diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -774,6 +774,8 @@
 zone_keys:
 softwareheritage.org: "%{alias('gandi::softwareheritage_org::xmlrpc_key')}"
+sentry::vhost::name: sentry.softwareheritage.org
+
 letsencrypt::certificates::exported_directory: "%{::puppet_vardir}/letsencrypt_exports"
 letsencrypt::certificates::directory: /etc/ssl/certs/letsencrypt
 letsencrypt::certificates:
@@ -817,9 +819,9 @@
 jenkins:
 domains:
 - jenkins.softwareheritage.org
- sentry:
+ "%{lookup('sentry::vhost::name')}":
 domains:
- - sentry.softwareheritage.org
+ - "%{lookup('sentry::vhost::name')}"
 storage1.internal.staging.swh.network:
 domains:
 - broker1.journal.staging.swh.network
@@ -1040,10 +1042,6 @@
 type: CNAME
 record: inventory.internal.admin.swh.network
 data: bojimans.internal.admin.swh.network.
- sentry-admin/CNAME:
- type: CNAME
- record: sentry.internal.admin.swh.network
- data: riverside.internal.admin.swh.network.
 glyptotek/A: # OPNSense firewall, not managed by puppet
 record: "%{alias('opnsense::hosts.glyptotek.fqdn')}"
 data: "%{alias('opnsense::hosts.glyptotek.ip')}"
diff --git a/data/deployments/admin/common.yaml b/data/deployments/admin/common.yaml
--- a/data/deployments/admin/common.yaml
+++ b/data/deployments/admin/common.yaml
@@ -1,10 +1,5 @@
 swh::deploy::environment: admin
-swh::deploy::reverse_proxy::services:
- - hedgedoc
- - grafana
- - sentry
-
 swh::postgresql::version: '14'
 swh::postgresql::listen_addresses:
 - 0.0.0.0
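Review bot: In data/common/common.yaml (hunk at -817) the certificate entry's hash key becomes `"%{lookup('sentry::vhost::name')}"`, and nothing next to it says that this key now has to stay equal to `swh::deploy::sentry::vhost::letsencrypt_cert` and to the `sentry.softwareheritage.org` rewrite entry on pergamon, whose own comment requires a matching certificate. A one-line comment above the entry would make that coupling visible, e.g. `# key must equal sentry::vhost::name: referenced by the sentry reverse-proxy vhost and by pergamon's rewrite entry`. Renaming the entry from `sentry` presumably also means a certificate under the new name has to exist before the vhost that references it can serve TLS, so the rollout order is worth confirming. The enclosing `letsencrypt::certificates` hash starts and ends outside the hunk.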
@@ -21,6 +16,12 @@
 hedgedoc::db::username: hedgedoc
 # swh::deploy::hedgedoc::db::password: in private-data
+# namespace key `key_name`, lookup will happen on swh::deploy::{key_name}::...
+swh::deploy::reverse_proxy::services:
+ - hedgedoc
+ - grafana
+ - sentry
+
 swh::deploy::hedgedoc::reverse_proxy::backend_http_host: bardo.internal.admin.swh.network
 swh::deploy::hedgedoc::reverse_proxy::backend_http_port: "3000"
 swh::deploy::hedgedoc::reverse_proxy::websocket_support: true
@@ -33,14 +34,13 @@
 swh::deploy::grafana::reverse_proxy::websocket_support: true
 swh::deploy::grafana::base_url: "%{lookup('grafana::vhost::name')}"
-sentry::vhost::name: sentry.softwareheritage.org
 swh::deploy::sentry::vhost::letsencrypt_cert: "%{lookup('sentry::vhost::name')}"
 swh::deploy::sentry::reverse_proxy::backend_http_host: sentry.internal.admin.swh.network
-swh::deploy::sentry::reverse_proxy::backend_http_port: "3000"
+swh::deploy::sentry::reverse_proxy::backend_http_port: "80"
 swh::deploy::sentry::base_url: "%{lookup('sentry::vhost::name')}"
-swh::deploy::sentry::vhost::letsencrypt_cert: sentry
-# swh::deploy::sentry::extra_apache_opts:
-# proxy_preserve_host: true
+# don't forget to:
+# - implement the icinga_check_uri => '/auth/login/swh/'
+# - check proxy_preserve_host => true is the default varnish behavior
 hitch::frontend: "[*]:443"
 hitch::proxy_support: true
diff --git a/data/hostname/pergamon.softwareheritage.org.yaml b/data/hostname/pergamon.softwareheritage.org.yaml
--- a/data/hostname/pergamon.softwareheritage.org.yaml
+++ b/data/hostname/pergamon.softwareheritage.org.yaml
@@ -79,4 +79,4 @@
 # Must have matching certificates in letsencrypt::certificates
 sentry.softwareheritage.org:
 rewrites:
- - "^.*$ https://riverside.internal.admin.swh.network"
+ - "^.*$ http://riverside.internal.admin.swh.network"
diff --git a/site-modules/profile/manifests/sentry/reverse_proxy.pp b/site-modules/profile/manifests/sentry/reverse_proxy.pp
deleted file mode 100644
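Review bot: In data/deployments/admin/common.yaml (hunk at -33) the two settings that the deleted `profile::sentry::reverse_proxy` class enforced, `proxy_preserve_host => true` and `icinga_check_uri => '/auth/login/swh/'`, now exist only as a `# don't forget to:` comment. Once this lands, nothing visible in the change monitors the Sentry login endpoint or confirms that the backend still receives the public Host header. Sentry presumably relies on that header for URL generation and origin checks, so the varnish behaviour is better verified before merge; if it must be deferred, tie the comment to a tracked task, e.g. `# TODO(<ticket-id>): restore icinga check on /auth/login/swh/; confirm varnish passes the original Host`. Separately, `backend_http_host` still names `sentry.internal.admin.swh.network` while this commit removes the `sentry-admin/CNAME` record for that name in data/common/common.yaml, so confirm the name still resolves from another record.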
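Review bot: The rewrite target for `sentry.softwareheritage.org` in data/hostname/pergamon.softwareheritage.org.yaml changes from `https://` to `http://`, which downgrades traffic for a name that the adjacent comment says must have a matching certificate. How `rewrites` is rendered is not visible here, but if it is emitted as a client redirect, Sentry logins, session cookies and event submissions would follow it over cleartext. If riverside no longer terminates TLS, pointing the rule at an HTTPS endpoint of the new reverse proxy avoids the downgrade. If plain HTTP is unavoidable during the migration, record that next to the rule, e.g. `# TEMPORARY (<ticket-id>): cleartext target during vlan migration, restore https afterwards`.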
--- a/site-modules/profile/manifests/sentry/reverse_proxy.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-class profile::sentry::reverse_proxy {
- ::profile::reverse_proxy {'sentry':
- extra_apache_opts => {
- proxy_preserve_host => true,
- },
- icinga_check_uri => '/auth/login/swh/',
- }
-}
diff --git a/site-modules/role/manifests/swh_sysadmin.pp b/site-modules/role/manifests/swh_sysadmin.pp
--- a/site-modules/role/manifests/swh_sysadmin.pp
+++ b/site-modules/role/manifests/swh_sysadmin.pp
@@ -22,6 +22,9 @@
 include profile::debian_repository
 include profile::bitbucket_archive_web
+ # redirect sentry.s.o -> rp1.i.a.s.n (temporary during vlan migration)
+ include profile::apache::rewrite_domains
+
 include profile::weekly_report_bot
 include profile::weekly_planning_bot
 include profile::monthly_report_bot
@@ -29,5 +32,4 @@
 include profile::opnsense::monitoring
 include profile::status_io_metrics
- include profile::apache::rewrite_domains
 }
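Review bot: The comment added above `include profile::apache::rewrite_domains` in site-modules/role/manifests/swh_sysadmin.pp (hunk at -22) says the redirect goes to `rp1.i.a.s.n`, but the rewrite rule this commit changes for pergamon targets `riverside.internal.admin.swh.network`. The comment and the data therefore disagree unless rp1 is an alias for that host. The comment also marks the include as temporary without saying what ends it, which is how a cleartext redirect tends to outlive its migration. Suggest spelling the target out and tying it to a task, e.g. `# TEMPORARY (<ticket-id>): redirect sentry.softwareheritage.org to riverside.internal.admin.swh.network; remove after the vlan migration`. The enclosing class body extends beyond this hunk.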