Use stable channel and use helper function for acme challenge proxy

config/hosts/web-public-2/nginx.nix

@@ -11,33 +11,32 @@
       worker_connections 1024;
     '';
 
-    streamConfig = ''
-      map $ssl_preread_server_name $address {
-        anisync.grzb.de 127.0.0.1:8443;
-        birdsite.nekover.se 10.202.41.107:8443;
-        cloud.nekover.se 10.202.41.122:8443;
-        element.nekover.se 127.0.0.1:8443;
-        gameserver.grzb.de 127.0.0.1:8443;
-        git.grzb.de 127.0.0.1:8443;
-        hydra.nekover.se 10.202.41.121:8443;
-        matrix.nekover.se 10.202.41.112:8443;
-        mewtube.nekover.se 127.0.0.1:8443;
-        nekover.se 127.0.0.1:8443;
-        nix-cache.nekover.se 10.202.41.121:8443;
-        social.nekover.se 10.202.41.104:8443;
-      }
-
-      server {
-        listen 0.0.0.0:443;
-        listen [::]:443;
-        proxy_pass $address;
-        ssl_preread on;
-        proxy_protocol on;
-      }
-    '';
-
     appendConfig = ''
       worker_processes auto;
+
+      stream {
+        map $ssl_preread_server_name $address {
+          anisync.grzb.de 127.0.0.1:8443;
+          birdsite.nekover.se 10.202.41.107:8443;
+          cloud.nekover.se 10.202.41.122:8443;
+          element.nekover.se 127.0.0.1:8443;
+          gameserver.grzb.de 127.0.0.1:8443;
+          git.grzb.de 127.0.0.1:8443;
+          hydra.nekover.se 10.202.41.121:8443;
+          matrix.nekover.se 10.202.41.112:8443;
+          mewtube.nekover.se 127.0.0.1:8443;
+          nekover.se 127.0.0.1:8443;
+          nix-cache.nekover.se 10.202.41.121:8443;
+          social.nekover.se 10.202.41.104:8443;
+        }
+        server {
+          listen 0.0.0.0:443;
+          listen [::]:443;
+          proxy_pass $address;
+          ssl_preread on;
+          proxy_protocol on;
+        }
+      }
     '';
 
     appendHttpConfig = ''