The only reason I haven't implemented HSTS with any long living time is that when renewing a certificate I have to (temporarily) enable HTTP to renew the certificate. I understand DNS is an option but using that right now because that would make the entire process manual.
If I were to implement HSTS with a year max-age, what happens when I temporarily enable HTTP and try to renew a certificate? If HSTS works correctly, Let's Encrypt validation/renewal via HTTP should theoretically fail, right? Or does the HTTP agent that validates Let's Encrypt certificates ignore HSTS?
*On a totally different note, what forum software is used here? Nextcloud uses the same, but I don't think this is Flarum.