diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -761,6 +761,9 @@
     domains:
       - deposit.staging.swh.network
       - deposit-rp.internal.staging.swh.network
+  hedgedoc:
+    domains:
+      - hedgedoc.softwareheritage.org
   journal0.internal.staging.swh.network:
     domains:
       - broker0.journal.staging.swh.network
diff --git a/data/deployments/admin/common.yaml b/data/deployments/admin/common.yaml
--- a/data/deployments/admin/common.yaml
+++ b/data/deployments/admin/common.yaml
@@ -4,3 +4,14 @@
   - hedgedoc
 
 swh::postgresql::shared_buffers: 4GB
+
+swh::deploy::hedgedoc::reverse_proxy::backend_http_host: bardo.internal.admin.swh.network
+swh::deploy::hedgedoc::reverse_proxy::backend_http_port: "3000"
+
+swh::deploy::hedgedoc::base_url: hedgedoc.softwareheritage.org
+swh::deploy::hedgedoc::vhost::letsencrypt_cert: hedgedoc
+
+hitch::frontend: "[*]:443"
+hitch::proxy_support: true
+varnish::http_port: 80
+
diff --git a/data/hostname/bardo.internal.admin.swh.network.yaml b/data/hostname/bardo.internal.admin.swh.network.yaml
--- a/data/hostname/bardo.internal.admin.swh.network.yaml
+++ b/data/hostname/bardo.internal.admin.swh.network.yaml
@@ -9,6 +9,7 @@
     groups:
       - hedgedoc
 
+hedgedoc::db::host: localhost
 hedgedoc::db::database: hedgedoc
 hedgedoc::db::username: hedgedoc
 # hedgedoc::db::password: in private-data
@@ -32,26 +33,19 @@
 
 swh::dbs:
   hedgedoc:
-    name: "%{alias('hedgedoc::db::db_name')}"
+    name: "%{alias('hedgedoc::db::database')}"
     user: "%{alias('hedgedoc::db::username')}"
 
 hedgedoc::release::version: 1.7.1
 hedgedoc::release::digest: 17e7092430b36c96059309fdd03f9244f6a13611e28ced153d9dbf97e109d5ba
 hedgedoc::release::digest_type: sha256
 
-hedgedoc::host: bardo.internal.admin.swh.network
-hedgedoc::port: 3000
 hedgedoc::user: hedgedoc
 hedgedoc::group: hedgedoc
 
-hedgedoc::db::db_name: hedgedoc
-hedgedoc::db::username: hedgedoc
-
 hedgedoc::allow_anonymous: true
 hedgedoc::allow_anonymous_edits: true
 hedgedoc::allow_email: true
 hedgedoc::allow_email_register: true
 hedgedoc::runtime_environment: production
 hedgedoc::log_level: debug
-
-hedgedoc::vhost::letsencrypt_cert: hedgedoc
diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
@@ -51,6 +51,10 @@
 static_hostnames:
   10.168.50.10:
     host: bardo.internal.admin.swh.network
+  10.168.50.20:
+    host: rp0.internal.admin.swh.network
+    aliases:
+      - hedgedoc.softwareheritage.org
   10.168.100.18:
     host: banco.internal.softwareheritage.org
     aliases:
diff --git a/manifests/site.pp b/manifests/site.pp
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -184,7 +184,7 @@
   include role::swh_vault
 }
 
-node /^rp\d\.internal\.staging\.swh\.network$/ {
+node /^rp\d\.internal\.(staging|admin)\.swh\.network$/ {
   include role::swh_reverse_proxy
 }
 
diff --git a/site-modules/profile/manifests/hedgedoc.pp b/site-modules/profile/manifests/hedgedoc.pp
--- a/site-modules/profile/manifests/hedgedoc.pp
+++ b/site-modules/profile/manifests/hedgedoc.pp
@@ -11,15 +11,15 @@
   # ---- configuration
   $user = lookup('hedgedoc::user')
   $group = lookup('hedgedoc::group')
-  $host = lookup('hedgedoc::host')
-  $port = lookup('hedgedoc::port')
-  $base_url = "${host}:${port}"
 
-  $db_name = lookup('hedgedoc::db::db_name')
+  $base_url = lookup('swh::deploy::hedgedoc::base_url')
+
+  $db_host = lookup('hedgedoc::db::host')
+  $db_name = lookup('hedgedoc::db::database')
   $db_user = lookup('hedgedoc::db::username')
   $db_password = lookup('swh::deploy::hedgedoc::db::password')
   $db_port = lookup('swh::postgresql::port')
-  $db_url = "postgres://${db_user}:${db_password}@${host}:${db_port}/${db_name}"
+  $db_url = "postgres://${db_user}:${db_password}@${db_host}:${db_port}/${db_name}"
 
   $allow_anonymous = lookup('hedgedoc::allow_anonymous')
   $allow_anonymous_edits = lookup('hedgedoc::allow_anonymous_edits')
diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb
--- a/site-modules/profile/templates/hedgedoc/config.json.erb
+++ b/site-modules/profile/templates/hedgedoc/config.json.erb
@@ -4,6 +4,7 @@
         "allowAnonymous": <%= @allow_anonymous %>,
         "allowAnonymousEdit": <%= @allow_anonymous_edits %>,
         "allowFreeURL": true,
+        "protocolUseSSL": true,
         "domain": "<%= @base_url %>",
         "loglevel": "<%= @log_level %>",
         "allowOrigin": [ "localhost", "<%= @base_url %>"],
@@ -29,7 +30,7 @@
             "username": "<%= @db_user %>",
             "password": "<%= @db_password %>",
             "database": "<%= @db_name %>",
-            "host": "<%= @host %>",
+            "host": "<%= @db_host %>",
             "port": "<%= @db_port %>",
             "dialect": "postgres"
         },