11ty / eleventy-base-blog

A starter repository for a blog web site using the Eleventy static site generator.

Home Page: https://eleventy-base-blog.netlify.app/

Unclear how to configure to be compatible with CSP directive `style-src 'self'`

DougReeder opened this issue

The automatic inlining of CSS is cool, but it conflicts with the Content-Security-Policy `style-src 'self'`, which enforces a common and widely-recommended level of security.

Replacing

```html
<style>{% getBundle "css" %}</style>
```

with

```html
<link rel="stylesheet" href="{% getBundleFileUrl "css" %}">
```

in base.njk will move the static CSS to a separate file. This should be documented in the README.

However,

```html
<ol reversed class="postlist" style="counter-reset: start-from {{ (postslistCounter or postslist.length) + 1 }}">
```

is more challenging, as it can't be moved to a static CSS file. Replacing it with

```html
{%- css %}.postlist { counter-reset: start-from {{ (postslistCounter or postslist.length) + 1 }} }{% endcss %}
<ol reversed class="postlist">
```

appears to be sufficient.

Thank you for the PR—looks great!
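
A build-time check for the two cases raised in the issue, as an added example that is not part of the original thread or the project's code: it scans rendered HTML for inline `<style>` elements and `style` attributes, both of which `style-src 'self'` blocks. The function name, the sample pages and the bundle path are constructed for illustration.

```javascript
// Added example (not from the eleventy-base-blog repo): flag markup in built HTML
// that a `style-src 'self'` policy blocks. Regex scanning is a heuristic that
// suits generated static pages; it is not a full HTML parser.
function findInlineStyleViolations(html) {
  // Blank out comments (keeping newlines) so commented-out markup is ignored
  // and reported line numbers stay correct.
  const text = html.replace(/<!--[\s\S]*?-->/g, (c) => c.replace(/[^\n]/g, " "));
  const lineOf = (index) => text.slice(0, index).split("\n").length;
  const findings = [];
  // Inline <style> elements, e.g. the output of <style>{% getBundle "css" %}</style>.
  for (const m of text.matchAll(/<style\b[^>]*>/gi)) {
    findings.push({ kind: "style-element", line: lineOf(m.index), snippet: m[0] });
  }
  // style="..." attributes, e.g. the counter-reset on the post list.
  for (const m of text.matchAll(/<[a-z][^>]*?\sstyle\s*=\s*("[^"]*"|'[^']*')[^>]*>/gi)) {
    findings.push({ kind: "style-attribute", line: lineOf(m.index), snippet: m[0] });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed samples of rendered output, before and after the two changes.
const BEFORE = `<!doctype html>
<html><head>
<style>.postlist { list-style: none }</style>
</head><body>
<ol reversed class="postlist" style="counter-reset: start-from 4">
<li>Post</li></ol>
</body></html>`;

const AFTER = `<!doctype html>
<html><head>
<link rel="stylesheet" href="/bundle/constructed.css">
</head><body>
<ol reversed class="postlist">
<li>Post</li></ol>
</body></html>`;

for (const [name, html] of [["before", BEFORE], ["after", AFTER]]) {
  const found = findInlineStyleViolations(html);
  console.log(`${name}: ${found.length} violation(s)`);
  for (const f of found) console.log(`  line ${f.line} ${f.kind}: ${f.snippet}`);
}
```

Running the function over every `.html` file in the build output and failing the build on any finding keeps new inline styles from reaching a site served with this policy.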