diff --git a/roles/debian/varnish_config/defaults/main.yml b/roles/debian/varnish_config/defaults/main.yml index 38f9bd90e..605771e86 100644 --- a/roles/debian/varnish_config/defaults/main.yml +++ b/roles/debian/varnish_config/defaults/main.yml @@ -1,6 +1,10 @@ --- # Defaults file for varnish_config, other variables exist from importing geerlingguy.varnish and can be overriden +limit_memlock: 82000 +limit_core: infinity +tasks_max: infinity +varnish_storage: "malloc,{{ ansible_facts.memtotal_mb // 10 }}M" varnish_config: # List of IPs that are allowed to ask for content purge. allowed_purge_IP: [] @@ -17,3 +21,4 @@ varnish_config: upstream_proxies: [] # Provide an alternative filename if you are providing a template. template_filename: default.vcl + # Varnish systemd overrides to make varnish consistent even after upgrades diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml index ad6d2836e..ace30d274 100644 --- a/roles/debian/varnish_config/tasks/main.yml +++ b/roles/debian/varnish_config/tasks/main.yml 
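Review bot: In defaults/main.yml the new `limit_memlock`, `limit_core` and `tasks_max` carry no role prefix, and Ansible variables share one namespace per host, so any other role or inventory file that defines `tasks_max` or `limit_core` silently changes the Varnish unit. Names such as `varnish_limit_memlock`, `varnish_limit_core` and `varnish_tasks_max` would match the `varnish_limit_nofile` the template already reads. The defaults `limit_core: infinity` and `tasks_max: infinity` also remove two safety limits for every host that applies the role: unbounded core files from a cache process can contain cached responses and request headers and can fill the disk, and an uncapped task count drops systemd's guard against runaway thread creation. Consider finite defaults, or at least a comment above `limit_core` such as `# core files may contain cached response data; raise only while debugging`.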
@@ -1,15 +1,24 @@
 ---
-- name: Copy Varnish default VCL.
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ varnish_config_path }}/default.vcl"
- owner: root
- group: root
- mode: 0644
- with_first_found:
- - "{{ playbook_dir }}/templates/{{ varnish_config.template_filename }}.j2"
- - "{{ _ce_provision_base_dir }}/config/files/templates/{{ varnish_config.template_filename }}.j2"
- - "default.vcl.j2"
- notify:
- - reload systemd # handlers in https://github.com/geerlingguy/ansible-role-varnish/blob/master/handlers/main.yml
- - restart varnish
+- block:
+ - name: Copy Varnish default VCL.
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ varnish_config_path }}/default.vcl"
+ owner: root
+ group: root
+ mode: 0644
+ with_first_found:
+ - "{{ playbook_dir }}/templates/{{ varnish_config.template_filename }}.j2"
+ - "{{ _ce_provision_base_dir }}/config/files/templates/{{ varnish_config.template_filename }}.j2"
+ - "default.vcl.j2"
+# This will keep varnish config as it is even after varnish upgrade
+ - name: Template varnish systemd service file
+ ansible.builtin.template:
+ src: varnish.service.j2
+ dest: /etc/systemd/system/varnish.service
+ mode: '0644'
+ notify:
+ - reload systemd
+ - restart varnish
+
+# TO DO: add varnish to unattended upgrades
diff --git a/roles/debian/varnish_config/templates/varnish.service.j2 b/roles/debian/varnish_config/templates/varnish.service.j2
new file mode 100644
index 000000000..04712fdcd
--- /dev/null
+++ b/roles/debian/varnish_config/templates/varnish.service.j2
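Review bot: In tasks/main.yml the new `Template varnish systemd service file` task sets only `mode: '0644'`, while the VCL task beside it pins `owner: root` and `group: root`. A unit file under /etc/systemd/system decides what systemd starts, so its ownership should not depend on which user the play runs as; add `owner: root` and `group: root` to that task. The re-indented VCL task still has the unquoted `mode: 0644`; quoting it as `'0644'`, as the new task does, avoids relying on the YAML parser reading it as octal. The removed trailing comment on `reload systemd` was the only pointer to where that handler is defined (the geerlingguy.varnish role), so I would keep it as `# handlers come from geerlingguy.varnish` above `notify:`.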
@@ -0,0 +1,30 @@
+[Unit]
+Description=Varnish Cache, a high-performance HTTP accelerator
+After=network-online.target
+
+[Service]
+Type=forking
+KillMode=process
+
+PIDFile= {{ varnish_pidfile }}
+
+# Maximum number of open files (for ulimit -n)
+LimitNOFILE= {{ varnish_limit_nofile }}
+
+# Locked shared memory
+LimitMEMLOCK= {{ limit_memlock }}
+
+# Enable this to avoid "fork failed" on reload.
+TasksMax= {{ tasks_max }}
+
+# Maximum size of the corefile.
+LimitCORE= {{ limit_core }}
+
+ExecStart=/usr/sbin/varnishd -a :80 -T 127.0.0.1:6082 -P /run/varnishd.pid -f /etc/varnish/default.vcl -S /etc/varnish/secret -s {{ varnish_storage }}
+
+ExecReload=/usr/sbin/varnishreload
+
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
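Review bot: In varnish.service.j2 `PIDFile=` is rendered from `{{ varnish_pidfile }}` but `ExecStart` hard-codes `-P /run/varnishd.pid`, so with `Type=forking` any other value of `varnish_pidfile` leaves systemd waiting for a PID file that varnishd never writes, and the start times out. The same mismatch exists for `-f /etc/varnish/default.vcl`, which the task in this commit writes to `{{ varnish_config_path }}/default.vcl`; use the variables in the command line, `-P {{ varnish_pidfile }} -f {{ varnish_config_path }}/default.vcl`. A file at /etc/systemd/system/varnish.service replaces the packaged unit outright, so any sandboxing directives the distribution ships in its own unit would stop applying. The packaged unit is not visible in this diff, so please compare the two, or carry these limits in a drop-in under `varnish.service.d/` instead. Keeping the management listener at `-T 127.0.0.1:6082` is the right default, and a comment such as `# management interface must stay on loopback` would help prevent it being widened later.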