diff --git a/ansible/roles/borgmatic/defaults/main.yml b/ansible/roles/borgmatic/defaults/main.yml
index a62e5de..0189321 100644
--- a/ansible/roles/borgmatic/defaults/main.yml
+++ b/ansible/roles/borgmatic/defaults/main.yml
@@ -3,6 +3,9 @@ borgmatic_config: /Users/erichblume/.config/borgmatic/config.yaml
 borgmatic_config_dir: /Users/erichblume/.config/borgmatic
 borgmatic_log_dir: /Users/erichblume/Library/Logs
 
+# Full path to borg binary since LaunchAgent doesn't have homebrew in PATH
+borgmatic_local_path: /opt/homebrew/bin/borg
+
 # Schedule: runs daily at 2:00 AM
 borgmatic_schedule_hour: 2
 borgmatic_schedule_minute: 0
diff --git a/ansible/roles/borgmatic/templates/config.yaml.j2 b/ansible/roles/borgmatic/templates/config.yaml.j2
index 6bfb835..2e2bf0f 100644
--- a/ansible/roles/borgmatic/templates/config.yaml.j2
+++ b/ansible/roles/borgmatic/templates/config.yaml.j2
@@ -1,5 +1,8 @@
 # {{ ansible_managed }}
 
+# Path to borg binary (LaunchAgent doesn't have homebrew in PATH)
+local_path: {{ borgmatic_local_path }}
+
 source_directories:
 {% for dir in borgmatic_source_directories %}
 - {{ dir }}
diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index c575037..142326b 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -74,6 +74,12 @@
 "dst": ["tag:homelab"],
 "ip": ["tcp:3001", "tcp:2200"],
 },
+ // Homelab can reach k8s PostgreSQL for borgmatic backups
+ {
+ "src": ["tag:homelab"],
+ "dst": ["tag:k8s"],
+ "ip": ["tcp:5432"],
+ },
 ],
 
 // ============== SSH Access ==============
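Review bot: The new default `borgmatic_local_path: /opt/homebrew/bin/borg` in defaults/main.yml is only correct for Homebrew on Apple Silicon; Intel installs use a different prefix, and a wrong value here would surface only when the scheduled job runs. Because this variable names the executable that the unattended backup job launches, the comment should state the assumption, for example `# Absolute path to borg (Apple Silicon Homebrew prefix); override per host if borg is installed elsewhere`. A role task that stats the path and fails when it is missing or not executable would catch a mismatch at deploy time; the role's tasks are not visible in this diff.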
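Review bot: `local_path: {{ borgmatic_local_path }}` in config.yaml.j2 renders the variable as a plain YAML scalar, so an empty value becomes `local_path:` (null) and a value containing ` #` or `: ` is truncated or rejected when the rendered config is parsed. Emit it as a quoted string instead, for example `local_path: {{ borgmatic_local_path | to_json }}`. The context line `- {{ dir }}` in the loop below has the same form and would benefit from the same filter, though it is not part of this change.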
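Review bot: The added rule in policy.hujson opens `tcp:5432` from every device tagged `tag:homelab` to every device tagged `tag:k8s`, which is wider than the comment's stated purpose of letting the borgmatic host reach PostgreSQL. If the tagging scheme allows it, point `dst` at a tag carried only by the PostgreSQL endpoint (a constructed example: `"dst": ["tag:k8s-postgres"]`) and narrow `src` to the backup host rather than the whole homelab tag. The database role used for the dumps should also be limited to read access, since this rule makes the port reachable from any homelab node that is compromised. The enclosing array starts outside the hunk, so whether the file carries policy tests is not visible; if it does, add one that pins this rule.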