Fix borgmatic borg path and add k8s-pg ACL grant

- Add local_path option to borgmatic config for borg binary
- Add ACL grant for tag:homelab -> tag:k8s on port 5432

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/borgmatic/defaults/main.yml

@@ -3,6 +3,9 @@ borgmatic_config: /Users/erichblume/.config/borgmatic/config.yaml
 borgmatic_config_dir: /Users/erichblume/.config/borgmatic
 borgmatic_log_dir: /Users/erichblume/Library/Logs
 
+# Full path to borg binary since LaunchAgent doesn't have homebrew in PATH
+borgmatic_local_path: /opt/homebrew/bin/borg
+
 # Schedule: runs daily at 2:00 AM
 borgmatic_schedule_hour: 2
 borgmatic_schedule_minute: 0

ansible/roles/borgmatic/templates/config.yaml.j2

@@ -1,5 +1,8 @@
 # {{ ansible_managed }}
 
+# Path to borg binary (LaunchAgent doesn't have homebrew in PATH)
+local_path: {{ borgmatic_local_path }}
+
 source_directories:
 {% for dir in borgmatic_source_directories %}
     - {{ dir }}

pulumi/policy.hujson

@@ -74,6 +74,12 @@
 			"dst": ["tag:homelab"],
 			"ip":  ["tcp:3001", "tcp:2200"],
 		},
+		// Homelab can reach k8s PostgreSQL for borgmatic backups
+		{
+			"src": ["tag:homelab"],
+			"dst": ["tag:k8s"],
+			"ip":  ["tcp:5432"],
+		},
 	],
 
 	// ============== SSH Access ==============