diff --git a/roles/explorer.nix b/roles/explorer.nix
index c8182205..caeb84d6 100644
--- a/roles/explorer.nix
+++ b/roles/explorer.nix
@@ -65,6 +65,8 @@ in {
 
   services.varnish = {
     enable = globals.withSmash;
+    extraModules = [ pkgs.varnish-modules ];
+    extraCommandLine = "-s malloc,${toString (config.node.memory * 1024 / 4)}M";
     config = ''
       vcl 4.1;
 
@@ -643,6 +645,9 @@ in {
     });
   };
 
+  # Ensure the worker processes don't hit TCP file descriptor limits
+  systemd.services.nginx.serviceConfig.LimitNOFILE = 65535;
+
   # Avoid flooding (and rotating too quicky) default journal with nginx logs:
   # nginx logs: journalctl --namespace nginx
   systemd.services.nginx.serviceConfig.LogNamespace = "nginx";