Pick peppers the same way you pick cryptographic keys: use your OS's CSPRNG to generate a 16-32 byte (128-256 bit) pepper.
If your system has a Hardware Security Module (HSM) or secure enclave, you can store a single pepper for all users there. Otherwise you have to use a regular file, so set access permissions appropriately.
It's possible to have a pepper per user in some cases. For that, you typically can't use an HSM or secure enclave since you'll have too many entries for it, and also have to store which user goes with which pepper. So it might make things less secure instead of more secure.
Salts are non-secret by definition. Store the salt in the same database as the username and password hash. For all the current secure password hashing functions the salt is part of the password hashing algorithm's output, and so doesn't need a separate database column.
Whatever you do ensure you have a way to backup and restore the pepper(s). It won't be backed up by your database backups, after all! If it's lost your users can't log in. Remember that security is a combination of confidentiality, integrity, and availability, so don't let the pepper become a single point of failure.
