vpn-fastd',
+	'respondd',
+	'status-page',
+	'web-advanced',
+	'web-wizard',
+}
+
+if not device_class('tiny') then
+	features {'wireless-encryption-wpa3'}
+end
diff --git a/contrib/ci/olsr-site/image-customization b/contrib/ci/olsr-site/image-customization
new file mode 100644
index 0000000000000000000000000000000000000000..96b2ec426040e8d6c9ce2df9a11c02c2cd32a0ca
--- /dev/null
+++ b/contrib/ci/olsr-site/image-customization
@@ -0,0 +1,20 @@
+features {
+	'autoupdater',
+	'ebtables-filter-multicast',
+	'ebtables-filter-ra-dhcp',
+	'ebtables-limit-arp',
+	'mesh-olsrd',
+	'mesh-vpn-fastd',
+	'respondd',
+	'status-page',
+	'web-advanced',
+	'web-wizard',
+}
+
+packages {
+	'iwinfo',
+}
+
+if not device_class('tiny') then
+	features {'wireless-encryption-wpa3'}
+end
diff --git a/contrib/ci/olsr-site/site.mk b/contrib/ci/olsr-site/site.mk
index 8b4a5a434a5f8415c03dfaef8239d03f3686f103..e50d404dae2d6c4b27135348488d8ffb4b38b9d6 100644
--- a/contrib/ci/olsr-site/site.mk
+++ b/contrib/ci/olsr-site/site.mk
@@ -1,33 +1,5 @@
 ##	gluon site.mk makefile example
 
-##	GLUON_FEATURES
-#		Specify Gluon features/packages to enable;
-#		Gluon will automatically enable a set of packages
-#		depending on the combination of features listed
-
-GLUON_FEATURES := \
-	autoupdater \
-	ebtables-filter-multicast \
-	ebtables-filter-ra-dhcp \
-	ebtables-limit-arp \
-	mesh-olsrd \
-	mesh-vpn-fastd \
-	respondd \
-	status-page \
-	web-advanced \
-	web-wizard
-
-GLUON_FEATURES_standard := \
-  wireless-encryption-wpa3
-
-##	GLUON_SITE_PACKAGES
-#		Specify additional Gluon/OpenWrt packages to include here;
-#		A minus sign may be prepended to remove a packages from the
-#		selection that would be enabled by default or due to the
-#		chosen feature flags
-
-GLUON_SITE_PACKAGES := iwinfo
-
 ##	DEFAULT_GLUON_RELEASE
 #		version string to use for images
 #		gluon relies on
diff --git a/docs/dev/packages.rst b/docs/dev/packages.rst
index 5bd1f0e3300f3702d67224da353529e2e7ab672e..656f63019ffca643e71000ac023827e9f21b56c4 100644
--- a/docs/dev/packages.rst
+++ b/docs/dev/packages.rst
@@ -154,7 +154,8 @@ Feature flags
 
 Feature flags provide a convenient way to define package selections without
 making it necessary to list each package explicitly. The list of features to
-enable for a Gluon build is set by the *GLUON_FEATURES* variable in *site.mk*.
+enable for a Gluon build is determined by the evaluated image-customization file
+in the root-directory of the Site repository.
 
 The main feature flag definition file is ``package/features``, but each package
 feed can provide additional definitions in a file called ``features`` at the root
@@ -207,7 +208,7 @@ Example::
 This will
 
 * disable the inclusion of the (non-existent) packages *gluon-web-wizard* and *gluon-no-radvd* when their
-  corresponding feature flags appear in *GLUON_FEATURES*
+  corresponding feature flags are evaluated as selected in the image-customization file
 * enable four additional config mode packages when the *web-wizard* feature is enabled
 * enable *gluon-config-mode-mesh-vpn* when both *web-wizard* and one
   of *mesh-vpn-fastd* and *mesh-vpn-tunneldigger* are enabled
diff --git a/docs/features/multidomain.rst b/docs/features/multidomain.rst
index 43f343bbb604959691caa5ea8275ef3dcd0a671a..a0dc4020a42325a9fd96383609525c8f9151bc48 100644
--- a/docs/features/multidomain.rst
+++ b/docs/features/multidomain.rst
@@ -106,7 +106,7 @@ Via config mode
 ^^^^^^^^^^^^^^^
 
 To allow switching the domain via config mode, add ``config-mode-domain-select``
-to GLUON_FEATURES in site.mk.
+to the enabled features in the image-customization file.
 
 |image0|
 
diff --git a/docs/features/private-wlan.rst b/docs/features/private-wlan.rst
index 41664b73b0704b70b7e54feeea8d22b3e5e4dd3c..be4aaa125600d03cbf6851b0171d646b11e0732a 100644
--- a/docs/features/private-wlan.rst
+++ b/docs/features/private-wlan.rst
@@ -6,7 +6,7 @@ Please note that you should not enable Wired Mesh on the uplink port at the same
 
 The private WLAN is encrypted using WPA2 by default. On devices with enough flash and a supported radio,
 WPA3 or WPA2/WPA3 mixed-mode can be used instead of WPA2. For this to work, the ``wireless-encryption-wpa3``
-feature has to be added to ``GLUON_FEATURES``.
+feature has to be enabled as a feature.
 
 It is recommended to enable IEEE 802.11w management frame protection for WPA2/WPA3 networks, however this
 can lead to connectivity problems for older clients. In this case, management frame protection can be
diff --git a/docs/features/vpn.rst b/docs/features/vpn.rst
index 7a5ba77487618b157d8be017a685c47cac25e951..4636869d65af3815be34aac12773389bef05dd9b 100644
--- a/docs/features/vpn.rst
+++ b/docs/features/vpn.rst
@@ -8,7 +8,7 @@ Protocol handlers
 ^^^^^^^^^^^^^^^^^
 
 There are currently three protocol handlers which can be selected
-via ``GLUON_FEATURES`` in ``site.mk``:
+as a feature:
 
 mesh-vpn-fastd
 """"""""""""""
diff --git a/docs/multidomain-site-example/image-customization b/docs/multidomain-site-example/image-customization
new file mode 100644
index 0000000000000000000000000000000000000000..5e4cf476cdf6b16e7df57c090b0258c8524a62b4
--- /dev/null
+++ b/docs/multidomain-site-example/image-customization
@@ -0,0 +1,20 @@
+features {
+	'autoupdater',
+	'ebtables-filter-multicast',
+	'ebtables-filter-ra-dhcp',
+	'ebtables-limit-arp',
+	'mesh-batman-adv-15',
+	'mesh-vpn-fastd',
+	'respondd',
+	'status-page',
+	'web-advanced',
+	'web-wizard',
+}
+
+packages{
+	'iwinfo',
+}
+
+if not device_class('tiny') then
+	features {'wireless-encryption-wpa3'}
+end
diff --git a/docs/multidomain-site-example/site.mk b/docs/multidomain-site-example/site.mk
index 3ae794d22a64425d2c1545255c8084b1dcc24356..50931c338007a0f26c4994dde1ec3e40d3cc41c6 100644
--- a/docs/multidomain-site-example/site.mk
+++ b/docs/multidomain-site-example/site.mk
@@ -1,38 +1,10 @@
 ##	gluon site.mk makefile example
 
-##	GLUON_FEATURES
-#		Specify Gluon features/packages to enable;
-#		Gluon will automatically enable a set of packages
-#		depending on the combination of features listed
-
-GLUON_FEATURES := \
-	autoupdater \
-	ebtables-filter-multicast \
-	ebtables-filter-ra-dhcp \
-	ebtables-limit-arp \
-	mesh-batman-adv-15 \
-	mesh-vpn-fastd \
-	respondd \
-	status-page \
-	web-advanced \
-	web-wizard
-
-GLUON_FEATURES_standard := \
-	wireless-encryption-wpa3
-
 ##	GLUON_MULTIDOMAIN
 #		Build gluon with multidomain support.
 
 GLUON_MULTIDOMAIN=1
 
-##	GLUON_SITE_PACKAGES
-#		Specify additional Gluon/OpenWrt packages to include here;
-#		A minus sign may be prepended to remove a packages from the
-#		selection that would be enabled by default or due to the
-#		chosen feature flags
-
-GLUON_SITE_PACKAGES := iwinfo
-
 ##	DEFAULT_GLUON_RELEASE
 #		version string to use for images
 #		gluon relies on
diff --git a/docs/package/gluon-ebtables-limit-arp.rst b/docs/package/gluon-ebtables-limit-arp.rst
index 9431f0046ac2891c7a798c58347731652fa78bd0..f5b0301301f846ad66e1141ca0bd778366b731be 100644
--- a/docs/package/gluon-ebtables-limit-arp.rst
+++ b/docs/package/gluon-ebtables-limit-arp.rst
@@ -25,5 +25,6 @@ This package is installed by default if the selected routing
 feature is *mesh-batman-adv-15*.
 It can be unselected via::
 
-    GLUON_SITE_PACKAGES := \
-      -gluon-ebtables-limit-arp
+    packages {
+      '-gluon-ebtables-limit-arp',
+    }
diff --git a/docs/site-example/image-customization b/docs/site-example/image-customization
index 7099873529a927f181904f7895006a20a83d8135..3ecafe3cd1fb39f0f213c30ca6984e2e44d208fe 100644
--- a/docs/site-example/image-customization
+++ b/docs/site-example/image-customization
@@ -1,6 +1,6 @@
-packages({'iwinfo'})
+packages {'iwinfo'}
 
-features({
+features {
 	'autoupdater',
 	'ebtables-filter-multicast',
 	'ebtables-filter-ra-dhcp',
@@ -11,10 +11,10 @@ features({
 	'status-page',
 	'web-advanced',
 	'web-wizard'
-})
+}
 
 if not device_class('tiny') then
-	features({
+	features {
 		'wireless-encryption-wpa3'
-	})
+	}
 end
diff --git a/docs/user/site.rst b/docs/user/site.rst
index efaf96a17a0f0d4aeb26a5004be78310b2c16c8c..ff880fe29ef7736ec8241040c7b48b17fd8beb05 100644
--- a/docs/user/site.rst
+++ b/docs/user/site.rst
@@ -134,8 +134,8 @@ wifi24 \: optional
   For an OWE secured network, the ``owe_ssid`` string has to be set. It sets the
   SSID for the opportunistically encrypted wireless network, to which compatible
   clients can connect to.
-  For OWE to work, the ``wireless-encryption-wpa3`` has to be enabled (usually by
-  adding it to ``GLUON_FEATURES_standard``) in your ``site.mk``.
+  For OWE to work, the ``wireless-encryption-wpa3`` has to be enabled as a feature
+  in your site.
   To utilize the OWE transition mode, ``owe_transition_mode`` has to be set to true.
   When ``owe_transition_mode`` is enabled, the OWE secured SSID will be hidden.
   Compatible devices will automatically connect to the OWE secured SSID when selecting
@@ -611,33 +611,6 @@ GLUON_DEPRECATED
   and ``upgrade`` for existing configurations (where upgrades for existing
   deployments of low-flash devices are required). Defaults to ``0``.
 
-GLUON_FEATURES
-  Defines a list of features to include. Depending on the device, the feature list
-  defined from this value is combined with the feature list for either the standard
-  or the tiny device-class. The resulting feature list is used to generate the default
-  package set.
-
-GLUON_FEATURES_standard
-  Defines a list of additional features to include or exclude for devices of
-  the standard device-class.
-
-GLUON_FEATURES_tiny
-  Defines a list of additional features to include or exclude for devices of
-  the tiny device-class.
-
-GLUON_SITE_PACKAGES
-  Defines a list of packages which should be installed in addition to the
-  default package set. It is also possible to remove packages from the
-  default set by prepending a minus sign to the package name.
-
-GLUON_SITE_PACKAGES_standard
-  Defines a list of additional packages to include or exclude for devices of
-  the standard device-class.
-
-GLUON_SITE_PACKAGES_tiny
-  Defines a list of additional packages to include or exclude for devices of
-  the tiny device-class.
-
 GLUON_RELEASE
   The current release version Gluon should use.
 
@@ -674,8 +647,8 @@ leading to entangled package names like *gluon-mesh-vpn-fastd-respondd* or
 *gluon-status-page-mesh-batman-adv-i18n-de*.
 
 For this reason, we have introduced *feature flags*, which can be specified
-in the *GLUON_FEATURES* variable. These flags allow to specify a set of features
-on a higher level than individual package names.
+in the using the image-customization framework. These flags allow to specify
+a set of features on a higher level than individual package names.
 
 Most Gluon packages can simply be specified as feature flags by removing the ``gluon-``
 prefix: The feature flag corresponding to the package *gluon-mesh-batman-adv-15* is
@@ -697,9 +670,10 @@ flags using a flexible ruleset defined in the Gluon repo or site package feeds.
 To some extent, it will even allow us to further modularize existing Gluon packages,
 without necessitating changes to existing site configurations.
 
-It is still possible to override such automatic rules using *GLUON_SITE_PACKAGES*
-(e.g., ``-gluon-status-page-mesh-batman-adv`` to remove the automatically added
-package *gluon-status-page-mesh-batman-adv*).
+It is still possible to override such automatic rules by removing them using 
+*packages* in the image-customization file
+(e.g., ``features { '-gluon-status-page-mesh-batman-adv' }`` to remove
+the automatically added package *gluon-status-page-mesh-batman-adv*).
 
 For convenience, there are two feature flags that do not directly correspond to a Gluon
 package:
@@ -707,17 +681,17 @@ package:
 * web-wizard
 
   Includes the *gluon-config-mode-...* base packages (hostname, geolocation and contact info),
-  as well as the *gluon-config-mode-autoupdater* (when *autoupdater* is in *GLUON_FEATURES*),
-  and *gluon-config-mode-mesh-vpn* (when *mesh-vpn-fastd* or *mesh-vpn-tunneldigger* are in
-  *GLUON_FEATURES*)
+  as well as the *gluon-config-mode-autoupdater* (when *autoupdater* is an enabled feature),
+  and *gluon-config-mode-mesh-vpn* (when *mesh-vpn-fastd* or *mesh-vpn-tunneldigger* are
+  enabled features)
 
 * web-advanced
 
   Includes the *gluon-web-...* base packages (admin, network, WiFi config),
-  as well as the *gluon-web-autoupdater* (when *autoupdater* is in *GLUON_FEATURES*)
+  as well as the *gluon-web-autoupdater* (when *autoupdater* is an enabled feature),
 
-We recommend to use *GLUON_SITE_PACKAGES* for non-Gluon OpenWrt packages only and
-completely rely on *GLUON_FEATURES* for Gluon packages, as it is shown in the
+We recommend to include packages for non-Gluon OpenWrt packages only and
+completely rely on features for Gluon packages, as it is shown in the
 example *site.mk*.
 
 .. _site-image-customization: