After a few minutes of down-time (oops), things are up!
The external nginx server now proxies requests to the internal one, which handles app-specific stuff.
This means I can now deploy entire apps and their related nginx reverse-proxy config in a single commit :D
Unfortunately, the internal nginx is also using SSL which is a tad redundant but I suppose there’s nothing wrong with the extra security.