Auto-purge orphaned Let's Encrypt renewal configuration files

roles/matrix-nginx-proxy/defaults/main.yml

@@ -572,6 +572,20 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
 matrix_ssl_pre_obtaining_required_service_name: ~
 matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
 
+# matrix_ssl_orphaned_renewal_configs_purging_enabled controls whether the playbook will delete Let's Encryption renewal configuration files (`/matrix/ssl/config/renewal/*.conf)
+# for domains that are not part of the `matrix_ssl_domains_to_obtain_certificates_for` list.
+#
+# As the `matrix_ssl_domains_to_obtain_certificates_for` list changes over time, the playbook obtains certificates for various domains
+# and sets up "renewal" configuration files to keep these certificates fresh.
+# When a domain disappears from the `matrix_ssl_domains_to_obtain_certificates_for` list (because its associated service had gotten disabled),
+# the certificate files and renewal configuration still remain in the filesystem and certbot may try to renewal the certificate for this domain.
+# If there's no DNS record for this domain or it doesn't point to this server anymore, the `matrix-ssl-lets-encrypt-certificates-renew.service` systemd service
+# won't be able to renew the certificate and will generate an error.
+#
+# With `matrix_ssl_orphaned_renewal_configs_purging_enabled` enabled, orphaned renewal configurations will be purged on each playbook run.
+# Some other leftover files will still remain, but we don't bother purging them because they don't cause troubles.
+matrix_ssl_orphaned_renewal_configs_purging_enabled: true
+
 # Nginx Optimize SSL Session
 #
 # ssl_session_cache:

roles/matrix-nginx-proxy/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Check if a Let's Encrypt renewal configuration directory exists
+  ansible.builtin.stat:
+    path: "{{ matrix_ssl_config_dir_path }}/renewal"
+  register: matrix_ssl_config_renewal_directory_stat_result
+
+- when: matrix_ssl_config_renewal_directory_stat_result.stat.exists | bool
+  block:
+    - name: Determine current Let's Encrypt renewal configs
+      ansible.builtin.find:
+        path: "{{ matrix_ssl_config_dir_path }}/renewal"
+        patterns: ".*.conf$"
+        use_regex: true
+      register: matrix_ssl_current_renewal_config_files
+
+    - name: Determine unnecessary Let's Encrypt renewal configs
+      ansible.builtin.set_fact:
+        matrix_ssl_current_renewal_config_files_to_purge: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) + [item.path] }}"
+      with_items: "{{ matrix_ssl_current_renewal_config_files.files }}"
+      when: "item.path | basename | replace('.conf', '') not in matrix_ssl_domains_to_obtain_certificates_for"
+
+    - name: Purge unneceessary Let's Encrypt renewal config files
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items: "{{ matrix_ssl_current_renewal_config_files_to_purge | default([]) }}"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -18,6 +18,9 @@
 
 - when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
   block:
+    - when: matrix_ssl_orphaned_renewal_configs_purging_enabled | bool
+      ansible.builtin.import_tasks: "{{ role_path }}/tasks/ssl/purge_ssl_lets_encrypt_orphaned_configs.yml"
+
     - name: Ensure certbot Docker image is pulled
       docker_image:
         name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"