Angus,
Great write up. Mine is set up in a similar manner, though I need to find time to switch out my dsa keys for rsa.
However, have the following stub for my /etc/sudoers.d:
Cmnd_Alias BACKUP=/bin/tar, /usr/bin/rsync, /usr/bin/mysqldump, /usr/local/sbin/dbdump
backuppc ALL=NOPASSWD:BACKUP
or
Cmnd_Alias BACKUP=/usr/bin/tar,/usr/local/bin/rsync
backuppc ALL=NOPASSWD: BACKUP
on FreeBSD clients (in /usr/local/etc/sudoers.d)
This will accomodate the tar method as well as rsync, plus allow dbdump script I wrote to run as a DumpPreUserCmd.
--b