Compromised config.php: what is needed to be regenerated and how?

Suppose we have compromised config.php.
It’s obvious that following fields must be changed\regenerated:

  • passwordsalt
  • secret
  • dbpassword
  • mail_smtppassword (if used)
    Is instanceid a confidential information?
    What is the proper way of regenerating passwordsalt and secret (and instanceid if needed) (db and mail passwords are pretty obvious) — which length it should be, what should be done after regeneration?

It seems doesn’t matter but still:
Nextcloud 12
Debian stretch
Lighttpd 1.4.45
PHP (using php-fpm) 7.0.19
PostgreSQL 9.6.3

  • passwordsalt
    • Changing this breaks existing authentication hashes and is thus not supported. The impact of losing this information is however negligible.
  • secret
    • Changing this breaks existing hashes and is thus not supported. The impact of losing this information is however as well not super grave.
  • dbpassword
    • Changing this is supported.
  • mail_smtppassword
    • Changing this is supported.
  • instanceid
    • This is a public information and changing this is not supported.