Looking at some other posts, there is an orphan answer from some months ago that helped: Question about forcing HTTPS traffic with Grafana - #9 by kevinbertho
In the partially-certbot-managed /etc/nginx/sites-available/[site-domain] I changed
proxy_pass http://grafana.staged-by-discourse.com;
to
proxy_pass https://community.grafana.com;
and that did the trick but then I reverted everything since I was not sure if making https calls to localhost is recommended or not. It did seem to be interfering with http-to-https redirection on the site, but I’m not positive it was.
In any case, it shouldn’t be this complicated to have a https password recovery URL with my domain.
What ended up working - taken from this answer - was editing /etc/grafana/grafana.ini:
domain = [my domain]
…
root_url = https://%(domain)s/
That way, you have an https URL without changing the protocol parameter, and thus you avoid running into messy paths, permissions or groups. There’s also no changing nginx config files.