Huh, that's weird, I went back & fiddled with the syntax, permissions & instructions a bit more. No dice.
My default.conf looks like:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name XXXX;
autoindex off;
index pihole/index.php index.php index.html index.htm;
location / {
expires max;
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
fastcgi_param FQDN true;
auth_basic "Restricted"; # For Basic Auth
auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
}
location /*.js {
index pihole/index.js;
auth_basic "Restricted"; # For Basic Auth
auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
}
location /admin {
root /var/www/html;
index index.php index.html index.htm;
auth_basic "Restricted"; # For Basic Auth
auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
}
location ~ /\.ht {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/XXXX/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/XXXX/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = XXXX) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name XXXX;
listen 80;
return 404; # managed by Certbot
}
The .htpasswd file is owned by root:root with 644 permissions just like the rest of the nginx folder.
/var/www/html has the pihole folder owned by www-data:www-data with permissions 755.
And by now I've added pihole to www-data 3 times at least, so what gives?
Though one more thing of note,
attempting to access Settings > Group Management > Groups
I'm hit with:
DataTables warning: table id=groupsTable - Ajax error. For more information about this error, please see http://datatables.net/tn/7
Same goes for Tools > Pi-Hole disgnosis
And Tools > Network gives:
An unknown error occurred while loading the data.
Finally Long-term data > Query Log returns:
An unknown error occurred while loading the data.
Check the server's log files (/var/log/lighttpd/error.log) for details.
You may need to increase PHP memory limit.
You can find more info in pi-hole's FAQ:
https://docs.pi-hole.net/main/faq/#error-while-loading-data-from-the-long-term-database
I should hope the 512M I've allocated should be enough,
Since I don't have lighttpd logs, I checked nginx & sure enough, they were filled with:
Stack trace:
#0 /var/www/html/admin/api_db.php(26): SQLite3_connect()
#1 {main}
thrown in /var/www/html/admin/scripts/pi-hole/php/database.php on line 61" while reading response header from upstream, client: 192.168.1.6, server: XXXX, request: "GET /admin/api_db.php?status HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.0-fpm.sock:", host: "19>2022/03/16 00:17:08 [error] 30238#30238: *296 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Undefined constant "SQLITE3_OPEN_READONLY" in /var/www/html/admin/scripts/pi-hole/php/database.php:61
That was eye-opening, & this forum post led me to install php8.0-sqlite3 which ended up fixing the whole problem 
Many thanks, & wistful thinking, but with hope I may never face a problem again.