All webservers/domains and subdomains on my machine serve https now. So far, this is optional for all domains except releases.fireandbrimst.one, because I think you should still be able to choose. On slow connections (think satellite connection in the middle of nowhere), https can still be a problem.
I used Oliver Kuederle’s pointers to configure nginx and obtain certs with lego. I did not like the official Let’s Encrypt certbot, too much magic and Python involved. Lego seemed like a sensible alternative.
The certificate will be renewed every month.