diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 8cf24a228..00c3f839a 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -547,8 +547,12 @@ matrix_ssl_lets_encrypt_staging: false # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server matrix_ssl_lets_encrypt_server: '' -matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.28.0" -matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" +matrix_ssl_lets_encrypt_certbot_challenge_image: 'http' +matrix_ssl_lets_encrypt_certbot_docker_image_version: "v1.28.0" +matrix_ssl_lets_encrypt_certbot_http_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-{{ matrix_ssl_lets_encrypt_certbot_docker_image_version }}" +matrix_ssl_lets_encrypt_certbot_dns_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/dns-{{ matrix_ssl_lets_encrypt_certbot_official_dns_provider }}:{{ matrix_ssl_architecture }}-{{ matrix_ssl_lets_encrypt_certbot_docker_image_version }}" +matrix_ssl_lets_encrypt_certbot_official_dns_provider: '' +matrix_ssl_lets_encrypt_certbot_custom_docker_image: '' matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402 matrix_ssl_lets_encrypt_support_email: ~ 
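Review bot: `matrix_ssl_lets_encrypt_certbot_challenge_image: 'http'` is introduced without a comment stating its accepted values, although validate_config.yml in this diff rejects anything other than `'http'`, `'dns'` or `'custom'` and the `dns` choice additionally requires `matrix_ssl_lets_encrypt_certbot_official_dns_provider`; a short comment above it naming the three values and the companion variable each one needs would save readers a trip through the tasks. The new tasks also read `matrix_ssl_lets_encrypt_dns_challenge_domains` and `matrix_ssl_lets_encrypt_dns_config`, which are guarded with `is defined` elsewhere in the diff and not declared in this hunk; unless they are declared in a part of this file outside the hunk, add `matrix_ssl_lets_encrypt_dns_challenge_domains: []` and `matrix_ssl_lets_encrypt_dns_config: []` here with a comment describing the expected entry keys (`domain`, `provider`, `config_file` and `name`, `template` respectively), so the role's defaults document the whole contract.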
@@ -566,6 +570,8 @@ matrix_ssl_lets_encrypt_key_type: rsa matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl" matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config" matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log" +# dns-config must be a folder different from matrix_ssl_config_dir_path to ensure it is mounted only when needed +matrix_ssl_dns_config_dir_path: "{{ matrix_ssl_base_path }}/dns-config" # If you'd like to start some service before a certificate is obtained, specify it here. # This could be something like `matrix-dynamic-dns`, etc. diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml index 0e5339a9a..b19a6e8cf 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml @@ -17,6 +17,15 @@ # - block: + - ansible.builtin.set_fact: + matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_ssl_lets_encrypt_certbot_custom_docker_image if matrix_ssl_lets_encrypt_certbot_challenge_image == 'custom' else matrix_ssl_lets_encrypt_certbot_dns_docker_image if matrix_ssl_lets_encrypt_certbot_challenge_image == 'dns' else matrix_ssl_lets_encrypt_certbot_http_docker_image }}" + + - ansible.builtin.set_fact: + matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}" + + - ansible.builtin.debug: + msg: "Using certbot docker image: {{ matrix_ssl_lets_encrypt_certbot_docker_image }}" + - name: Ensure certbot Docker image is pulled docker_image: name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}" 
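Review bot: The three tasks added at the top of the block carry no `name:`, unlike every other task in this file, so neither the play output nor ansible-lint (`name[missing]`) tells an operator what they do; `- name: Determine certbot Docker image to use` and `- name: Determine whether the certbot Docker image must be force-pulled` would match the surrounding style, and the `debug` task deserves one too. The first `set_fact` chains two inline conditionals in a single expression; a small mapping keyed by `matrix_ssl_lets_encrypt_certbot_challenge_image` (`http`, `dns`, `custom`) looked up once would read more easily and fail more clearly on an unexpected key. The block these tasks belong to continues past the end of the hunk.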
@@ -24,6 +33,56 @@ force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}" + - name: Ensure cerbot DNS configurations removed + ansible.builtin.file: + path: "{{ matrix_ssl_dns_config_dir_path }}" + state: absent + when: "(matrix_ssl_lets_encrypt_dns_config is not defined) or (matrix_ssl_lets_encrypt_dns_config | length == 0)" + + - block: + - name: Ensure cerbot DNS configurations paths exists + ansible.builtin.file: + path: "{{ matrix_ssl_dns_config_dir_path }}" + state: directory + mode: 0770 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + recurse: true + + - name: List existing cerbot DNS configurations + ansible.builtin.shell: "ls -1 {{ matrix_ssl_dns_config_dir_path }}" + register: dns_config_files + changed_when: false + + - name: Remove useless cerbot DNS configurations + ansible.builtin.file: + path: "{{ matrix_ssl_dns_config_dir_path }}/{{ item }}" + state: absent + with_items: "{{ dns_config_files.stdout_lines }}" + when: "item not in matrix_ssl_lets_encrypt_dns_config | map(attribute='name') | list" + + - name: Set up certbot DNS provider configurations + ansible.builtin.template: + src: "{{ role_path }}/templates/dns-config/{{ dns_config.template }}.j2" + dest: "{{ matrix_ssl_dns_config_dir_path }}/{{ dns_config.name }}" + mode: 0600 + owner: "{{ matrix_user_username }}" + group: "{{ matrix_user_groupname }}" + no_log: true + with_items: "{{ matrix_ssl_lets_encrypt_dns_config }}" + loop_control: + loop_var: dns_config + + - name: Ensure awsconfig setup script exists + ansible.builtin.template: + src: "{{ role_path }}/templates/certbot-hook/setup-awsconfig.sh.j2" + dest: "{{ matrix_ssl_dns_config_dir_path }}/setup-awsconfig.sh" + mode: 0700 + owner: "{{ matrix_user_username }}" + group: "{{ 
matrix_user_groupname }}" + with_items: "{{ dns_config_files.stdout_lines }}" + when: "(matrix_ssl_lets_encrypt_dns_config is defined) and (matrix_ssl_lets_encrypt_dns_config | length > 0)" + - name: Obtain Let's Encrypt certificates ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml" with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}" @@ -61,4 +120,9 @@ ansible.builtin.file: path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew" state: absent + + - name: Ensure Let's Encrypt DNS provider configurations removed + ansible.builtin.file: + path: "{{ matrix_ssl_dns_config_dir_path }}" + state: absent when: "matrix_ssl_retrieval_method != 'lets-encrypt'" diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml index 18cae090e..c9a473607 100644 --- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml +++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml 
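Review bot: The `with_items: "{{ dns_config_files.stdout_lines }}"` on "Ensure awsconfig setup script exists" iterates over the directory listing rather than rendering the script once, so on a first run the freshly created directory is empty and the script is never written, leaving the route53 `--pre-hook` with nothing to execute, while later runs template it once per file present; drop that `with_items` line. Because "Remove useless cerbot DNS configurations" deletes anything not named in `matrix_ssl_lets_encrypt_dns_config`, it also deletes `setup-awsconfig.sh` on every run before it is re-rendered, so that task's condition should become `when: "item != 'setup-awsconfig.sh' and item not in matrix_ssl_lets_encrypt_dns_config | map(attribute='name') | list"`. `recurse: true` on the directory task re-applies `mode: 0770` to the credential files inside it each run, widening them from the `0600` the template task sets until that task runs again and guaranteeing a perpetual `changed`; remove `recurse`. `ansible.builtin.find` would replace the `ls -1` shell call (ansible-lint `command-instead-of-shell`), and the task names spell "cerbot". The outer `- block:` these tasks sit in is opened before the hunk.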
@@ -26,71 +26,129 @@ when: "matrix_ssl_pre_obtaining_required_service_start_result.changed | bool" when: "domain_name_needs_cert | bool and matrix_ssl_pre_obtaining_required_service_name != ''" -# This will fail if there is something running on port 80 (like matrix-nginx-proxy). -# We suppress the error, as we'll try another method below. -- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) - ansible.builtin.shell: >- - {{ matrix_host_command_docker }} run - --rm - --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080 - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} - certonly - --non-interactive - --work-dir=/tmp - --http-01-port 8080 - {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} - {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} - --key-type {{ matrix_ssl_lets_encrypt_key_type }} - --standalone - --preferred-challenges http - --agree-tos - --email={{ matrix_ssl_lets_encrypt_support_email }} - -d {{ domain_name }} - when: domain_name_needs_cert | bool - register: result_certbot_direct - ignore_errors: true +# Execute certbot challenge +- block: + # Decide which challenge to execute for the challenge + - ansible.builtin.set_fact: + certbot_challenge: "{{ 'dns' if domain_name in matrix_ssl_lets_encrypt_dns_challenge_domains | map(attribute='domain') | list else 'http' }}" + + # Execute HTTP challenge + - block: + - ansible.builtin.debug: + msg: "Executing HTTP challenge" + + # This will fail if there is something running on port 80 (like matrix-nginx-proxy). + # We suppress the error, as we'll try another method below. 
+ - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly) + ansible.builtin.shell: >- + {{ matrix_host_command_docker }} run + --rm + --name=matrix-certbot + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --publish {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080 + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} + certonly + --non-interactive + --work-dir=/tmp + --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server | quote }}{% endif %} + {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} + --key-type {{ matrix_ssl_lets_encrypt_key_type }} + --standalone + --preferred-challenges http + --agree-tos + --email={{ matrix_ssl_lets_encrypt_support_email }} + -d {{ domain_name }} + register: result_certbot_direct + changed_when: "not result_certbot_direct.failed" + ignore_errors: true + + # If matrix-nginx-proxy is configured from a previous run of this playbook, + # and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. 
+ - name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) + ansible.builtin.shell: >- + {{ matrix_host_command_docker }} run + --rm + --name=matrix-certbot + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} + --cap-drop=ALL + --publish 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 + --network={{ matrix_docker_network }} + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} + certonly + --non-interactive + --work-dir=/tmp + --http-01-port 8080 + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server | quote }}{% endif %} + {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} + --key-type {{ matrix_ssl_lets_encrypt_key_type }} + --standalone + --preferred-challenges http + --agree-tos + --email={{ matrix_ssl_lets_encrypt_support_email }} + -d {{ domain_name }} + when: "result_certbot_direct.failed" + register: result_certbot_proxy + changed_when: "not result_certbot_proxy.failed" + ignore_errors: true + + - name: Fail if all SSL certificate retrieval attempts failed for HTTP challenge + ansible.builtin.fail: + msg: | + Failed to obtain a certificate directly (by listening on port 80) + and also failed to obtain by relying on the server at port 80 to proxy the request. + See above for details. + You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or, + more easily, stop the server on port 80 while this playbook runs. 
+ when: "result_certbot_direct.failed and result_certbot_proxy.failed" + when: "certbot_challenge == 'http'" + + # Execute DNS challenge + - block: + - ansible.builtin.set_fact: + domain_config: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains | selectattr('domain', 'equalto', domain_name) | list | first }}" + + - ansible.builtin.debug: + msg: "Executing DNS challenge for {{ domain_config.provider }} with {{ domain_config.config_file }}" -# If matrix-nginx-proxy is configured from a previous run of this playbook, -# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`. -- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy) - ansible.builtin.shell: >- - {{ matrix_host_command_docker }} run - --rm - --name=matrix-certbot - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} - --cap-drop=ALL - -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 - --network={{ matrix_docker_network }} - --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt - --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt - {{ matrix_ssl_lets_encrypt_certbot_docker_image }} - certonly - --non-interactive - --work-dir=/tmp - --http-01-port 8080 - {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %} - {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} - --key-type {{ matrix_ssl_lets_encrypt_key_type }} - --standalone - --preferred-challenges http - --agree-tos - --email={{ matrix_ssl_lets_encrypt_support_email }} - -d {{ domain_name }} - when: "domain_name_needs_cert and result_certbot_direct.failed" - register: result_certbot_proxy - ignore_errors: true + - name: Attempt initial SSL certificate retrieval with dns authenticator + ansible.builtin.shell: >- + {{ matrix_host_command_docker }} run + --rm + --name=matrix-certbot + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} 
+ --cap-drop=ALL + --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt + --mount type=bind,src={{ matrix_ssl_dns_config_dir_path }},dst=/etc/letsencrypt-dns-config,readonly + --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt + {{ matrix_ssl_lets_encrypt_certbot_docker_image }} + certonly + --non-interactive + --work-dir=/tmp + {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server | quote }}{% endif %} + {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %} + --key-type {{ matrix_ssl_lets_encrypt_key_type }} + --dns-{{ domain_config.provider }} + {% if domain_config.provider in ['cloudflare', 'cloudxns', 'digitalocean', 'dnsmadeeasy', 'dnssimple', 'gehirn', 'google', 'linode', 'luadns', 'nsone', 'ovh', 'rfc2136', 'sakuracloud'] %}--dns-{{ domain_config.provider }}-credentials "/etc/letsencrypt-dns-config/{{ domain_config.config_file }}"{% endif %} + {% if domain_config.provider in ['route53'] %}--pre-hook "/etc/letsencrypt-dns-config/setup-awsconfig.sh '{{ domain_config.config_file }}'"{% endif %} + --agree-tos + --email={{ matrix_ssl_lets_encrypt_support_email }} + -d {{ domain_name }} + register: result_certbot_dns + changed_when: "not result_certbot_dns.failed" + ignore_errors: true -- name: Fail if all SSL certificate retrieval attempts failed - ansible.builtin.fail: - msg: | - Failed to obtain a certificate directly (by listening on port 80) - and also failed to obtain by relying on the server at port 80 to proxy the request. - See above for details. - You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or, - more easily, stop the server on port 80 while this playbook runs. 
- when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed" + - name: Fail if all SSL certificate retrieval attempts failed for DNS challenge + ansible.builtin.fail: + msg: | + Failed to obtain a certificate through DNS challenge. + See above for details. + You may wish to ensure permissions to update DNS records are properly set and still valid. + when: "result_certbot_dns.failed" + when: "certbot_challenge == 'dns'" + when: "domain_name_needs_cert | bool" diff --git a/roles/matrix-nginx-proxy/tasks/validate_config.yml b/roles/matrix-nginx-proxy/tasks/validate_config.yml index 6c87a4bb2..3f6ccda7e 100644 --- a/roles/matrix-nginx-proxy/tasks/validate_config.yml +++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml 
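Review bot: The `certbot_challenge` set_fact evaluates `matrix_ssl_lets_encrypt_dns_challenge_domains | map(attribute='domain')` unconditionally, while the validation tasks elsewhere in this diff guard that variable with `is defined`, so unless it is declared in a defaults file outside this diff the HTTP-only default configuration now fails with an undefined-variable error; write `certbot_challenge: "{{ 'dns' if domain_name in matrix_ssl_lets_encrypt_dns_challenge_domains | default([]) | map(attribute='domain') | list else 'http' }}"`. The provider allow-list on the `--dns-*-credentials` line spells the DNSimple plugin `dnssimple`, whereas certbot's plugin, flag and image are named `dnsimple` (the `dnssimple.ini.j2` template in this diff itself writes `dns_dnsimple_token`), so selecting that provider produces `--dns-dnssimple` and a non-existent `certbot/dns-dnssimple` image; the same spelling appears in both allow-lists of the validate_config.yml hunk. The outer `- block:` closes with `when: "domain_name_needs_cert | bool"` inside this hunk, but the task list it belongs to continues outside it.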
@@ -56,7 +56,69 @@ - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container" - "matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container" - "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container" + - "matrix_ssl_lets_encrypt_certbot_challenge_image" when: "vars[item] == '' or vars[item] is none" + + - name: "Fail if unsupported matrix_ssl_lets_encrypt_certbot_challenge_image" + ansible.builtin.fail: + msg: >- + `matrix_ssl_lets_encrypt_certbot_challenge_image` must be set to a known value: 'http' (default), 'dns' or 'custom'. + when: "matrix_ssl_lets_encrypt_certbot_challenge_image not in ['http', 'dns', 'custom']" + + - name: "Fail if custom certbot image is missing when required" + ansible.builtin.fail: + msg: >- + No `matrix_ssl_lets_encrypt_certbot_custom_docker_image` has been provided while `matrix_ssl_lets_encrypt_certbot_challenge_image` is set to 'custom'. + when: "matrix_ssl_lets_encrypt_certbot_challenge_image == 'custom' and (matrix_ssl_lets_encrypt_certbot_custom_docker_image == '' or matrix_ssl_lets_encrypt_certbot_custom_docker_image is none)" + + - name: "Fail if DNS certbot official image is not supported" + ansible.builtin.fail: + msg: >- + `matrix_ssl_lets_encrypt_certbot_official_dns_provider` needs to be set to a known value. + when: "matrix_ssl_lets_encrypt_certbot_challenge_image == 'dns' and matrix_ssl_lets_encrypt_certbot_official_dns_provider not in ['cloudflare', 'cloudxns', 'digitalocean', 'dnsmadeeasy', 'dnssimple', 'gehirn', 'google', 'linode', 'luadns', 'nsone', 'ovh', 'rfc2136', 'route53', 'sakuracloud']" + + - block: + - name: "Fail if DNS challenge configured with image supporting only HTTP challenge" + ansible.builtin.fail: + msg: >- + `matrix_ssl_lets_encrypt_dns_challenge_domains` is defined but the configured image doesn't support DNS challenges. 
+ when: matrix_ssl_lets_encrypt_certbot_challenge_image not in ['dns', 'custom'] + + - name: "Fail if required variables are undefined for an entry of `matrix_ssl_lets_encrypt_dns_challenge_domains`" + ansible.builtin.fail: + msg: >- + The `{{ item[1] }}` variable must be defined for configuration `{{ item[0] }}` + loop: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains | product(['domain', 'provider', 'config_file']) | list }}" + when: "item[0][item[1]] is not defined" + + - name: "Fail if domain configured for DNS challenge is unkown" + ansible.builtin.fail: + msg: >- + The domain `{{ dns_challenge_domain.domain }}` is not in the list of domains for which a certificate will be requested. + The associated module might be enabled or it might be added to `matrix_ssl_additional_domains_to_obtain_certificates_for`. + with_items: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains }}" + loop_control: + loop_var: dns_challenge_domain + when: "dns_challenge_domain.domain not in matrix_ssl_domains_to_obtain_certificates_for | list" + + - name: "Fail if DNS provider is not supported" + ansible.builtin.fail: + msg: >- + The DNS provider `{{ dns_challenge_domain.provider }}` is not supported for DNS challenges. + with_items: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains }}" + loop_control: + loop_var: dns_challenge_domain + when: "dns_challenge_domain.provider not in ['cloudflare', 'cloudxns', 'digitalocean', 'dnsmadeeasy', 'dnssimple', 'gehirn', 'google', 'linode', 'luadns', 'nsone', 'ovh', 'rfc2136', 'route53', 'sakuracloud']" + + - name: "Fail if DNS provider configuration is missing" + ansible.builtin.fail: + msg: >- + The configuration file `{{ dns_challenge_domain.config_file }}` is not declared in `matrix_ssl_lets_encrypt_dns_config`. 
+ with_items: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains }}" + loop_control: + loop_var: dns_challenge_domain + when: "dns_challenge_domain.config_file not in matrix_ssl_lets_encrypt_dns_config | map(attribute='name') | list" + when: "(matrix_ssl_lets_encrypt_dns_challenge_domains is defined) and (matrix_ssl_lets_encrypt_dns_challenge_domains | length > 0)" when: "matrix_ssl_retrieval_method == 'lets-encrypt'" - name: (Deprecation) Catch and report old metrics usage diff --git a/roles/matrix-nginx-proxy/templates/certbot-hook/setup-awsconfig.sh.j2 b/roles/matrix-nginx-proxy/templates/certbot-hook/setup-awsconfig.sh.j2 new file mode 100644 index 000000000..eedcbd131 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/certbot-hook/setup-awsconfig.sh.j2 @@ -0,0 +1,3 @@ +#!/bin/bash + +ln -sf "/etc/letsencrypt-dns-config/$1" "~/.aws/config" diff --git a/roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apikey.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apikey.ini.j2 new file mode 100644 index 000000000..9cc27e6fa --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apikey.ini.j2 @@ -0,0 +1,3 @@ +# Cloudflare API credentials used by Certbot +dns_cloudflare_email = {{ dns_config.dns_cloudflare_email }} +dns_cloudflare_api_key = {{ dns_config.dns_cloudflare_api_key }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apitoken.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apitoken.ini.j2 new file mode 100644 index 000000000..229972140 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apitoken.ini.j2 @@ -0,0 +1,2 @@ +# Cloudflare API token used by Certbot +dns_cloudflare_api_token = {{ dns_config.dns_cloudflare_api_token }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/cloudxns.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/cloudxns.ini.j2 new file mode 100644 index 000000000..4dac40ae3 --- /dev/null 
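Review bot: Nothing rejects a `matrix_ssl_lets_encrypt_dns_challenge_domains` entry whose `provider` differs from `matrix_ssl_lets_encrypt_certbot_official_dns_provider` while `matrix_ssl_lets_encrypt_certbot_challenge_image` is `'dns'`, although the `certbot/dns-<provider>` image used in that mode ships with that single plugin, so the mismatch surfaces later as a certbot failure rather than at validation; add a looped fail task like "Fail if DNS provider is not supported" with `when: "matrix_ssl_lets_encrypt_certbot_challenge_image == 'dns' and dns_challenge_domain.provider != matrix_ssl_lets_encrypt_certbot_official_dns_provider"`. The last task filters `matrix_ssl_lets_encrypt_dns_config` with no `default([])`, so a domains list without a config list fails on an undefined variable instead of the intended message, and the `name`/`template` keys of `matrix_ssl_lets_encrypt_dns_config` entries, which the setup tasks interpolate into file paths, get no presence check of their own. The first fail task in the inner block leaves its `when:` unquoted where every sibling quotes it, and "unkown" in a task name is misspelled. The block's closing `when:` lines are inside the hunk; the enclosing task list continues outside it.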
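Review bot: `ln -sf "/etc/letsencrypt-dns-config/$1" "~/.aws/config"` cannot succeed: tilde expansion is suppressed inside double quotes, so the link path is the literal `~/.aws/config`, whose parent directory does not exist, and the hook fails before certbot reaches Route 53. The container also runs as `--user {{ matrix_user_uid }}:{{ matrix_user_gid }}`, an account the image has no passwd entry for, so `$HOME` is not guaranteed either; if the hook is kept it should fail fast on a missing argument, create the directory explicitly and honour `$HOME` only when set. boto reads `AWS_CONFIG_FILE`, so passing `--env AWS_CONFIG_FILE=/etc/letsencrypt-dns-config/{{ domain_config.config_file }}` on the `docker run` line in setup_ssl_lets_encrypt_obtain_for_domain.yml would remove the need for the hook and the symlink altogether.
```shell
#!/bin/bash
set -euo pipefail
# $1: name of the rendered route53 credentials file under /etc/letsencrypt-dns-config
aws_dir="${HOME:-/tmp}/.aws"
mkdir -p "$aws_dir"
ln -sf "/etc/letsencrypt-dns-config/$1" "$aws_dir/config"
```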
+++ b/roles/matrix-nginx-proxy/templates/dns-config/cloudxns.ini.j2 @@ -0,0 +1,3 @@ +# CloudXNS API credentials used by Certbot +dns_cloudxns_api_key = {{ dns_config.dns_cloudxns_api_key }} +dns_cloudxns_secret_key = {{ dns_config.dns_cloudxns_secret_key }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/digitalocean.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/digitalocean.ini.j2 new file mode 100644 index 000000000..6e4299dc1 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/digitalocean.ini.j2 @@ -0,0 +1,2 @@ +# DigitalOcean API credentials used by Certbot +dns_digitalocean_token = {{ dns_config.dns_digitalocean_token }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/dnsmadeeasy.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/dnsmadeeasy.ini.j2 new file mode 100644 index 000000000..bc9e7b61e --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/dnsmadeeasy.ini.j2 @@ -0,0 +1,3 @@ +# DNS Made Easy API credentials used by Certbot +dns_dnsmadeeasy_api_key = {{ dns_config.dns_dnsmadeeasy_api_key }} +dns_dnsmadeeasy_secret_key = {{ dns_config.dns_dnsmadeeasy_secret_key }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/dnssimple.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/dnssimple.ini.j2 new file mode 100644 index 000000000..68a9390d5 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/dnssimple.ini.j2 @@ -0,0 +1,2 @@ +# DNSimple API credentials used by Certbot +dns_dnsimple_token = {{ dns_config.dns_dnsimple_token }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/gehirn.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/gehirn.ini.j2 new file mode 100644 index 000000000..9bbdde274 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/gehirn.ini.j2 
@@ -0,0 +1,3 @@ +# Gehirn Infrastructure Service API credentials used by Certbot +dns_gehirn_api_token = {{ dns_config.dns_gehirn_api_token }} +dns_gehirn_api_secret = {{ dns_config.dns_gehirn_api_secret }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/google.json.j2 b/roles/matrix-nginx-proxy/templates/dns-config/google.json.j2 new file mode 100644 index 000000000..accaef44a --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/google.json.j2 @@ -0,0 +1,12 @@ +{ + "type": "{{ dns_config.type | default('service_account') }}", + "project_id": "{{ dns_config.project_id }}", + "private_key_id": "{{ dns_config.private_key_id }}", + "private_key": "{{ dns_config.private_key }}", + "client_email": "{{ dns_config.client_email }}", + "client_id": "{{ dns_config.client_id }}", + "auth_uri": "{{ dns_config.auth_uri | default('https://accounts.google.com/o/oauth2/auth') }}", + "token_uri": "{{ dns_config.token_uri | default('https://accounts.google.com/o/oauth2/token') }}", + "auth_provider_x509_cert_url": "{{ dns_config.auth_provider_x509_cert_url | default('https://www.googleapis.com/oauth2/v1/certs') }}", + "client_x509_cert_url": "{{ dns_config.client_x509_cert_url }}" +} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/linode.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/linode.ini.j2 new file mode 100644 index 000000000..6c3943f80 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/linode.ini.j2 @@ -0,0 +1,3 @@ +# Linode API credentials used by Certbot +dns_linode_key = {{ dns_config.dns_linode_key }} +dns_linode_version = {{ dns_config.dns_linode_version }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/luadns.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/luadns.ini.j2 new file mode 100644 index 000000000..5c0934cd2 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/luadns.ini.j2 
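Review bot: `"private_key": "{{ dns_config.private_key }}"` embeds the PEM key into JSON without escaping, so a value containing literal newlines (a YAML block scalar) or a double quote yields invalid JSON that the Google plugin cannot parse; render each value with the `to_json` filter, which also supplies the quotes, e.g. `"private_key": {{ dns_config.private_key | to_json }},`. The same applies to the other ten fields in the file, and the existing `default(...)` filters compose with it as `{{ dns_config.type | default('service_account') | to_json }}`.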
@@ -0,0 +1,3 @@ +# LuaDNS API credentials used by Certbot +dns_luadns_email = {{ dns_config.dns_luadns_email }} +dns_luadns_token = {{ dns_config.dns_luadns_token }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/nsone.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/nsone.ini.j2 new file mode 100644 index 000000000..df8258362 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/nsone.ini.j2 @@ -0,0 +1,2 @@ +# NS1 API credentials used by Certbot +dns_nsone_api_key = {{ dns_config.dns_nsone_api_key }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/ovh.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/ovh.ini.j2 new file mode 100644 index 000000000..b6f239e55 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/ovh.ini.j2 @@ -0,0 +1,5 @@ +# OVH API credentials used by Certbot +dns_ovh_endpoint = {{ dns_config.dns_ovh_endpoint }} +dns_ovh_application_key = {{ dns_config.dns_ovh_application_key }} +dns_ovh_application_secret = {{ dns_config.dns_ovh_application_secret }} +dns_ovh_consumer_key = {{ dns_config.dns_ovh_consumer_key }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/rfc2136.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/rfc2136.ini.j2 new file mode 100644 index 000000000..d5bdb1ce8 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/rfc2136.ini.j2 @@ -0,0 +1,10 @@ +# Target DNS server (IPv4 or IPv6 address, not a hostname) +dns_rfc2136_server = {{ dns_config.dns_rfc2136_server }} +# Target DNS port +dns_rfc2136_port = {{ dns_config.dns_rfc2136_port | default(53) }} +# TSIG key name +dns_rfc2136_name = {{ dns_config.dns_rfc2136_name }} +# TSIG key secret +dns_rfc2136_secret = {{ dns_config.dns_rfc2136_secret }} +# TSIG key algorithm +dns_rfc2136_algorithm = {{ dns_config.dns_rfc2136_algorithm | default('HMAC-SHA512') }} 
diff --git a/roles/matrix-nginx-proxy/templates/dns-config/route53.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/route53.ini.j2 new file mode 100644 index 000000000..28d786e95 --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/route53.ini.j2 @@ -0,0 +1,3 @@ +[default] +aws_access_key_id={{ dns_config.aws_access_key_id }} +aws_secret_access_key={{ dns_config.aws_secret_access_key }} diff --git a/roles/matrix-nginx-proxy/templates/dns-config/sakuracloud.ini.j2 b/roles/matrix-nginx-proxy/templates/dns-config/sakuracloud.ini.j2 new file mode 100644 index 000000000..a4b322a6c --- /dev/null +++ b/roles/matrix-nginx-proxy/templates/dns-config/sakuracloud.ini.j2 @@ -0,0 +1,3 @@ +# Sakura Cloud API credentials used by Certbot +dns_sakuracloud_api_token = {{ dns_config.dns_sakuracloud_api_token }} +dns_sakuracloud_api_secret = {{ dns_config.dns_sakuracloud_api_secret }}