In my experience, the best way to achieve this is by using DNS challenges, which fixes any problems with HTTP/HTTPS redirects and also allows for wildcard certificates.
See Setup a wildcard certificate with ACME on a custom domain name "hosted" by PowerDNS for an example of different alternatives to set it up.
I modified your example with what I think would work:
```nix
{ ... }: {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "mydoma.in" = {
        forceSSL = true;
        useACMEHost = "mydoma.in";
        locations."/".root = "/var/www";
      };
      "watch.mydoma.in" = {
        forceSSL = true;
        useACMEHost = "mydoma.in";
        locations."/".proxyPass = "http://localhost:8096";
      };
    };
  };

  # Required before any certificate is requested
  security.acme.acceptTerms = true;

  security.acme.certs."mydoma.in" = {
    # DNS-01 challenge: no webroot here, since NixOS allows only one of
    # dnsProvider / webroot / listenHTTP per certificate
    dnsProvider = "...";
    # EnvironmentFile with the API credentials for the chosen dnsProvider
    # (placeholder path; keep it out of the Nix store)
    credentialsFile = "/path/to/dns-provider-credentials";
    email = "myemail@gmail.com";
    group = "nginx";
    # Base name plus wildcard: the wildcard alone does not cover the apex
    extraDomainNames = [ "*.mydoma.in" ];
  };
}
```
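As an added illustration (not code from the original post or from NixOS), here is the name-matching rule that explains why the certificate above needs both `mydoma.in` and `*.mydoma.in`: a wildcard covers exactly one leftmost label, so it matches `watch.mydoma.in` but neither the apex `mydoma.in` nor a two-level name like `a.b.mydoma.in`. The list `CERT_NAMES` is constructed to mirror the Nix config; `name_matches` and `cert_covers` are hypothetical helper names.

```python
"""Wildcard SAN coverage check (constructed example, not part of the original post)."""

# Names the certificate above would carry: the cert's main name plus the
# wildcard from extraDomainNames. Constructed to mirror the Nix config.
CERT_NAMES = ["mydoma.in", "*.mydoma.in"]


def name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name (possibly '*.example') covers host.

    Follows the usual TLS client rule (RFC 6125): a leading '*' stands for
    exactly one DNS label, never for zero labels or several labels.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        # Plain name: exact, case-insensitive match only
        return pattern == host
    suffix = pattern[1:]  # e.g. ".mydoma.in"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # The wildcard must absorb one non-empty label containing no dots
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def cert_covers(host: str, names=CERT_NAMES) -> bool:
    """True if any name on the certificate covers the given host."""
    return any(name_matches(n, host) for n in names)


def uncovered_vhosts(vhosts, names=CERT_NAMES):
    """Return the nginx virtual hosts the certificate would NOT cover."""
    return [v for v in vhosts if not cert_covers(v, names)]


if __name__ == "__main__":
    # The two virtualHosts from the config above
    for v in ["mydoma.in", "watch.mydoma.in"]:
        print(v, "covered" if cert_covers(v) else "NOT covered")
    # With the wildcard alone, the apex would be left out
    print("apex with wildcard only:", cert_covers("mydoma.in", ["*.mydoma.in"]))
```

Running the checks against the two `virtualHosts` in the config shows both are covered; dropping the base name and keeping only `*.mydoma.in` leaves the apex uncovered, which is exactly why the cert is named `mydoma.in` and the wildcard goes in `extraDomainNames`.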