This script generate a yourdomain.conf in /etc/nginx/sites-enabled/ and generate a Let's Encrypt certificate with certbot (You have to install certbot manually!)

add_domain.sh

#!/bin/bash

# Shell script to add a subdomain to nginx with let's encrypt

DOMAIN=""
PROXY=false
DOCROOT="/var/www/html/"

function usage()
{
    echo "This script generate a yourdomain.conf in /etc/nginx/sites-enabled/ and generate a Let's Encrypt certificate with certbot (You have to install certbot manually!)"
    echo ""
    echo "./add_domain.sh"
    echo "\t-h --help"
    echo "\t--domain=yourdomain.org"
    echo "\t--proxy=1 or 0"
    echo "\t--port=ProxyPort"
    echo "\t--docroot=/var/www/html/"
    echo ""
}

#root check (root is necessary for certbot)
if (($EUID != 0)); then
	echo "Please run with sudo or run as root :)"
	exit
fi

while [ "$1" != "" ]; do
    PARAM=`echo $1 | awk -F= '{print $1}'`
    VALUE=`echo $1 | awk -F= '{print $2}'`
    case $PARAM in
        -h | --help)
            usage
            exit
            ;;
        --domain)
            DOMAIN=$VALUE
            ;;
        --proxy)
            PROXY=$VALUE
            ;;
	--port)
		PORT=$VALUE
		;;
	--docroot)
		DOCROOT=$VALUE
		;;
        *)
            echo "ERROR: unknown parameter \"$PARAM\""
            usage
            exit 1
            ;;
    esac
    shift
done


INTERNLOCATION="ERROR"
if ((PROXY != 0));  then
	INTERNLOCATION=$(cat <<-END
			proxy_set_header X-Real-IP \$remote_addr; 
			proxy_set_header Host \$host; 
			proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 
			proxy_pass http://127.0.0.1:$PORT;
END
)
fi

if ((PROXY != 1)); then
	INTERNLOCATION="root $DOCROOT;"
fi





echo "Running certbot for $DOMAIN...."
certbot --nginx certonly -d $DOMAIN
echo "Generate /etc/nginx/sites-enabled/$DOMAIN.conf...."

cat > /etc/nginx/sites-enabled/$DOMAIN.conf <<DELIM
## http://$DOMAIN redirects to https://$DOMAIN
server {

    listen 80;
	listen [::]:80;
    server_name $DOMAIN www.$DOMAIN;	


	location / {
		return 301 https://$DOMAIN$request_uri;
	}
}


## https://www.$DOMAIN redirects to https://$DOMAIN
server {
	listen 443 ssl http2;
	server_name www.$DOMAIN;

	ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
	include /etc/nginx/snippets/le.conf;

	location / {
		return 301 https://$DOMAIN$request_uri;
	}
}

## Serves https://$DOMAIN
server {
	server_name $DOMAIN;
	listen 443 ssl http2;


	ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
	include /etc/nginx/snippets/le.conf;


	location / {
$INTERNLOCATION
    	}
}
DELIM

echo "Reloading nginx config...."
sudo service nginx reload
echo "Domain $DOMAIN successfully added!!"
exit 1

le.conf

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;