diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -774,6 +774,8 @@
 zone_keys:
 softwareheritage.org: "%{alias('gandi::softwareheritage_org::xmlrpc_key')}"
+sentry::vhost::name: sentry.softwareheritage.org
+
 letsencrypt::certificates::exported_directory: "%{::puppet_vardir}/letsencrypt_exports"
 letsencrypt::certificates::directory: /etc/ssl/certs/letsencrypt
 letsencrypt::certificates:
@@ -817,9 +819,9 @@
 jenkins:
 domains:
 - jenkins.softwareheritage.org
- sentry:
+ "%{lookup('sentry::vhost::name')}":
 domains:
- - sentry.softwareheritage.org
+ - "%{lookup('sentry::vhost::name')}"
 storage1.internal.staging.swh.network:
 domains:
 - broker1.journal.staging.swh.network
diff --git a/data/deployments/admin/common.yaml b/data/deployments/admin/common.yaml
--- a/data/deployments/admin/common.yaml
+++ b/data/deployments/admin/common.yaml
@@ -2,10 +2,6 @@
 dns::search_domains:
 - internal.admin.swh.network
-swh::deploy::reverse_proxy::services:
- - hedgedoc
- - grafana
-
 swh::postgresql::version: '14'
 swh::postgresql::listen_addresses:
 - 0.0.0.0
@@ -22,6 +18,12 @@
 hedgedoc::db::username: hedgedoc
 # swh::deploy::hedgedoc::db::password: in private-data
+# namespace key `key_name`, lookup will happen on swh::deploy::{key_name}::...
+swh::deploy::reverse_proxy::services:
+ - hedgedoc
+ - grafana
+ - sentry
+
 swh::deploy::hedgedoc::reverse_proxy::backend_http_host: bardo.internal.admin.swh.network
 swh::deploy::hedgedoc::reverse_proxy::backend_http_port: "3000"
 swh::deploy::hedgedoc::reverse_proxy::websocket_support: true
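Review bot: The comment added above `swh::deploy::reverse_proxy::services` in the `@@ -22,6 +18,12 @@` hunk of data/deployments/admin/common.yaml is hard to parse (`namespace key \`key_name\`, lookup will happen on swh::deploy::{key_name}::...`), and since this list now decides which hiera keys profile::swh::deploy::reverse_proxy resolves, the reader needs those key names. Something like `# Each entry <svc> below is wired by profile::swh::deploy::reverse_proxy through swh::deploy::<svc>::vhost::letsencrypt_cert, ::reverse_proxy::backend_http_host, ::reverse_proxy::backend_http_port, ::reverse_proxy::websocket_support (optional), ::icinga_check_uri (optional) and ::icinga_check_string (optional)` would do. Those are the lookups visible in the site-modules/profile/manifests/swh/deploy/reverse_proxy.pp hunks of this same commit; if the profile reads further keys outside the hunks, the list should be completed from the file.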
@@ -34,6 +36,12 @@
 swh::deploy::grafana::reverse_proxy::websocket_support: true
 swh::deploy::grafana::base_url: "%{lookup('grafana::vhost::name')}"
+swh::deploy::sentry::vhost::letsencrypt_cert: "%{lookup('sentry::vhost::name')}"
+swh::deploy::sentry::reverse_proxy::backend_http_host: riverside.internal.admin.swh.network
+swh::deploy::sentry::reverse_proxy::backend_http_port: "9000"
+swh::deploy::sentry::base_url: "%{lookup('sentry::vhost::name')}"
+swh::deploy::sentry::icinga_check_uri: '/auth/login/swh/'
+
 hitch::frontend: "[*]:443"
 hitch::proxy_support: true
 varnish::http_port: 80
diff --git a/data/hostname/bojimans.internal.admin.swh.network.yaml b/data/hostname/bojimans.internal.admin.swh.network.yaml
--- a/data/hostname/bojimans.internal.admin.swh.network.yaml
+++ b/data/hostname/bojimans.internal.admin.swh.network.yaml
@@ -1,4 +1,4 @@
----
+---
 apache::rewrite_domains:
 # Must have matching certificates in letsencrypt::certificates
 inventory.internal.softwareheritage.org:
diff --git a/data/hostname/pergamon.softwareheritage.org.yaml b/data/hostname/pergamon.softwareheritage.org.yaml
--- a/data/hostname/pergamon.softwareheritage.org.yaml
+++ b/data/hostname/pergamon.softwareheritage.org.yaml
@@ -72,3 +72,11 @@
 gid: 3000
 boatbucket:
 gid: 1024
+
+# Temporarily for the duration of the riverside migration to the admin vlan (to remove
+once the migration is effective and the ttl considered expired).
+apache::rewrite_domains:
+ # Must have matching certificates in letsencrypt::certificates
+ sentry.softwareheritage.org:
+ rewrites:
+ - "^.*$ http://riverside.internal.admin.swh.network:9000"
diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
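Review bot: The deleted profile::sentry::reverse_proxy passed `proxy_preserve_host => true` to Apache, and none of the new `swh::deploy::sentry::*` keys in the `@@ -34,6 +36,12 @@` hunk carries an equivalent, so whether riverside still sees `Host: sentry.softwareheritage.org` and an https forwarded-proto now depends on the hitch/varnish chain behind profile::swh::deploy::reverse_proxy, which this commit does not show. Sentry generally derives its absolute URLs and origin/CSRF checks from those forwarded headers, so if the proxy rewrites Host to `riverside.internal.admin.swh.network:9000`, logins and redirects would point at the internal name. Worth confirming against the vcl already used for hedgedoc and grafana before the DNS switch; if it is covered there, a one-line comment next to `swh::deploy::sentry::reverse_proxy::backend_http_host` saying that Host is preserved by varnish would spare the next reader the same check.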
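Review bot: The rewrite `^.*$ http://riverside.internal.admin.swh.network:9000` in the pergamon.softwareheritage.org.yaml hunk discards the request path and redirects an https vhost to a plain-http URL on a name that, by its `internal.admin` suffix, presumably only resolves inside the admin vlan; while the old DNS record is still cached, external browsers and SDK event ingestion that reach pergamon get a redirect they cannot follow, and internal clients that can follow it send their Sentry session over cleartext. If only internal users are meant to be covered during the TTL window, the comment should say so, and the path should at least survive, `- "^(.*)$ http://riverside.internal.admin.swh.network:9000$1"` (assuming these entries become RewriteRule pattern/substitution pairs, as the bojimans file's same key suggests); otherwise pergamon would have to keep proxying until the TTL is out. Separately, as rendered here the second comment line starts with `once the migration ...` with no leading `#`; if that is what the file contains, hiera will not parse pergamon's data, and it should read `# once the migration is effective and the ttl considered expired).`.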
@@ -81,12 +81,15 @@
 aliases:
 - hedgedoc.softwareheritage.org
 - grafana.softwareheritage.org
+ - sentry.softwareheritage.org
 10.168.50.30:
 host: grafana0.internal.admin.swh.network
 10.168.50.50:
 host: dali.internal.admin.swh.network
 aliases:
 - db1.internal.admin.swh.network
+ 10.168.50.70:
+ host: riverside.internal.admin.swh.network
 10.168.50.60:
 host: bojimans.internal.admin.swh.network
 aliases:
@@ -120,10 +123,6 @@
 host: beaubourg.internal.softwareheritage.org
 10.168.100.34:
 host: hypervisor3.internal.softwareheritage.org
- 10.168.100.52:
- host: riverside.internal.softwareheritage.org
- aliases:
- - sentry.softwareheritage.org
 10.168.100.61:
 host: esnode1.internal.softwareheritage.org
 10.168.100.62:
diff --git a/manifests/site.pp b/manifests/site.pp
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -118,7 +118,7 @@
 include role::swh_ci_server
 }
-node 'riverside.internal.softwareheritage.org' {
+node 'riverside.internal.admin.swh.network' {
 include role::swh_sentry
 }
diff --git a/site-modules/profile/manifests/sentry/reverse_proxy.pp b/site-modules/profile/manifests/sentry/reverse_proxy.pp
deleted file mode 100644
--- a/site-modules/profile/manifests/sentry/reverse_proxy.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-class profile::sentry::reverse_proxy {
- ::profile::reverse_proxy {'sentry':
- extra_apache_opts => {
- proxy_preserve_host => true,
- },
- icinga_check_uri => '/auth/login/swh/',
- }
-}
diff --git a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
--- a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
+++ b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
@@ -1,4 +1,4 @@
-# Reverse proxy to expose staging services
+# Reverse proxy to expose staging/admin services
 # https://forge.softwareheritage.org/T2747
 class profile::swh::deploy::reverse_proxy {
 include ::profile::hitch
@@ -12,6 +12,11 @@
 $cert_name = lookup("swh::deploy::${service_name}::vhost::letsencrypt_cert")
 $backend_http_host = lookup("swh::deploy::${service_name}::reverse_proxy::backend_http_host")
 $backend_http_port = lookup("swh::deploy::${service_name}::reverse_proxy::backend_http_port")
+ $icinga_check_uri = lookup("swh::deploy::${service_name}::icinga_check_uri",
+ default_value => '/')
+ $icinga_check_string = lookup("swh::deploy::${service_name}::icinga_check_string",
+ default_value => capitalize($service_name))
+
 $websocket_support = lookup({
 'name' => "swh::deploy::${service_name}::reverse_proxy::websocket_support",
 'default_value' => false,
@@ -100,7 +105,8 @@
 http_port => $vhost_ssl_port,
 http_ssl => true,
 http_sni => true,
- http_uri => '/',
+ http_uri => $icinga_check_uri,
+ http_string => $icinga_check_string,
 http_onredirect => sticky,
 } + $http_expect_var,
 target => $icinga_checks_file,
diff --git a/site-modules/role/manifests/swh_sysadmin.pp b/site-modules/role/manifests/swh_sysadmin.pp
--- a/site-modules/role/manifests/swh_sysadmin.pp
+++ b/site-modules/role/manifests/swh_sysadmin.pp
@@ -22,7 +22,8 @@
 include profile::debian_repository
 include profile::bitbucket_archive_web
- include profile::sentry::reverse_proxy
+ # redirect sentry.s.o -> riverside.i.a.s.n (temporary during vlan migration)
+ include profile::apache::rewrite_domains
 include profile::weekly_report_bot
 include profile::weekly_planning_bot
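Review bot: `default_value => capitalize($service_name)` in the `@@ -12,6 +12,11 @@` hunk, fed to `http_string` in the `@@ -100,7 +105,8 @@` hunk, turns on a body-content check for every proxied service, not just sentry, and check_http's `-s` match is a verbatim, case-sensitive substring; for the existing hedgedoc and grafana entries of the admin services list that means `Hedgedoc` and `Grafana` must appear literally on `/`, which nothing in this commit verifies, so the change can flip currently green checks to CRITICAL on the next puppet run. Safer options are to make the string opt-in (`default_value => undef` and merge `http_string` into the check hash only when set, the way `$http_expect_var` is already merged) or to pin an explicit `swh::deploy::<svc>::icinga_check_string` in hiera for each current service; for sentry the string expected at `/auth/login/swh/` should be confirmed against the real login page as well. On style, the two new lookups use the `name, default_value => …` call form while `$websocket_support` just below uses the options-hash form; one convention would read better. The class body and the icinga resource both continue outside these hunks.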