From be4bbc009224f1f5ae2a09743b30a2ce570b2cba Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 24 Jul 2022 10:07:45 -0500
Subject: [PATCH] r/grafana: Fix Origin not allowed error

Grafana 8.3.5 introduced a new CSRF protection mechanism that requires
the value of the Host HTTP request header to be preserved from the
original client request.

https://github.com/grafana/grafana/issues/45117#issuecomment-1033842787
---
 roles/grafana/defaults/main.yml        | 1 +
 roles/grafana/files/grafana.nginx.conf | 1 +
 roles/grafana/templates/grafana.ini.j2 | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/grafana/defaults/main.yml b/roles/grafana/defaults/main.yml
index 0fa1a39..34fa3a0 100644
--- a/roles/grafana/defaults/main.yml
+++ b/roles/grafana/defaults/main.yml
@@ -1,3 +1,4 @@
+grafana_domain: '{{ ansible_fqdn }}'
 grafana_ldap_enabled: false
 grafana_http_addr:
 grafana_ldap_host: 127.0.0.1
diff --git a/roles/grafana/files/grafana.nginx.conf b/roles/grafana/files/grafana.nginx.conf
index ed1f205..ad26829 100644
--- a/roles/grafana/files/grafana.nginx.conf
+++ b/roles/grafana/files/grafana.nginx.conf
@@ -1,3 +1,4 @@
 location / {
     proxy_pass http://[::1]:3000/;
+    proxy_set_header Host $http_host;
 }
diff --git a/roles/grafana/templates/grafana.ini.j2 b/roles/grafana/templates/grafana.ini.j2
index ced3be6..3a1810f 100644
--- a/roles/grafana/templates/grafana.ini.j2
+++ b/roles/grafana/templates/grafana.ini.j2
@@ -38,7 +38,7 @@ http_addr = {{ grafana_http_addr }}
 http_port = 3000
 
 # The public facing domain name used to access grafana from a browser
-domain = localhost
+domain = {{ grafana_domain }}
 
 # Redirect to correct domain if host header does not match domain
 # Prevents DNS rebinding attacks