Https with ACME + nginx

In my experience, the best way to achieve this is by using DNS challenges, which fixes any problems with HTTP/HTTPS redirects and also allows for wildcard certificates.

See Setup a wildcard certificate with ACME on a custom domain name "hosted" by PowerDNS for an example of different alternatives to set it up.

I modified your example with what I think would work:

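{ ... }: {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "mydoma.in" = {
        forceSSL = true;
        # Reuse the certificate defined under security.acme.certs."mydoma.in".
        useACMEHost = "mydoma.in";
        locations."/".root = "/var/www";
      };
      "watch.mydoma.in" = {
        forceSSL = true;
        # Covered by the "*.mydoma.in" name on the same certificate.
        useACMEHost = "mydoma.in";
        locations."/".proxyPass = "http://localhost:8096";
      };
    };
  };
  security.acme.certs."mydoma.in" = {
    # DNS challenge only: webroot is dropped because the module treats
    # webroot and dnsProvider as mutually exclusive, and wildcard names
    # can only be validated over DNS.
    dnsProvider = "...";
    email = "myemail@gmail.com";
    # Lets nginx read the issued certificate and key.
    group = "nginx";
    extraDomainNames = [ "*.mydoma.in" ];
  };
}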
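
The following check is an added example, not part of the original post. It tests whether every nginx virtual host that reuses the certificate through useACMEHost is covered by the certificate's names, using the usual wildcard rule (the `*` stands for exactly one left-most label). The function names are hypothetical; the host names are the ones from the config above.

```python
# Added example: the helper names are hypothetical; the host names mirror the config above.

def san_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name covers the host.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so "*.mydoma.in" covers "watch.mydoma.in" but
    neither "mydoma.in" nor "a.watch.mydoma.in".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.in".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(cert_names, vhosts):
    """List the virtual hosts that no name on the certificate covers."""
    return [v for v in vhosts if not any(san_matches(n, v) for n in cert_names)]


# Certificate key plus extraDomainNames from security.acme.certs."mydoma.in".
CERT_NAMES = ["mydoma.in", "*.mydoma.in"]
# Virtual hosts that set useACMEHost = "mydoma.in".
VHOSTS = ["mydoma.in", "watch.mydoma.in"]

if __name__ == "__main__":
    missing = uncovered_hosts(CERT_NAMES, VHOSTS)
    print("all virtual hosts covered" if not missing else f"not covered: {missing}")
    # A deeper subdomain would need its own name on the certificate.
    print(uncovered_hosts(CERT_NAMES, ["a.watch.mydoma.in"]))
```

Running it over the names of a new virtual host before adding useACMEHost shows whether the shared certificate needs another entry in extraDomainNames.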