NixOS [1] actually has really great nginx integration with just a single line [2]:
enableACME = true;
This automatically does the ACME thing and sets up systemd units to renew the certificate. Have been using it a while for my (sub)domains and it's worked really well.