Nginx as reverse proxy with Apache and Node.js. How to install SSL certificates?

Hi @kkoenen,

You can use Certbot or acme.sh. It's possible that certbot --nginx will do everything that you want based on your current configuration (it would be good to see what it does wrong, if not).

Basically the configuration that you'll eventually want to get to (whether via certbot --nginx or hand-editing your configuration) is creating a new nginx server block listening on port 443 and configured with your private key and chain. This server block can then do the same proxy_pass that your current port 80 server block does.

You'll then want to have a new port 80 server block which takes any request and rewrites the request to its https:// equivalent via a 301 redirect message. (certbot --nginx can do this for you, if it works.)

During the certificate validation process, your site will need to serve challenge files from /.well-known/acme-challenge via HTTP on port 80. certbot --nginx can add a temporary server block which does this in order not to have to make a permanent change to your nginx configuration.

Alternatively, you can add an additional rule to your existing server block so that /.well-known/acme-challenge is served out of a directory on the filesystem, rather than being proxy_passed to a different server. In that case certbot --webroot would be able to work. Or you could add a rule that /.well-known/acme-challenge requests are proxy_passed to a different port and then use certbot --standalone --http-01-port followed by that port number.

I hope one of these options will work well for you.

3 Likes
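
The layout described in the reply above, sketched as an nginx configuration. This is an added example, not part of the original post and not the poster's own configuration. The hostname example.com, the backend address 127.0.0.1:8080 and the webroot /var/www/letsencrypt are assumptions; the certificate paths are those Certbot uses by default under /etc/letsencrypt/live/.

```nginx
# Added example. example.com, 127.0.0.1:8080 and /var/www/letsencrypt are assumed values.

# Port 80: answer ACME HTTP-01 challenges from disk, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Served from the filesystem instead of being proxy_passed, so that
    #   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
    # can place its challenge files here. ^~ stops regex locations from overriding it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # 301 to the HTTPS equivalent. The hostname is fixed rather than taken
    # from the client's Host header, so the redirect target cannot be steered.
    location / {
        return 301 https://example.com$request_uri;
    }
}

# Port 443: terminate TLS, then do the same proxy_pass the old port 80 block did.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # certificate + chain
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # private key
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the Apache/Node.js backend know the original request was HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the result with nginx -t before reloading, and keep privkey.pem readable only by root, since nginx reads it before dropping privileges.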