I did a quick diff between the systemd units in 20.09 and 21.05 and I think this is what you should add to your configuration.nix to test my theory:

```nix
systemd.services.nginx.serviceConfig = {
  ProcSubset = lib.mkForce "";
  ProtectProc = lib.mkForce "";
  ProtectClock = lib.mkForce false;
  ProtectKernelLogs = lib.mkForce false;
  RestrictNamespaces = lib.mkForce false;
  RemoveIPC = lib.mkForce false;
  SystemCallFilter = lib.mkForce "";
};
```

This is likely wrong and we’ll have to fiddle with this a bit (remove one by one until we find the specific option), but it is a starting point so we can figure out exactly which added option caused your issues.
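
While removing the overrides one by one, it helps to confirm after each rebuild which of the seven directives the running unit still enforces. The following is an added example, not part of the original post: it filters `systemctl show` output, and it assumes that the values `no`, `all`, `default` and an empty value mean "not restricted" for these properties; the function names and the sample are constructed.

```shell
#!/bin/sh
# Directives relaxed by the override in the post above.
DIRECTIVES="ProcSubset ProtectProc ProtectClock ProtectKernelLogs RestrictNamespaces RemoveIPC SystemCallFilter"

# still_hardened: read "Key=Value" lines (the format of `systemctl show`)
# on stdin and print each watched directive whose value is not a relaxed one.
still_hardened() {
  awk -v want="$DIRECTIVES" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1)
      val = substr($0, eq + 1)
      if (!(key in watch)) next
      # Assumption: these values mean the restriction is off.
      if (val != "" && val != "no" && val != "all" && val != "default") print key
    }'
}

# Constructed sample: every override applied except ProtectKernelLogs.
sample_output() {
  cat <<'EOF'
Id=nginx.service
ProcSubset=all
ProtectProc=default
ProtectClock=no
ProtectKernelLogs=yes
RestrictNamespaces=no
RemoveIPC=no
SystemCallFilter=
EOF
}

# On a real host, after nixos-rebuild switch:
#   systemctl show nginx.service -p ProcSubset -p ProtectProc -p ProtectClock \
#     -p ProtectKernelLogs -p RestrictNamespaces -p RemoveIPC \
#     -p SystemCallFilter | still_hardened
```

An empty result means none of the seven directives is restricting the service; any name printed is a directive still applied to the unit.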