diff --git a/deploy-web b/deploy-web
index f4253d1..d3f0a96 100755
--- a/deploy-web
+++ b/deploy-web
@@ -16,7 +16,8 @@ for host in ${hosts_web[@]}; do
 rsync --chmod=755 create-session-ticket-keys rotate-session-ticket-keys $remote:/usr/local/bin/
 rsync -r --delete etc/systemd/system/nginx.service.d/ $remote:/etc/systemd/system/nginx.service.d
- ssh $remote "groupadd -fg 2100 tls
+ ssh $remote "mkdir -pm755 /var/cache/nginx
+groupadd -fg 2100 tls
 mkdir -p -m 750 /etc/session-ticket-keys && chgrp tls /etc/session-ticket-keys
 systemctl daemon-reload && systemctl enable create-session-ticket-keys.service rotate-session-ticket-keys.timer nginx"
diff --git a/etc/systemd/system/nginx.service.d/override.conf b/etc/systemd/system/nginx.service.d/override.conf
index 80d8afb..8e4339e 100644
--- a/etc/systemd/system/nginx.service.d/override.conf
+++ b/etc/systemd/system/nginx.service.d/override.conf
@@ -14,7 +14,7 @@ ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=strict
-ReadWritePaths=/var/lib/nginx /var/log/nginx -/var/cache/nginx
+ReadWritePaths=/var/lib/nginx /var/log/nginx /var/cache/nginx
 Restart=always
 RestartMaxDelaySec=10s
 RestartSec=100ms
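Review bot: The added `mkdir -pm755 /var/cache/nginx` applies the mode only when it creates the directory, so a /var/cache/nginx that already exists keeps its current mode and owner. The remote commands are also newline-separated, so a failed mkdir does not stop the `systemctl enable` line from running. Since this commit makes the path mandatory in `ReadWritePaths`, the step should fail fast and set the mode explicitly, for example `mkdir -p /var/cache/nginx && chmod 755 /var/cache/nginx || exit 1`. The enclosing `for host in ...` loop starts and ends outside this hunk, so whether a non-zero ssh exit status stops the deploy cannot be seen here.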
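Review bot: With the `-` prefix removed from `/var/cache/nginx` in `ReadWritePaths`, a missing directory is no longer ignored and the unit will fail to set up its mount namespace at start. The drop-in now depends on deploy-web having created the path, but nothing in the file says so. I would add a comment above the line such as `# /var/cache/nginx is created by deploy-web; it must exist or the unit fails to start`. Alternatively `CacheDirectory=nginx` would have systemd create the directory and make it writable under `ProtectSystem=strict`. The resulting ownership depends on the unit's `User=`, which is not visible in this hunk, and the `[Service]` section starts outside it.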