Let's Encrypt support is baked into Discourse so that it should auto-renew the cert and therefore be a "set it and forget it" solution. There have been some bugs in the implementation during spring, thus I have not enabled it earlier. But now it seems to be ready for production, so let's see how it goes.
Also, the solution here is two-fold, as I use CloudFlare CDN in front of this website. I have not yet enabled HSTS in CloudFlare settings, but the support is there.