I tried the new configuration cleanup tool (https://github.com/opnsense/core/issues/8768) under System->Configuration->Defaults->Components. It worked beautifully to remove the stale configs of several plugins that I'd uninstalled. It even helpfully highlighted which ones were not installed to guide the selection for cleanup :) Nice touch.
The only minor inconsistency is that the XML element start/end tags sometimes get removed and sometimes don't. I had limited configs to play with, but it might be the case that when there is no plugin version in the start tag then those get left intact, but the versioned ones get removed.
I'm not sure if this is expected or warrants a bug, but in either case the end result is that the configs are removed and the plugin would revert to its defaults when re-installed (so not really an issue).
Adding a couple diff snippets here to illustrate.
1. The 'bind' plugin did not have a version listed. The element start tag was <bind> and the end tag was </bind>. Everything between the tags was removed:
6186,6234c6088,6089
< <record version="1.0.1">
< <records/>
< </record>
< <acl version="1.0.0">
< <acls/>
< </acl>
< <general version="1.0.12">
< <enabled>0</enabled>
< <disablev6>0</disablev6>
< <enablerpz>1</enablerpz>
< <listenv4>0.0.0.0</listenv4>
< <listenv6>::</listenv6>
< <querysource/>
< <querysourcev6/>
< <transfersource/>
< <transfersourcev6/>
< <port>53530</port>
< <forwarders/>
< <filteraaaav4>0</filteraaaav4>
< <filteraaaav6>0</filteraaaav6>
< <filteraaaaacl/>
< <logsize>5</logsize>
< <general_log_level>info</general_log_level>
< <maxcachesize>80</maxcachesize>
< <recursion/>
< <allowtransfer/>
< <allowquery/>
< <dnssecvalidation>no</dnssecvalidation>
< <hidehostname>0</hidehostname>
< <hideversion>0</hideversion>
< <disableprefetch>0</disableprefetch>
< <enableratelimiting>0</enableratelimiting>
< <ratelimitcount/>
< <ratelimitexcept>0.0.0.0,::</ratelimitexcept>
< <rndcalgo>hmac-sha256</rndcalgo>
< <rndcsecret>VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=</rndcsecret>
< </general>
< <domain version="1.1.1">
< <domains/>
< </domain>
< <dnsbl version="1.0.5">
< <enabled>0</enabled>
< <type/>
< <whitelists/>
< <forcesafegoogle>0</forcesafegoogle>
< <forcesafeduckduckgo>0</forcesafeduckduckgo>
< <forcesafeyoutube>0</forcesafeyoutube>
< <forcestrictbing>0</forcestrictbing>
< </dnsbl>
---
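Review bot: the `<rndcsecret>` line inside the removed `<general version="1.0.12">` block publishes the rndc HMAC key in clear text. Replace that value with a placeholder before posting config diffs, and treat the posted key as disclosed if it is still in use anywhere. Separately, this is a change hunk (`6186,6234c6088,6089`) that stops at the `---` separator, so the two lines that remain at 6088-6089 are not shown; including them would confirm that only the unversioned wrapper tags are left behind.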
2. The 'stunnel' plugin had a version in the <start> tag and in that case everything including the tags was removed:
6236,6243d6090
< <Stunnel version="1.0.4" persisted_at="1756512408.00">
< <general>
< <enabled>0</enabled>
< <chroot>0</chroot>
< <enable_ident_server>0</enable_ident_server>
< </general>
< <services/>
< </Stunnel>
Thanks again for your work on this tool!
You know what, I only just realized after closer reading of Ad's commit message that this is how it works. It identifies config models by the version. https://github.com/opnsense/core/commit/c485a33ab7c9d366baf3665dfcbbda65052b04ad
My bad...
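The behaviour described in this thread, as an added illustration (not OPNsense's code and not part of the original posts): if a config model is identified by its `version` attribute, removing models leaves an unversioned wrapper such as `<bind>` in place but deletes a versioned element such as `<Stunnel>` whole. The sample XML is constructed, and `find_models` and `cleanup` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the two diff snippets in the thread.
SAMPLE = """<opnsense><OPNsense>
  <bind>
    <record version="1.0.1"><records/></record>
    <general version="1.0.12"><enabled>0</enabled></general>
  </bind>
  <Stunnel version="1.0.4">
    <general><enabled>0</enabled></general>
    <services/>
  </Stunnel>
  <other><x>1</x></other>
</OPNsense></opnsense>"""


def find_models(root):
    """Return (path, element, parent) for each outermost element that
    carries a version attribute (assumption: that marks a model root)."""
    found = []

    def walk(node, path):
        for child in list(node):
            child_path = f"{path}/{child.tag}"
            if "version" in child.attrib:
                found.append((child_path, child, node))  # model root, stop here
            else:
                walk(child, child_path)  # plain container, keep descending

    walk(root, "")
    return found


def cleanup(root, plugin):
    """Remove every model whose path contains the segment `plugin`.
    Containers without a version attribute are never touched."""
    removed = []
    for path, element, parent in find_models(root):
        if plugin in path.strip("/").split("/"):
            parent.remove(element)
            removed.append(path)
    return removed


if __name__ == "__main__":
    tree = ET.fromstring(SAMPLE)
    print(cleanup(tree, "bind"), cleanup(tree, "Stunnel"))
    print(ET.tostring(tree, encoding="unicode"))
```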